Question

Can an HTTPS request be replayed using Fiddler/TamperData, probably due to poor handling of the login process? Once I log out of my system (https), I am able to log in back using replay. Simon Buchan has already mentioned that HTTPS cannot be replayed. Ref: https://stackoverflow.com/a/2770133/1502619

If replay logs me in, does that mean that my login doesn't handle replay attack or is it that I am not logging out correctly?


Solution

Simon Buchan notes (correctly) that a client cannot send exactly the same encrypted bytes to the HTTPS server and have it accept them as valid; one of the protections HTTPS provides is protection against that sort of "blind" replay.

What Fiddler & TamperData do isn't the same thing: these tools start with the same unencrypted bytes (e.g. your username and password), establish a new HTTPS connection to the server, and then send the HTTPS request to the server again on that new connection.

So, it's a replay of the same HTTPS request, but not a replay of the same raw bytes.

There's no practical way to prevent a tool with access to the unencrypted data (like Fiddler has) from logging into your site using that information.
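As an added example (not part of the original answer or of any real site's code): a small in-memory model of a login endpoint in Python. It treats a captured plaintext form body the way Fiddler does after TLS termination and re-submits it, first against a server with no replay protection, then against one that binds each login POST to a single-use form nonce. Only the application layer is modeled; the TLS-level protection against raw-byte replay that Simon Buchan refers to is not simulated. The user name, password, `nonce` field name and the `LoginServer` class are all constructed for illustration.

```python
# Added example: application-layer "replay" of a captured HTTPS login request.
# Everything here (account, credentials, field names) is constructed; it is not
# code from the original answer or from any real application.
import secrets
from urllib.parse import parse_qs

# Constructed test account; a real server would store a password hash.
USERS = {"alice": "correct horse battery staple"}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, i.e. the plaintext a
    proxy such as Fiddler sees once it has terminated TLS."""
    return {k: v[0] for k, v in parse_qs(body).items()}


class LoginServer:
    """Minimal model of a login endpoint with optional single-use form nonces."""

    def __init__(self, require_nonce: bool = False):
        self.require_nonce = require_nonce
        self.issued_nonces = set()   # nonces handed out with the login form
        self.sessions = set()        # live session ids

    def get_login_form(self) -> str:
        """GET /login: issue a fresh nonce embedded in the form."""
        nonce = secrets.token_urlsafe(16)
        self.issued_nonces.add(nonce)
        return nonce

    def post_login(self, body: str):
        """POST /login: returns (http_status, session_id_or_None)."""
        form = parse_form(body)
        if self.require_nonce:
            nonce = form.get("nonce")
            if nonce not in self.issued_nonces:
                return 403, None          # unknown or already-consumed nonce
            self.issued_nonces.discard(nonce)  # single use: consume it now
        if USERS.get(form.get("user")) != form.get("password"):
            return 401, None
        sid = secrets.token_urlsafe(16)
        self.sessions.add(sid)
        return 200, sid

    def logout(self, sid) -> None:
        self.sessions.discard(sid)


CAPTURED_BODY = "user=alice&password=correct+horse+battery+staple"  # constructed capture


def replay_against_plain_server():
    """No replay protection: after logout, re-sending the captured plaintext
    body on a new connection logs in again. Returns (first_status, replay_status)."""
    srv = LoginServer()
    status, sid = srv.post_login(CAPTURED_BODY)
    srv.logout(sid)
    replay_status, _ = srv.post_login(CAPTURED_BODY)  # what Fiddler's "replay" does
    return status, replay_status


def replay_against_nonce_server():
    """Single-use nonce: the byte-for-byte replay is rejected, but a tool that
    holds the credentials simply fetches a fresh form and logs in anyway.
    Returns (first_status, exact_replay_status, fresh_login_status)."""
    srv = LoginServer(require_nonce=True)
    nonce = srv.get_login_form()
    body = f"{CAPTURED_BODY}&nonce={nonce}"
    status, sid = srv.post_login(body)
    srv.logout(sid)
    replay_status, _ = srv.post_login(body)           # nonce already consumed
    fresh = srv.get_login_form()                       # attacker re-fetches the form
    fresh_status, _ = srv.post_login(f"{CAPTURED_BODY}&nonce={fresh}")
    return status, replay_status, fresh_status


if __name__ == "__main__":
    print("plain server  (first, replay):", replay_against_plain_server())
    print("nonce server  (first, replay, fresh):", replay_against_nonce_server())
```

The nonce variant only distinguishes "the same request sent twice" from "a new login with known credentials"; it does not change the answer's conclusion that anyone holding the plaintext credentials can log in. What it does buy is a clean signal in the logs: a 403 on a consumed nonce is a genuine replay, whereas a second successful login after logout is expected behaviour, not a defect in your logout.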

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow