Recently I have read a lot about secure connections and all that stuff. What I understood was that it is not about encryption but about secure end-to-end communication which nobody in the middle can listen to.
But now I am confused. Here is the scenario.
I have Fiddler running in the background. I have enabled HTTPS decryption. I am signing in to my Hotmail account. I gave my username and password, submitted, and it logged in. I came back to Fiddler and inspected the POST request and I was able to read the username and password from the request body.
I don't know if I am wrong, but this shouldn't be possible, right? Hotmail established a secure connection and I was able to read the body with Fiddler. So using any other advanced tool, someone else can easily get my username and password?
Please give me some insight on this scenario. Thanks a lot.
You are basically cooperating with Fiddler to launch a man-in-the-middle attack against yourself. You trust Fiddler's certificate, so Fiddler then acts as a proxy and pretends to be the website you are talking to, from your perspective (which is possible since you have trusted Fiddler as your proxy). From Hotmail's perspective, Fiddler is pretending to be you.
This is only possible because you have trusted Fiddler. Of course, there is the question about rogue Certificate Authorities, but that's a different matter entirely.
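The trust relationship described in the answer is visible in the certificate the client receives, so a client can check who issued it. The following is an added example, not part of the original answer: it inspects the issuer of a peer certificate in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificates are constructed, "Example Public CA" is a made-up CA name, and the marker assumes Fiddler's default root name `DO_NOT_TRUST_FiddlerRoot`.

```python
# Added example: flag a certificate chain that ends in a local interception root.
# Input is the dict that ssl.SSLSocket.getpeercert() returns after a verified handshake.

# Assumption: Fiddler's generated root keeps its default common name.
INTERCEPTION_MARKERS = ("DO_NOT_TRUST_FiddlerRoot",)


def issuer_fields(cert):
    """Flatten the nested 'issuer' structure (a tuple of RDNs, each a tuple
    of (key, value) pairs) into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(cert, expected_orgs):
    """Return (ok, reason). expected_orgs is the set of issuer organizations
    the caller has pinned for this host."""
    issuer = issuer_fields(cert)
    cn = issuer.get("commonName", "")
    org = issuer.get("organizationName", "")
    for marker in INTERCEPTION_MARKERS:
        if marker in cn or marker in org:
            return False, f"issued by local interception root: {cn}"
    if org not in expected_orgs:
        return False, f"unexpected issuer organization: {org!r}"
    return True, f"issuer {org!r} matches pin"


# Constructed sample: what the client sees when talking to the site directly.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA TLS G2"),))}

# Constructed sample: what the client sees when a trusted proxy re-signs the
# site's certificate with its own root.
VIA_PROXY = {"issuer": ((("organizationName", "DO_NOT_TRUST"),),
                        (("commonName", "DO_NOT_TRUST_FiddlerRoot"),))}

if __name__ == "__main__":
    pinned = {"Example Public CA"}  # hypothetical pin for the target host
    for label, cert in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(label, check_issuer(cert, pinned))
```

Both samples would pass normal TLS validation on a machine that has the proxy's root installed as trusted; only the issuer check tells them apart.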