Question

I have installed HttpFox on Firefox, and I tried to capture traffic on the Google Account login page. I typed a wrong password for my test and, to my surprise, it captured the clear password in HTTPS pages.

But when I tried Fiddler on Firefox/IE, no clear data was captured.

I heard that HTTPS headers are also encrypted, but why do they still get captured in HttpFox? Is it possible for a hacker to do the same thing over the network?

Solution

It really depends on where you're probing for these values or the data.

I've never used either tool, but from my understanding I assume the following:

  • HttpFox is a browser add-on. As such, it simply captures the traffic data (i.e. what is sent) before it's encrypted and sent, and after it's received and decrypted.
  • Fiddler, in comparison, is an external proxy and as such won't see anything unencrypted, as it only monitors traffic passing through.

Overall, HttpFox will show you what the browser knows about your connection. Fiddler will show you what any server/proxy on the way to the connected server will see (garbage).

This is also the reason why you should only install and use add-ons you trust. You can have perfect network security, always use HTTPS/SSL, etc., but it won't help you if one of your add-ons is stealing the tasty bits.
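The two capture points described in the answer, as an added example that is not part of the original post: an in-memory TLS session where the same login request is inspected at the endpoint and on the wire. The host name, password and request are constructed, and the anonymous cipher suite is an assumption made only so the example needs no certificate files.

```python
import ssl

PASSWORD = b"wrong-password-123"  # constructed sample value
REQUEST = b"POST /login HTTP/1.1\r\nHost: accounts.example\r\n\r\nPasswd=" + PASSWORD

def _ctx(server_side):
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    if not server_side:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Assumption for the demo only: an anonymous TLS 1.2 suite, so the example
    # needs no certificate files. Never use this outside a test.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AECDH-AES128-SHA:@SECLEVEL=0")
    return ctx

def capture_points():
    """Return (bytes at the endpoint, bytes on the wire) for one login POST."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = _ctx(False).wrap_bio(c_in, c_out)
    server = _ctx(True).wrap_bio(s_in, s_out, server_side=True)
    wire = bytearray()  # what a passive observer between the two hosts records

    def pump():
        # Carry pending TLS records in both directions, logging each one.
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            data = src.read()
            if data:
                wire.extend(data)
                dst.write(data)

    pending = [client, server]
    while pending:  # drive both handshakes to completion
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass
            pump()

    # Inside the client, before encryption (where a browser add-on sits),
    # REQUEST is still plaintext. Only the encrypted records reach the wire.
    client.write(REQUEST)
    pump()
    endpoint_view = server.read(4096)  # plaintext again after decryption
    return endpoint_view, bytes(wire)
```

`capture_points()` returns the decrypted request as the endpoint sees it, plus every byte that crossed between the two sides; searching the second value for `PASSWORD` finds nothing.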

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow