I have a WCF service that uses transport and message security. How do I protect data from a malicious man-in-the-middle attack, say from a user using Fiddler and allowing Fiddler to decrypt HTTPS traffic?
This topic has been covered in the Fiddler documentation. You can use Fiddler to sniff messages from the parties you have physical access to. Given that you don't give physical access to a malicious user, you are protected with transport and message security.
Q: Does Fiddler2 demonstrate a flaw in HTTPS?
A: No. HTTPS relies on certificates in order to secure web traffic. Web browsers prevent man-in-the-middle attacks by relying upon Trusted Root Certification authorities to issue certificates that secure the traffic. As designed, web browsers will show a warning when traffic is not protected by a certificate issued by a trusted root.
Edit
This is from another relevant answer:

Transport security provides only point-to-point channel security. It means that HTTPS establishes a secure channel only between the client and the server exposed to the client. But if this server is just a load balancer or proxy server, it has direct access to the content of the message.

Message security provides end-to-end channel security. It means that security is part of the transferred data and only the intended destination can decrypt the data (a load balancer or proxy sees only the encrypted message). Message security in most cases also uses certificates to provide encryption and signing, but it is usually slower because transport security can use HW acceleration.
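The two modes the answer contrasts, as an added example in WCF code (not taken from the question or the answer; the contract and type names are hypothetical, the `System.ServiceModel` API is the real .NET Framework one). The first binding is point-to-point and a TLS-terminating hop reads the SOAP body; the second protects the body end-to-end for the service certificate.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract. EncryptAndSign tells WCF to encrypt and sign the body
// at the message level whenever the binding actually supports message security.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string orderXml);
}

public static class OrderBindings
{
    // Point-to-point: HTTPS protects only the hop to whatever terminates TLS.
    // A proxy the client machine trusts (Fiddler with its root installed) or a
    // TLS-terminating load balancer decrypts the channel and sees the SOAP body
    // in clear text. SecurityMode.TransportWithMessageCredential is no better
    // for confidentiality: only the client credential moves into the message.
    public static WSHttpBinding TransportOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return b;
    }

    // End-to-end: the SOAP body is encrypted and signed with WS-Security for the
    // service certificate, so an intermediary that decrypts HTTPS (or a plain
    // HTTP hop) still sees only ciphertext plus a signature it cannot forge.
    public static WSHttpBinding MessageLevel()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Use a service certificate supplied out of band, not one negotiated
        // at runtime, so the client knows in advance whom it encrypts to.
        b.Security.Message.NegotiateServiceCredential = false;
        return b;
    }

    // Client side: the pinned service certificate is the encryption target;
    // only the service's private key can recover the body.
    public static ChannelFactory<IOrderService> ClientFactory(
        X509Certificate2 serviceCert, X509Certificate2 clientCert, string address)
    {
        var dns = serviceCert.GetNameInfo(X509NameType.DnsName, false);
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity(dns));
        var factory = new ChannelFactory<IOrderService>(MessageLevel(), endpoint);
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;
        factory.Credentials.ClientCertificate.Certificate = clientCert;
        return factory;
    }
}
```

With `MessageLevel()`, a Fiddler instance trusted by the client still shows the HTTP exchange, but the `<s:Body>` it displays is the WS-Security `EncryptedData` element rather than the order XML.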