12

I've been playing with the twitter API for an iPhone test application, and I've missed the ability to proxy the requests I did to the twitter API with a software like Charles (http://www.charlesproxy.com/). Even though it has a SSL Proxying feature, twitter seems to not like the fact that there's a different certificate in the middle signing the requests. Is there any way to do this? I'd be very useful to be able to see the requests and the way Charles formats the JSON responses, etc...

Javier Soto
  • 4,840
  • 4
  • 26
  • 46
  • Interesting. Hope you get an answer. – Prof. Falken Nov 08 '11 at 17:01
  • Man... im still waiting this response too. – Oscar Godson Jan 06 '12 at 01:50
  • I've used charles proxy before with the Twitter API. Can you explain a little more about how you are are trying to connect through charles and what sort of errors you are running into. – abraham Feb 28 '12 at 02:51
  • All twitter clients basically use HTTPS connections. To proxy them, you have to enable the SSL Proxying feature, and with that turned on, all twitter calls fail because of a certificate error (it detects it as if there were a Man In the Middle attack...) – Javier Soto Mar 04 '12 at 13:24
  • More than 3 years later and I think I've just hit a similar issue (http://stackoverflow.com/questions/28180063/how-to-proxy-requests-to-api-twitter-com-including-ssl-certificates). Has anyone found a solution in the end? – jenzz Jan 27 '15 at 21:18

1 Answers1

2

Twitter can't know that there is a man in the middle. I've not used Charles, but I've used Fiddler2. Try that one.

http://www.charlesproxy.com/documentation/proxying/ssl-proxying/

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

Decrypting HTTPS works by the proxy making its own certificate, and giving it to the browser. The browser will notice it connects with a bad certificate and give a warning, but the server (Twitter) will just see the proxy as another browser. The proxy-server connection uses Twitter's certificate, so it's still secure.

Perhaps this is your problem:

Q: Can Fiddler intercept traffic from Apple iOS devices like iPad/iPhone/iPod Touch and Android devices? A: Yes, but these devices may not be compatible with the default certificates Fiddler generates.

To resolve the incompatibility, you may replace Fiddler's default certificate generator with one that generates certificates containing flags (e.g. AKID, SKID) that are compatible with these platforms. Simply download and install the new Certificate Maker and restart Fiddler.

Chloe
  • 25,162
  • 40
  • 190
  • 357
  • 1
    I think that it may be worth noting that before resuming regular internet browsing, this should be disabled or the Fiddler process killed. Their proxy certificate will "break" other TLS connections. – Anthony Mason Jun 13 '16 at 15:04