Video icon
Video Tutorials 		Fiddler Logo
RSS Icon Get Fiddler! Addons Help & Documentation Developer Info Discuss Contact

Decrypting HTTPS-protected traffic

Introduction

Fiddler2 includes the ability to decrypt, view, and modify HTTPS-secured traffic for debugging purposes.  This feature is disabled by default.

Enable this option by clicking Tools > Fiddler Options > HTTPS and ticking the "Decrypt HTTPS Traffic" box.

Frequently Asked Questions

Q: The HTTPS protocol was designed to prevent traffic viewing and tampering.  Given that, how can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception.  To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser.  In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate. 

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser, like so:

IE Cert Error

Q: Can I reconfigure my Windows client to trust the Fiddler root certificate to avoid error messages and enable logon to services like Passport?

A: Yes.  I recommend that you only make this configuration change on Test-only machines.

  1. When you tick the "Decrypt HTTPS Traffic" checkbox in Fiddler 2.2.9+, you will see the following prompt:
    Trust Prompt
  2. If you click Yes, you will see the following prompt:
    Windows Trust Prompt
  3. If you click "Yes" then Windows will trust your Fiddler Root certificate and certificate warnings will be suppressed in any application which relies upon the Windows Certificate Store.

Q: How do I configure Firefox to trust the Fiddler root certificate?

A: Open Fiddler 2.2.9+. Click Tools > Fiddler Options. Select the HTTPS tab, and click the Export Fiddler Root Certificate to Desktop button.

In Firefox, click Tools > Options…. Click the Advanced button at the top. Click the Encryption tab. Click View Certificates. Click the Authorities tab. Click Import. Pick the .CER file from your desktop. Check the "Trust this CA to identify web sites" checkbox.

Trust Certificate UI

Q: Does Fiddler2 demonstrate a flaw in HTTPS?

A: No. HTTPS relies on certificates in order to secure web traffic.  Web browsers prevent man-in-the-middle attacks by relying upon Trusted Root Certification authorities to issue certificates that secure the traffic.  As designed, web browsers will show a warning when traffic is not protected by a certificate issued by a trusted root.

Q: Does Fiddler2 support sites that require client certificates?

A: Yes, Fiddler 2.1.0.3 and later support client certificates.  See Attaching Client Certificates for more information.

Q: Is Fiddler2 the only tool that debugs HTTPS traffic?

A: No.  There are a number of other free tools which offer this capability, including the Charles and Burp proxies, written with Java.

< Back to Help Homepage



©2010 Eric Lawrence