How to secure HTTP traffic inside a WinForms application from sniffing

What are the methods used to secure HTTP traffic inside a WinForms application from sniffing.

I want to ensure that all HTTP traffic originating from say the WebRequest is not directly visible to someone using a sniffing application such as Fiddler.

Apart from using HTTPS are there any alternatives for sending web traffic out of a WinForms开发者_开发知识库 application that is unsniffable?

You could create a VPN connection to the webserver, and then route the traffic over that?

You could create a SSH connection to a server that has a VPN tunnel to the webserver, then route all the traffic via SHH, then the VPN?

You can encrypt your payload but if you want the whole transmission secure HTTPS is the way to do it.

If you are using WCF as the communication tool behind your WinForms application then this MSDN series could be usesful. It describes a range of alternative security options in a good level of detail.

Just using HTTPS isn't enough of course. You have to also have to make sure that the server at the other end of the HTTPS pipe is the server you expect with the correct certificate.

Otherwise someone using Fiddler (or something similar) can respond to your HTTPS requests with their own self signed certificate.

Fiddler has a feature where it acts as a proxy between the client and the HTTPS connected server. It uses its own self signed certificate to talk to the client and then uses HTTPS to talk to the remote server, proxying the data between them and allowing the user to see the plain text of the data. If the client isn't checking that the certificate at the other end is the right one, it never knows that the connection isn't actually secure.

And yes, you need to use HTTPS/SSL or some other form of encryption, as someone with admin rights on the local machine can see any data you send over the network, there is no other way of hiding it from them.