I have recently been looking into HTTPS, and just how secure it is.
I went to an https site which had a valid certificate and entered my username and password. Using Fiddler, I decrypted the requests which appeared after clicking the submit button, and there was my username and password in plain text in a string containing key-value pairs (this wasn’t the querystring, it was the post values).
Can anyone enlighten me as to why HTTPS is said to be secure when it is this easy for me to get the username and password using an external application? I mean it was pretty much instant decryption, and surely a hacker could use an application to find out what requests you’re making and decrypt them, can’t they?
HTTPS is a fairly secure way of communicating point-to-point without anyone in the middle being able to listen in.
The reason Fiddler can decrypt the traffic is that it has control over which certificates your browser trusts. A certificate is basically a “guarantee” that the web site you’re talking to is who it claims to be, and since Fiddler can put its own certificate into the browser, it can convince the browser that it is any site.
Normally the browser only has certificates from certificate authorities (like Verisign, Thawte, Geotrust) whose job it is to validate that every site is actually who they say they are. As long as you trust the certificate authorities (they have made mistakes) and no one has added a fake certificate to your browser, you can pretty much trust that no one is listening in.
If you’re looking for something that is “mathematically secure”, HTTPS isn’t it. For communication to be easy to set up, you still have to trust someone other than the person at the other end of the connection.
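The point the answer makes about the trust store can be shown offline with openssl. This is an added example, not code from the question or answer: it builds two throwaway roots ("real-ca", standing in for a public CA the browser ships with, and "proxy-ca", standing in for the root an intercepting proxy such as Fiddler installs), issues a certificate for the same hostname from each, and shows that the proxy's certificate is only accepted once its root has been added to the trust store. All names and paths are constructed for the example.

```shell
# Added example: the trust store, not the TLS math, decides what "valid" means.
set -e
WORK=$(mktemp -d)

# Create a self-signed root CA; $1 is the short name used for the CN and file names.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for host $2, signed by CA $1.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.$1.key" -out "$WORK/$2.$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.$1.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.$1.crt" >/dev/null 2>&1
}

# Validate leaf $2 against trust store $1 (a PEM bundle); prints OK or FAIL.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_ca real-ca                  # constructed stand-in for a public CA
make_ca proxy-ca                 # constructed stand-in for an interception proxy's root
make_leaf real-ca example.test   # the site's genuine certificate
make_leaf proxy-ca example.test  # the proxy's on-the-fly certificate for the same name

# A trust store holding only the public CA ...
cp "$WORK/real-ca.crt" "$WORK/store-clean.pem"
# ... and one where the proxy root has been added as well (what Fiddler does).
cat "$WORK/real-ca.crt" "$WORK/proxy-ca.crt" > "$WORK/store-tampered.pem"

echo "clean store, genuine cert:  $(verify_with "$WORK/store-clean.pem" "$WORK/example.test.real-ca.crt")"
echo "clean store, proxy cert:    $(verify_with "$WORK/store-clean.pem" "$WORK/example.test.proxy-ca.crt")"
echo "tampered store, proxy cert: $(verify_with "$WORK/store-tampered.pem" "$WORK/example.test.proxy-ca.crt")"
```

The first two lines print OK and FAIL; the third prints OK, which is exactly the situation the answer describes: the browser checks the chain correctly, but the set of roots it checks against has been extended by whoever controls the machine.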