DO_NOT_TRUST_FiddlerRoot


guardian

Dec 11, 2008, 7:44:12 AM
to Fiddler
I am trying to assess what possible security holes are related to the
installation of the Fiddler certificate as a trusted one.

If this certificate is installed as a trusted one in my browser, would
it be possible for somebody to fake a secure website with this
certificate ?

And related to this, can you trap this on the client side of Fiddler
or on the client side of the browser connected to the Fiddler proxy, or with a
straight connection without the Fiddler proxy?

Any other security flaws you can think of ?

many thanks for your comments!




EricLaw

Dec 13, 2008, 2:57:57 AM
to Fiddler
> If this certificate is installed as a trusted one in my browser, would
> it be possible for somebody to fake a secure website with this
> certificate ?

Not unless they already had access to your local computer (e.g. the
ability to run a program on your computer). Each FiddlerRoot is
uniquely generated on a per-machine basis, so the root on my machine
has a different private key than the root on your machine.

For attack surface reduction reasons, I don't generally recommend you
trust the root except on test machines, but I'll admit that I do trust
the root on all of my machines.

> And related to this, can you trap this on the client side of fiddler
> or on the client site of the browser connected to fiddler proxy or
> streight connection without fiddler proxy ?

Trap what exactly?

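The reply above turns on one fact: the FiddlerRoot private key lives on the same machine as the trusted root, so the only party who can sign a fake site certificate is someone already running code there. The check a practitioner wants is therefore to see whether such a root is in the Windows trust stores at all, whether its private key is present, and to remove it from the Root store on anything that is not a test machine. The script below is an added example and is not from the thread or from Fiddler; it assumes a Windows machine and the standard Windows certificate store names, and that the root carries the subject name discussed here.

```powershell
# Added example, not from the thread or from Fiddler. Assumes a Windows machine;
# the store paths are the standard Windows certificate stores and the subject
# name is the one discussed in the thread.
$pattern = '*CN=DO_NOT_TRUST_FiddlerRoot*'
$stores  = 'CurrentUser\Root', 'CurrentUser\My', 'LocalMachine\Root', 'LocalMachine\My'

# Collect every matching certificate across the stores, noting where it sits
# and whether this machine also holds the private key (i.e. can sign with it).
$found = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\$store" -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # $true: signing key is on this box
            }
        }
}

if (-not $found) {
    'No DO_NOT_TRUST_FiddlerRoot certificate found in the checked stores.'
} else {
    $found | Format-Table -AutoSize

    # Entries in a *\Root store are trusted for TLS by Windows and by browsers
    # that use the Windows store. Remove them unless this is a test machine.
    # Remove-Item on the Cert: drive needs PowerShell 3.0 or later.
    foreach ($store in 'CurrentUser\Root', 'LocalMachine\Root') {
        Get-ChildItem -Path "Cert:\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $pattern } |
            Remove-Item -WhatIf   # drop -WhatIf to actually delete
    }
}
```

Run it on two different machines and compare the Thumbprint column: the values differ, which is the per-machine generation the reply describes. A root whose HasPrivateKey is $true in CurrentUser\My is the one that can mint certificates; if you keep the root trusted, that key is what any local malware would need to steal. Firefox keeps its own certificate store and is not covered by this check.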
guardian

Dec 13, 2008, 5:26:47 AM
to Fiddler
Many thanks Eric. The last part of my question was referring to the case when
it would be possible to abuse a certificate. As you generate unique certificates
per Fiddler installation, this is clearly not possible unless someone had the
possibility to steal it from my machine, therefore very unlikely!

I created an extension DLL for Fiddler that handles automatic logon for a VPN
SSL Network Extender. It works perfectly now combined with the -quiet command
line parameter. You can see the tool at www.vpnguard.com. I was a bit worried
that the Fiddler certificate would introduce a security risk; now I am not so
worried anymore :)

Steve

Feb 28, 2014, 5:29:54 PM
to httpf...@googlegroups.com
I had the same thing on my computer and on my friend's computer just this past week. It was called BrowserSafeGuard, which I clearly never remember installing. Are these BrowserSafeGuard guys part of Fiddler? I did install Fiddler recently. I had all kinds of ads showing up on pages that didn't have ads before. Seems wrong to be dropping a "DO_NOT_TRUST" SSL cert on unsuspecting victims. Is any of my secure information compromised when a program does this?

EricLaw

Feb 12, 2015, 12:08:28 PM
"BrowserSafeguard" is a product built by a company with no relationship to me or Telerik.

Their product doesn't appear to be malicious in any traditional sense: you either buy their product or use their ad-funded version (see browsersafeguard[dot]com). I'd imagine that they're paying third parties to install their product when you install other products (the "adware" business model), but if you think that it was truly installed without your permission, you should probably submit it to your antivirus company and/or discuss it with the relevant authorities. UPDATE: Microsoft's SmartScreen blocks the download of BrowserSafeguard from their site, which suggests that the software is considered "Potentially Unwanted" according to Microsoft's legal "Objective Criteria." The most likely explanation is that the tool is being "crammed" without proper notice to the user.

To remove Browser Safeguard, open your PC's Control Panel, click Add/Remove Programs, choose Browser Safeguard from the list, and click the Remove button.