
I started to use Fiddler and I want to be able use it to debug https requests.

I read the part "Configuring for HTTPS Capture" in the following article: http://www.kleinfelter.com/content/using-fiddler-capture-encrypted-traffic-https

So I decided to change the properties of Fiddler to enable also https requests. I checked both "Capture HTTPS CONNECTs" and "Decrypt HTTPS traffic"


Once I clicked the "OK" button my browser blocked any https requests. Therefore, I couldn't enter any sites with personal information such as Facebook or Gmail. The error message that I got from the browser was: Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

I probably have to change something in the properties of my browser (Chrome) so I'll be able to submit https requests while Fiddler is working. I know it may be insecure, but once I finish using Fiddler, I'll change it back to its default property.

Do you know what I have to change in my browser?


1 Answer


Fiddler uses its own root CA when acting as a MITM proxy to decrypt HTTPS traffic. This CA is not trusted by Windows (which is good, as Fiddler does not have the authority to issue certificates). Fiddler uses this root CA to create certificates on the fly for the HTTPS sites you visit, enabling it to decrypt content.

The message you are seeing is Chrome warning you that the issuer of the certificate Fiddler generated dynamically is unknown. On most sites, you can bypass this by accepting the warning, but some sites employ additional security practices such as Strict Transport Security (HSTS) and certificate pinning, where the browser prohibits you from accepting warnings such as these.

To avoid having browsers show a warning, you should add the Fiddler root certificate to your trusted certificates. IE and Chrome share the same certificate store maintained in Windows, while Firefox maintains its own store internally.

To trust Fiddler's Root certificate,

  1. Click the "Export Root Certificate to Desktop" button in your screenshot (in newer versions, this is available behind a button titled "Action" on the same dialog).
  2. This exports the Fiddler root certificate to your desktop.
  3. Open the certificate file and click the "Install Certificate" button.
  4. Proceed with the rest of the prompts to add it to your list of trusted root certificates.

References: https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp and http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert
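The same trust step scripted in PowerShell, as an added example that is not part of the original answer or of Fiddler's own documentation. It assumes the exported file is named FiddlerRoot.cer on the Desktop and that the root's subject is CN=DO_NOT_TRUST_FiddlerRoot (Fiddler's default name; adjust both if yours differ). It also includes the cleanup the questioner says they intend to do afterwards, which the GUI steps above do not cover.

```powershell
# Added example, not code from the original answer or from Fiddler.
# Assumptions: FiddlerRoot.cer was exported to the Desktop, and the root's
# subject is "CN=DO_NOT_TRUST_FiddlerRoot" (Fiddler's default).

$certPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FiddlerRoot.cer'
$subject  = 'CN=DO_NOT_TRUST_FiddlerRoot'

# Inspect before trusting anything: a root certificate must be self-signed
# (Issuer equals Subject). Refuse to install if it is not.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root certificate: $($cert.Subject)"
}
"Subject:     $($cert.Subject)"
"Thumbprint:  $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# Install into the per-user Trusted Root store (Cert:\CurrentUser\Root), the
# store IE and Chrome consult. Deliberately not Cert:\LocalMachine\Root: that
# would make every account on the machine trust Fiddler-issued certificates.
# Windows still shows its confirmation prompt for additions to the user root store.
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Verify the install by thumbprint rather than by display name.
Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $cert.Thumbprint

# --- Cleanup when debugging is finished ---
# Remove every certificate with that subject, not only this thumbprint:
# Fiddler regenerates its root if you reset certificates, so stale copies
# from earlier sessions may still be trusted.
Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq $subject } |
    Remove-Item
```

Run the first half when you start a debugging session and the cleanup block when you stop; a Fiddler root left in the trusted store means anyone who obtains that root's private key can impersonate any HTTPS site to this user. Firefox keeps its own store, as the answer notes, so for Firefox either import the same file under its certificate settings or enable its option to use the Windows root store (security.enterprise_roots.enabled); either way, remember to undo it afterwards as well.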