37

I have just discovered that Fiddler can decrypt HTTPS traffic.

For instance, I deployed a website on localhost using HTTPS. When inspecting the data packets in Fiddler, I was able to view all the information since it has an option to decrypt it.

My question is, why make use of HTTPS when Fiddler can easily decrypt it?

Roman C
Joe Borg
  • HTTPS protects against eavesdroppers between the client and the server. – Colonel Panic Mar 06 '13 at 11:11
  • @ColonelPanic I understand that. However, I just discovered that Fiddler can decrypt HTTPS easily. I would like to know what is the point of using HTTPS when Fiddler can easily decrypt it? – Joe Borg Mar 06 '13 at 11:13
  • Or is it due to the fact that the website decrypted using Fiddler is deployed from localhost? – Joe Borg Mar 06 '13 at 11:13

2 Answers

36

Fiddler performs a MITM technique.

To make it work, you need to trust its Certificate:

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

If you don't, it won't decrypt anything...

How can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser [...]

Andrea Ligios
  • 1
    So the only way to protect against HTTPS decryption is not to trust the certificate in the first place. Am I understanding correctly? – Joe Borg Mar 06 '13 at 11:16
  • 1
    Let us say that the user accepts the certificate. Am I correct in saying that Fiddler will then be able to decrypt the information? – Joe Borg Mar 06 '13 at 11:19
  • Yes, because it claims to be the destination ;) If you don't trust it, you should be safe – Andrea Ligios Mar 06 '13 at 11:20
  • 3
    The provided answer is good. If you're curious about how this works internally, there's a good explanation for a similar tool - MITMProxy - on slides 10 and 11 here https://www.owasp.org/images/7/73/SlayingDragons-ccbysa30nz.pdf. As Andrea Ligios points out, Fiddler2 and MITMProxy both require the user to trust an intermediate certificate. Requests are then forwarded to the upstream (legitimate) HTTPS site. Responses are similarly received by the proxy from the legitimate server, decrypted as if it were the client, re-encrypted using the intermediate secret key and forwarded to the client. – Aaron Newton Jun 07 '14 at 15:51
  • @JoeBorg: HTTPS (correct way) is safe until 1/ you choose to trust the attacker's certificate, 2/ there is a man/computer connected between the sender and receiver of the HTTPS communication. This happens 99% of the time but you don't realize it; all governments and company bosses have this power. – Andiana Jul 07 '16 at 04:35
  • What if I am on a public computer where the admin accepted the Fiddler certificate? – Sylvain Gantois May 10 '20 at 03:34
  • You should barely trust _your_ computer... Guess what you should do with a public computer (or WiFi network, or whatever): zero trust! – Andrea Ligios May 10 '20 at 15:25
20

In order to decrypt HTTPS traffic you must first install Fiddler's root certificate into your "trusted/root certificates" list. Fiddler's root certificate is NOT a root certificate which comes with your operating system by default. The OS will usually warn you when you're trying to install this.

In doing so, you explicitly begin to trust any certificate signed by Fiddler's root certificate. When you now make an HTTPS request, Fiddler will perform a man-in-the-middle attack on you.

Suppose you make a request in the form https://google.com. Fiddler will now act as the actual Google server and will create a dummy certificate for Google.com and sign it using Fiddler's root certificate. You will receive this dummy certificate, which has been signed by Fiddler. This certificate will pass your device's validation since Fiddler's root certificate is now in your trusted certificates. Now, your device will start communicating with Fiddler through a secure HTTPS connection. Fiddler will relay your messages to Google.com and back to you. Of course, Fiddler will be able to decrypt them.

Note that the traffic from Fiddler to Google will occur through a second secure HTTPS channel.

Therefore, there is no need to worry about the security provided by HTTPS.

Ruchira Randana
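
An added example, not part of either answer: a client-side pin check that still flags a re-signed leaf certificate after the trust store has accepted it, which is the situation raised in the public-computer comment above. All function names, CA names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def issuer_cn(cert: dict) -> str:
    """Issuer commonName from an ssl.getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def assess(der: bytes, cert: dict, pinned_fp: str, expected_issuers: set) -> str:
    """Classify a leaf that the local trust store has ALREADY accepted."""
    if fingerprint(der) == pinned_fp.lower():
        return "pin-match"
    # The pin is the authoritative check. The issuer name is only a triage
    # hint, because whoever creates a root certificate chooses its name.
    if issuer_cn(cert) not in expected_issuers:
        return "unexpected-issuer"  # leaf re-signed by some other root
    return "pin-mismatch"           # e.g. renewal: review, then update the pin

def fetch(host: str, port: int = 443):
    """Live helper: (DER leaf, parsed cert) after normal chain validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

# Constructed sample data: byte strings stand in for DER certificates and the
# CA names are made up, so the demo runs offline.
GENUINE_DER = b"constructed leaf issued by the service's CA"
PROXY_DER = b"constructed leaf minted on the fly by a proxy"
GENUINE = {"issuer": ((("commonName", "Example Public CA"),),)}
PROXY = {"issuer": ((("commonName", "Example Interception Root"),),)}
PIN = fingerprint(GENUINE_DER)
ISSUERS = {"Example Public CA"}

if __name__ == "__main__":
    print(assess(GENUINE_DER, GENUINE, PIN, ISSUERS))
    print(assess(PROXY_DER, PROXY, PIN, ISSUERS))
```

Against a live host, pass the two values returned by `fetch()` to `assess()` together with a fingerprint recorded earlier over a connection known to be direct.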