Reputation: 910
In our project we wanted to secure a user's password from an anonymous attacker (through man-in-the-middle or any other technique), so I was exploring the HttpRequest of a login page through Fiddler. The following link shows what I get in Fiddler: http://www.sharexfiles.com/image/2015-02-24_113847_0.jpg (please note the request text in red and the View State in green).
To secure the View State, I added the following to the config: enableViewStateMac="true" viewStateEncryptionMode="Always". Then my HttpRequest looks like this: http://www.sharexfiles.com/image/2015-02-24_114302.jpg. Please note the green and red blocks here as well.
My question, based on the above: my View State is encrypted (the block in green) but my request is not encrypted (the block in red), so my password is clearly visible. Can the attacker by any means get this request (the block in red) to learn a user's password? Is there any way I can check that the request I send is secured from client to server?
Note: I am using SSL (HTTPS) in this project. It would be good to provide answers accordingly.
Thanks for your help. :)
Upvotes: 3
Views: 1389
Reputation: 23436
If you're using HTTPS, then you can only see these requests because you allowed Fiddler to man-in-the-middle you by enabling HTTPS decryption.
If you want to see what an attacker can actually see, you should use a tool like Wireshark. You'll see that your password is not visible to an attacker.
Another option would obviously be to disable HTTPS decryption in Fiddler.
Upvotes: 2
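The point of the answer above can be checked without Wireshark. The following Go program is an added example, not code from the question or the answer: it posts a login form to an in-process test server twice, once over plain HTTP and once over HTTPS, while recording every byte the client writes to its TCP socket (the passive attacker's view). The server handler plays the role of the ASP.NET login page and reports the password it received after TLS termination (the view Fiddler gets once you let it decrypt). The hostname, the `/Login.aspx` path, the form field names and the credentials `alice` / `hunter2` are constructed for the example.

```go
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// recordingConn wraps the client's TCP connection and keeps a copy of every
// byte written to it: exactly what a passive attacker on the path (or Wireshark
// on the same machine) would capture. With HTTPS this is TLS records; with HTTP
// it is the request itself.
type recordingConn struct {
	net.Conn
	mu  *sync.Mutex
	buf *bytes.Buffer
}

func (r recordingConn) Write(p []byte) (int, error) {
	r.mu.Lock()
	r.buf.Write(p)
	r.mu.Unlock()
	return r.Conn.Write(p)
}

// LoginResult holds what the two vantage points observed.
type LoginResult struct {
	ServerSawPassword string // what the application sees after TLS termination
	Wire              []byte // bytes that actually crossed the network
}

// Login posts a login form (constructed field names) to an in-process test
// server, over HTTPS when useTLS is set and plain HTTP otherwise.
func Login(useTLS bool, username, password string) (LoginResult, error) {
	var mu sync.Mutex
	var saw string
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		mu.Lock()
		saw = r.PostFormValue("password") // the login page sees the clear password
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	})

	var srv *httptest.Server
	if useTLS {
		srv = httptest.NewTLSServer(handler) // self-signed cert for 127.0.0.1
	} else {
		srv = httptest.NewServer(handler)
	}
	defer srv.Close()

	wire := &bytes.Buffer{}
	var wmu sync.Mutex
	transport := &http.Transport{
		// Tap the raw TCP connection; the Transport layers TLS on top of it,
		// so for HTTPS the recorder only ever sees ciphertext.
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			c, err := (&net.Dialer{}).DialContext(ctx, network, addr)
			if err != nil {
				return nil, err
			}
			return recordingConn{Conn: c, mu: &wmu, buf: wire}, nil
		},
	}
	if useTLS {
		// Trust only the test server's certificate, like a browser with the
		// real site's CA but without Fiddler's root installed.
		pool := x509.NewCertPool()
		pool.AddCert(srv.Certificate())
		transport.TLSClientConfig = &tls.Config{RootCAs: pool}
	}
	client := &http.Client{Transport: transport}

	form := url.Values{"username": {username}, "password": {password}}
	resp, err := client.PostForm(srv.URL+"/Login.aspx", form)
	if err != nil {
		return LoginResult{}, err
	}
	resp.Body.Close()
	transport.CloseIdleConnections()

	mu.Lock()
	defer mu.Unlock()
	wmu.Lock()
	defer wmu.Unlock()
	return LoginResult{ServerSawPassword: saw, Wire: append([]byte(nil), wire.Bytes()...)}, nil
}

// PasswordOnWire reports whether the captured bytes contain the form-encoded
// password in the clear, i.e. whether a sniffer could read it.
func PasswordOnWire(res LoginResult, password string) bool {
	return bytes.Contains(res.Wire, []byte("password="+url.QueryEscape(password)))
}

func main() {
	for _, tlsOn := range []bool{false, true} {
		res, err := Login(tlsOn, "alice", "hunter2")
		if err != nil {
			panic(err)
		}
		fmt.Printf("tls=%v: server saw %q, password readable on wire: %v (%d bytes captured)\n",
			tlsOn, res.ServerSawPassword, PasswordOnWire(res, "hunter2"), len(res.Wire))
	}
}
```

Both runs end with the server seeing `hunter2`, which is what the Fiddler screenshot shows and what any TLS-terminating proxy you have trusted will show. Only the plain-HTTP run leaves `password=hunter2` in the captured bytes; the HTTPS capture contains the ClientHello and encrypted records. The check that matters for the question is therefore not whether Fiddler can display the field, but whether the connection it was captured from was TLS with a certificate chain the client validated, which is exactly what the `RootCAs` setting above enforces.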