Decrypting HTTPS-protected traffic
Frequently Asked Questions
Q: The HTTPS protocol was designed to prevent traffic viewing and tampering. Given that, how can Fiddler2 debug HTTPS traffic?
A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.
Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser, like so:
Q: Can I reconfigure my Windows client to trust the Fiddler root certificate to avoid error messages in IE and Chrome, as well as enabling logon to services like LiveID, etc?
Q: How do I configure Firefox to trust the Fiddler root certificate?
A: Open Fiddler 2.2.9+. Click Tools > Fiddler Options. Select the HTTPS tab, and click the Export Fiddler Root Certificate to Desktop button.
In Firefox, click Tools > Options.... Click the Advanced button at the top. Click the Encryption tab. Click View Certificates. Click the Authorities tab. Click Import. Pick the .CER file from your desktop. Check the "Trust this CA to identify web sites" checkbox.
Q: I seem to always get an endless loop of 401 Errors when visiting an internal server when HTTPS Decryption is enabled?
A: This may be related to the Extended Protection feature recently added to IIS. This feature binds authentication credentials to the HTTPS-channel; since Fiddler intercepts this channel, the credentials are no longer valid. See this article for more information.
Q: Can Fiddler decrypt HTTPS traffic from a different machine?
A: Yes, if you've configured Fiddler to proxy traffic from a second computer or device, you can decrypt that traffic, with two caveats:
Q: Can Fiddler intercept traffic from Apple iOS devices like iPad/iPhone/iPod Touch and Android devices?
A: Yes, but these devices may not be compatible with the default certificates Fiddler generates.
To resolve the incompatibility, you may replace Fiddler's default certificate generator with one that generates certificates containing flags (e.g. AKID, SKID) that are compatible with these platforms. Simply download and install the new Certificate Maker and restart Fiddler.
Q: Can Fiddler be configured to decrypt traffic only from certain hosts or processes?
Yes. You can do so by setting the x-no-decrypt flag on a
given session. For instance, here's a bit of script that you can put inside
OnBeforeRequest to prevent decryption of traffic to all hosts except a target
Alternatively, you could disable HTTPS-decryption for
traffic from an entire application (e.g. boring.exe) using a rule like
this inside OnBeforeRequest:
Q: Does Fiddler2 demonstrate a flaw in HTTPS?
A: No. HTTPS relies on certificates in order to secure web traffic. Web browsers prevent man-in-the-middle attacks by relying upon Trusted Root Certification authorities to issue certificates that secure the traffic. As designed, web browsers will show a warning when traffic is not protected by a certificate issued by a trusted root.
Q: Does Fiddler2 support sites that require client certificates?
A: Yes, Fiddler 188.8.131.52 and later support client certificates. See Attaching Client Certificates for more information.
Q: Is Fiddler2 the only tool that debugs HTTPS traffic?
A: No. There are a number of other free tools which offer this capability, including the Charles and Burp proxies, written with Java.