Reputation: 6830
I'm looking to inspect HTTP traffic sent and received by a WFC client using Fiddler. To do this I've added the Fiddler Root Certificate to the Windows certificate store.
My question: is there any risk of leaving this certificate in the Windows store ready for when I may need to test again? Could an attacker take advantage of the fact that it's there? Should I remove it once I've finished testing?
Upvotes: 18
Views: 27001
Reputation: 6830
As the certificate is uniquely generated by Fiddler for my system, even if an adversary knew I had such a certificate installed, there isn't a way for them to take advantage of this. If they knew the unique private key of the certificate they could potentially use this against me, for example, via a man-in-the-middle attack, but to do that they'd need to infiltrate my system to get the certificate, at which point there would be no need for the man-in-the-middle attack.
Having said that, just to be extra safe, I've installed the certificate in a separate Firefox profile specifically for use with Fiddler, so that I don't have the certificate in my system when doing general web surfing.
Upvotes: 23
Reputation: 12731
From the Fiddler FAQs
What’s the Risk?
Many security folks are worried that, if a user configures Windows to trust Fiddler’s root certificate, that user could have their traffic intercepted and decrypted by any other Fiddler user. They assume that Fiddler is sharing the same root certificate across all installations.
Fear not! Every Fiddler root certificate is uniquely generated, per user, per machine. No two Fiddler installations have the same root certificate. The only way for a Fiddler user to be “spoofed” by a bad guy is if that bad guy already is running code inside the user’s account (which means you’d already be pwned anyway).
Upvotes: 11
Reputation: 9
Corporate usage instructions I have seen at more than one client include the Cert removal step after Fiddler has been used. So the answer would definitely be a "Yes, do remove the certificate after use."
Upvotes: -1
Reputation: 113222
No it's not safe, and yes you should remove it.
The entire point of it is to break the security of SSL for debugging convenience.
It even has "DO_NOT_TRUST" in its name, for a good reason.
Upvotes: -5
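The question and the last two answers turn on whether a Fiddler root certificate is still sitting in the Windows trusted-root store after testing. The following PowerShell is an added example, not code from the question or any of the answers and not Fiddler's own tooling: it audits the current-user and local-machine Root stores for any certificate whose subject contains the "DO_NOT_TRUST" marker mentioned in the last answer, reports it, and removes it on request. The "DO_NOT_TRUST" match and the two store paths are assumptions; adjust them if your Fiddler build names the certificate differently.

```powershell
# Added example (not from the question or any answer): find and remove a
# Fiddler root certificate left in the Windows trusted-root stores.
# Assumption: the certificate subject contains "DO_NOT_TRUST".

function Find-FiddlerRoot {
    # Trusted-root stores for the current user and for the whole machine.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*DO_NOT_TRUST*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A trusted root whose private key is on this box is the
                    # case the first answer describes: only useful to someone
                    # already running code in your account.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Remove-FiddlerRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Find-FiddlerRoot | ForEach-Object {
        # The Cert: provider addresses a certificate by store path + thumbprint.
        $path = Join-Path -Path $_.Store -ChildPath $_.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove trusted root certificate')) {
            Remove-Item -Path $path
        }
    }
}

# Usage: list first, preview the removal, then run without -WhatIf.
Find-FiddlerRoot | Format-Table -AutoSize
Remove-FiddlerRoot -WhatIf
```

Removing from `Cert:\LocalMachine\Root` needs an elevated shell; the current-user store does not. Note that this only covers the Windows stores: a certificate imported into a separate Firefox profile, as the first answer does, lives in Firefox's own database and will not show up here.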