Video icon
Video Tutorials
Search this site
Get Fiddler! Addons Help & Documentation Developer Info Discuss Contact

Decrypting HTTPS-protected traffic

Introduction

Fiddler2 includes the ability to decrypt, view, and modify HTTPS-secured traffic for debugging purposes.  This feature is disabled by default, but can be enabled in Fiddler's Tools > Fiddler Options dialog.

Frequently Asked Questions

Q: The HTTPS protocol was designed to prevent traffic viewing and tampering.  Given that, how can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception.  To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser.  In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate. 

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser, like so:

IE Cert Error

Q: Can I reconfigure my Windows client to trust the bogus root to avoid error messages and enable logon to services like Passport?

A: Yes, although this is not a recommended configuration.  You should never make this configuration change on a non-Test machine.

  1. Visit a HTTPS site with Fiddler2 running, ensure that you see the Certificate Error warning page
  2. START > RUN > CERTMGR.MSC
  3. Drag the DO_NOT_TRUST_FiddlerRoot certificate from the Personal folder to the Trusted Root Certification Authorities folder

certstore

You can make a similar configuration change for Firefox and other clients that do not use the Windows Certificate store; use the appropriate Options dialog in the browser.

Mozilla Firefox Certificate Configuration

Q: Does Fiddler2 demonstrate a flaw in HTTPS?

A: No.  HTTPS relies on certificates in order to secure web traffic.  Web browsers prevent man-in-the-middle attacks by relying upon Trusted Root Certification authorities to issue certificates that secure the traffic.  As designed, web browsers will show a warning when traffic is not protected by a certificate issued by a trusted root.

Q: What limitations are present in Fiddler2?

A: There are several minor limitations which will be resolved in new versions

  • The Request Builder tab cannot yet generate HTTPS requests

Q: Does Fiddler2 support sites that require client certificates?

A: Yes, Fiddler 2.1.0.3 and later support client certificates.  See Attaching Client Certificates for more information.

Q: Do I need to use RPASpy with Fiddler2?

A: No, you should no longer need to use RPASpy with Fiddler2.  RPASpy provides a read-only view of HTTPS headers only, and hence it's less functional than Fiddler2.

Q: Is Fiddler2 the only tool that debugs HTTPS traffic?

A: No.  There are a number of other free tools which offer this capability, including the Charles and Burp proxies, written with Java.

< Back to Help Homepage



©2008 Microsoft Corporation