Windows 10’s IE11 continues to send your keystrokes over the internet in plaintext as you type in the address bar, a part of the “Search Suggestions” feature: “But I don’t search from the address bar,” you might say. That may be, but if you fail to type or paste a URL (sans protocol) into the… Continue reading “Leaking Keystrokes”
When a browser needs to send a HTTPS request through a proxy (like Fiddler), there’s a bit of a problem. The proxy needs to know where to send the client’s request, but the whole point of protecting traffic with HTTPS is that the content is encrypted and cannot be read by anyone else on the… Continue reading “Understanding CONNECT Tunnels”
You can easily use Fiddler to evaluate what algorithms a client is using to connect to a HTTPS server. First, adjust Fiddler’s configuration using Tools > Fiddler Options to enable capture of CONNECT tunnels but disable decryption: Disabling decryption is necessary because Fiddler decrypts traffic using a HTTPS man-in-the-middle technique, which means that… Continue reading “Viewing HTTPS Handshakes in Fiddler”
Fiddler and FiddlerCore offer three different choices for generating interception certificates: MakeCert, CertEnroll, and Bouncy Castle. If you’re so inclined, you can even write your own certificate generator (say, by wrapping OpenSSL) and expose it to Fiddler using the ICertificateProvider3 interface. On Windows, Fiddler includes the MakeCert and CertEnroll certificate generators by default; you can download… Continue reading “Fiddler Certificate Generators”
Building a HTTPS-secured website is easier than it’s ever been.
It should be obvious, but everyone seems to be making the same mistake. HTTPS only works if you use it. Everywhere. If you don’t use HTTPS everywhere, a bad guy can intercept an insecure request and prevent the user from reaching your secure site. HSTS is a good start to mitigating the threat of accidentally… Continue reading “HTTPS Only Works If You Use It”
Over on Twitter, Paul asks how to verify that a native application is using TLS. For a PC, it’s pretty simple: just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that traffic… Continue reading “Testing HTTPS In Native APPs”