Is it possible for the server to see if the HTTPS connection is verified using Fiddler?

I would like to see if it is possible for web services to detect HTTPS connections with "fake" root certificates generated by Fiddler4 (web debugging proxy) to prevent reverse engineering.

Is there a way to check if the encryption is done with the original certificate or with the Fiddler file?

+3

1 answer


The server has no way of knowing which certificate the client received unless the client sends this information to the server.

From client-side JavaScript, you cannot detect such an interception today; JavaScript does not provide facilities for certificate validation. It is possible to use Java or Flash inside a web page to validate the certificate obtained when connecting to the server, but a rather cunning interceptor can simply avoid MITMing the Java / Flash connection.

In contrast, a native code client application can determine which certificate was presented by the server and reject any certificate that does not match the expected certificate; it is called certificate pinning, and this is the method used by some applications. Note that this blocks more than Fiddler; it also blocks connections through corporate inspection proxies (such as BlueCoat, ISA TMG, etc.) and through some of the popular proxy servers of popular antivirus software (such as BitDefender). More importantly, users can bypass your certificates if they choose; your code is running on their device and they have the ability to change your code in memory to strip your certificates. On some mobile devices, this code modification requires a "cracker" of the device, but this is not an insurmountable barrier.

+6
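The pinning the answer describes, as an added Go example that is not part of the answer or of any real project: two constructed self-signed certificates for the assumed name example.test stand in for the genuine server certificate and for one minted by a debugging proxy whose root the user has installed; ordinary chain validation accepts both, and only the shipped SPKI pin tells them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate for the assumed name example.test;
// one stands in for the genuine server certificate, another for a proxy's.
func selfSigned(serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// spkiPin hashes the SubjectPublicKeyInfo: the pin a client ships, independent of the signing CA.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// chainTrusted is ordinary validation: anything chaining to a trusted root, a proxy's root included, passes.
func chainTrusted(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: pool})
	return err == nil
}

// pinCheck is a tls.Config.VerifyPeerCertificate hook: after chain validation, reject a leaf whose SPKI differs from the pin.
func pinCheck(pin [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		// No verified chain (e.g. validation was skipped) fails closed.
		if len(chains) == 0 || spkiPin(chains[0][0]) != pin {
			return errors.New("certificate pin mismatch: possible interception")
		}
		return nil
	}
}
```

Wiring `pinCheck` into a client's `tls.Config` keeps normal chain validation and adds the pin on top; as the answer notes, the check lives in the client and can be removed by whoever controls the device.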

