There are three component here in case 1- Client device, 2- Interceptor(Burp or Fiddler), 3- Application Sever.
Step you might follow:
1 – You enter HTTPS enabled url in Browser and try to intercept in Fiddler, while you try to intercept. you will get fiddler prompt “HTTPS Decryption is disabled click to configure”, and you clicked on that prompt and that will redirect you to Fiddler -> Options -> HTTPS, and you checked on Decrypt HTTPS traffic which will ask you to install Fiddler root certificate, and ask you to configure in windows.
In doing so, you explicitly begin to trust any certificate signed by Fiddler’s root certificate. When you now make a https request, Fiddler will perform a Man in the middle attack with you.
In all you trusted Fiddler to decrypt your HTTPS request, by enabling to install signed certificate in your device, which should not be happen in this case.
Fiddler is installed in your device and from your device only you are accessing HTTPS site through installed browser, that’s not actually man in the middle you have all the things with you.
No one can installed any software or any CA certificate without your consent in your device, If you allow to do so, then no one can stop you.
If a person(intruder) wants to install CA certificate in your machine from his machine by some means, will you allow, I think you won’t. Then you are safe here.
I hope that this piece of information will help you to be more aware of the security risks while authenticating third party software.
Swati Rajput is a IBM Certified Big Data Architect working as a Technical Analyst and a Client Advocate for the Marketing Suite at HCL.