Configure Fiddler to Decrypt HTTPS Traffic
Sometimes websites depend on resources loaded over both HTTP and HTTPS.
Example – Many websites where speed is a concern often operate over HTTP instead of HTTPS. HTTP does not give us secure authentication. Therefore, those websites implement a login frame: an iframe whose src points to an HTTPS page that lets users log in. Sometimes the login frame contains CSS and JS loaded over HTTPS.
HTTPS traffic is encrypted, and if Fiddler started decrypting it, that would defeat the purpose of using HTTPS. Out of the box, Fiddler neither can nor is expected to decrypt HTTPS requests. Therefore, it doesn’t log them either.
To enable HTTPS logging and auto-responding, follow these steps (as prescribed in the Fiddler manual) –
- Export the Security Certificate
  - Go to Tools > Fiddler Options > HTTPS.
  - Click the Decrypt HTTPS Traffic box.
  - We’re not done yet
  - Export the Root Certificate to the Desktop
    - Click on the button “Export Root Certificate to the Desktop”
    - Name it as per your convenience and save it in any other location if you wish to
- Import the certificate (For Firefox, follow these instructions)
  - Go to Chrome > Settings
  - Scroll down till you see “Show Advanced Settings” and click on it
  - Scroll down till you find the section titled “HTTPS/SSL”
  - Click on the button “Manage Certificates”
  - Click on Import and import the certificate from your computer’s hard drive
  - Locate it and upload it
- For a smooth run, let’s restart both the browser and Fiddler
Congratulations. You should be able to auto-respond to HTTPS requests from now on.
Because HTTP and HTTPS operate on different ports (80 and 443 respectively), they can’t fall into the same domain as per the CORS specs.
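
The origin comparison behind that last point, applied to the login-frame page from the example at the top. This is an added example, not part of the original article; the URLs are constructed and the helper names (`originTuple`, `sameOrigin`, `classifyResources`) are hypothetical.

```javascript
// Added example: constructed URLs, hypothetical helper names.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Break a URL into the (scheme, host, port) triple that defines its origin.
function originTuple(rawUrl) {
  const u = new URL(rawUrl);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is '' when the scheme's default port is in use.
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// For each resource a page loads, report its effective port, whether it
// shares the page's origin, and whether it travels over HTTPS (the traffic
// that needs the decryption setup above before Fiddler can show it).
function classifyResources(pageUrl, resourceUrls) {
  return resourceUrls.map((url) => {
    const t = originTuple(url);
    return {
      url,
      port: t.port,
      sameOriginAsPage: sameOrigin(pageUrl, url),
      needsHttpsDecryption: t.scheme === 'https:',
    };
  });
}

// Constructed sample: an HTTP page that embeds an HTTPS login frame.
const page = 'http://shop.example/';
const resources = [
  'http://shop.example/app.js',
  'https://shop.example/login',
  'https://shop.example/login.css',
  'https://shop.example:443/login.js',
];
const report = classifyResources(page, resources);
console.table(report);
```

Even though every URL uses the same hostname, only the plain-HTTP script shares the page's origin; the login frame and its assets are a separate origin on port 443.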