
Fiddler2 - Frequently asked questions

Q: How is Fiddler2 different from Fiddler?

A: Fiddler2 is a new version of Fiddler which offers support for debugging HTTPS-encrypted traffic.

Fiddler2 requires version 2 of the Microsoft .NET Framework, but has no other additional requirements. 

Q: Can I have both Fiddler v1.x and Fiddler v2 installed at the same time?

A: Yes.  Fiddler2 uses its own folders (e.g. C:\program files\fiddler2\ and C:\documents and settings\username\My Documents\Fiddler2) and registry keys to store its settings.

Q: What limitations are present in this new version?

A: Fiddler2 is a fork of the regular Fiddler v1.x beta source tree, and hence it will generally behave similarly to the latest Fiddler beta.  There are a number of other limitations:

  • The Request Builder tab cannot yet generate HTTPS requests

Q: Does Fiddler2 support sites that require client certificates?

A: Fiddler 2.1.0.3 and later support client certificates.  See Attaching Client Certificates for more information.

Q: Do I need to use RPASpy with Fiddler2?

A: No, you should no longer need to use RPASpy with Fiddler2.  RPASpy provides a read-only view of HTTPS headers only, and hence it's less functional than Fiddler2.

Q: Where can I get Fiddler2?

A: Please visit the Fiddler2 homepage.

Q: Where can I find information about Fiddler v1.x?

A: Please visit the Fiddler website.

Q: Is Fiddler2 the only tool that debugs HTTPS traffic?

A: No.  There are a number of other free tools which offer this capability, including the Charles and Burp proxies, written in Java.

Q: Why release Fiddler2?

A: Fiddler2 was released to help web developers discover and correct performance, functionality, and security bugs within their HTTPS sites.  Fiddler2 brings Fiddler v1.x's ease-of-use to debugging HTTPS sites.

Q: The HTTPS protocol was designed to prevent traffic viewing and tampering.  Given that, how can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception.  To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser.  In order to pretend to be the web server, Fiddler2 dynamically generates an HTTPS certificate.

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see an HTTPS error message in your browser.

Q: Can I reconfigure my Windows client to trust the bogus root to avoid error messages and enable logon to services like Passport?

A: Yes, although this is not a recommended configuration.  You should never make this configuration change on a non-Test machine.

  1. Visit an HTTPS site with Fiddler2 running and ensure that you see the Certificate Error warning page
  2. START > RUN > CERTMGR.MSC
  3. Drag the DO_NOT_TRUST_FiddlerRoot certificate to the Trusted Root Certification Authorities folder

You can make a similar configuration change for Firefox and other clients that do not use the Windows Certificate store; use the appropriate Options dialog in the browser.

Mozilla Firefox Certificate Configuration
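
To check whether a Windows machine has had this change made, the certificate stores can be searched for the root named in step 3. The script below is an added example, not part of Fiddler2 or the original FAQ; the function name `Find-InterceptionRoot` and the list of stores searched are choices made for the example, and it assumes the name DO_NOT_TRUST_FiddlerRoot appears in the certificate's Subject field.

```powershell
# Added example: report where a Fiddler interception root is installed.
# Assumption: the certificate name from step 3 appears in the Subject field.
function Find-InterceptionRoot {
    param(
        [string]$Name = 'DO_NOT_TRUST_FiddlerRoot'   # name shown in certmgr.msc
    )

    # Windows certificate stores to search (a choice made for this example).
    # Firefox keeps its own certificate store and is not covered here.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',
              'Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA',
              'Cert:\CurrentUser\My',   'Cert:\LocalMachine\My'

    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Name*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    # Only a copy in a Root store makes clients trust what it signs.
                    Trusted    = $store -like '*\Root'
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$found   = @(Find-InterceptionRoot)
$trusted = @($found | Where-Object { $_.Trusted })

$found | Format-Table -AutoSize
if ($trusted.Count -gt 0) {
    Write-Warning "$($trusted.Count) trusted copy/copies found; expected only on a test machine."
}
```

A copy reported with `Trusted = True` can be removed in the same CERTMGR.MSC console by deleting it from the Trusted Root Certification Authorities folder.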

Q: Does Fiddler2 demonstrate a flaw in HTTPS?

A: No.  HTTPS relies on certificates in order to secure web traffic.  Web browsers prevent man-in-the-middle attacks by relying upon Trusted Root Certification authorities to issue certificates that secure the traffic.  As designed, web browsers will show a warning when traffic is not protected by a certificate issued by a trusted root.