Menu
I have just discovered that Fiddler can decrypt HTTPS traffic.
For instance, I deployed a website on localhost using HTTPS. When inspecting the data packets in Fiddler, I was able to view all the information since it has an option to decrypt it.
My question is, why make use of HTTPS when Fiddler can easily decrypt it?
400
Fiddler allows you to decrypt HTTPS traffic by installing its root certificate and enabling HTTPS decryption. First, start Fiddler on the device that will be intercepting traffic. Next, go to Tools > Options > HTTPS, and check the checkbox that says “Decrypt HTTPS Traffic”.
You can define policies to decrypt HTTPS traffic from selected Web categories. While decrypted, data is treated the same way as HTTP traffic to which URL filtering and scanning rules can be applied. In addition, decrypted data is completely secure since it is still in the IWSVA server's memory.
Fiddler performs a MITM technique.
To make it work, you need to trust its Certificate:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
If you don't, it won't decrypt anything...
how can Fiddler2 debug HTTPS traffic?
A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.
Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser [...]
95
In order to decrypt HTTPS traffic you must first install the Fiddler's root certificate in to your "trusted/root certificates" list. Fiddler's root certificate is NOT a Root certificate which by default comes with your Operating System. The OS will usually warn you when you're trying to install this.
In doing so, you explicitly begin to trust any certificate signed by Fiddler's root certificate. When you now make a https request, Fiddler will perform a Man in the middle attack with you.
Suppose you make a request in the form https://google.com. Fiddler will now act as the actual Google server and will create a dummy certificate for Google.com and sign it using Fiddler's Root certificate. You will receive this dummy certificate which has been signed by Fiddler. This certificate will pass your device's validation since Fiddler's Root certificate is now in your trusted certificates. Now, your device will start communicating with Fiddler through a secure HTTPS connection. Fiddler will relay your messages to Google.com and back to you. Of course Fiddler will able to decrypt them.
It is to note that the traffic from Fiddler to Google will occur through a second Secure https channel.
Therefore, not to worry about the security provided by https.
18
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
