Fiddler – The missing string of Web Development (Decrypting HTTPS) – Part III

Configure Fiddler to Decrypt HTTPS Traffic

This is the final post of the 3-part-series on using Fiddler. Please visit the First, and Second post for more insight

Sometimes websites depend on resources both from HTTP and HTTPS.

Example – Many websites where speed is a concern, they operate often over HTTP instead of HTTPS. We do not get secured authentication with HTTP. Therefore, those websites implement Login Frame, which is an iFrame src-ed to a HTTPS page that helps users log in. Sometimes the login frame contains CSS and JS loaded over HTTPS.

HTTPS traffic is encrypted. And if Fiddler starts decrypting the encrypted files, well, that defeats the purpose of using HTTPS. Fiddler can neither nor is expected to decrypt HTTPS requests. Therefore, it doesn’t log them too.

To enable https logging and Auto-responding, follow these steps (as prescribed in Fiddler Manual) –

  • Export the Security Certificate
    • Go to Tools > Fiddler Options > HTTPS.
    • Click the Decrypt HTTPS Traffic box.
    • Fiddler Options -- Decrypt HTTPS Traffic
    • We’re not done yet
  • Export the Root Certificate to the Desktop
    • Click on the button “Export Root Certificate to the Desktop”
    • Name it as per your convenience and save it in any other location if you wish to
  • Import the certificate (For Firefox, follow these instructions)
    • Go to Chrome > Settings
    • Scroll down till you see “Show Advanced Settings” and click on it
    • Scroll down till you find the section titled “HTTPS/SSL
    • Click on the button “Manage Certificates
      • Click on Import and import the certificate from your Computer’s hard drive
      • Locate it and upload it
      • For a smooth run, let’s restart the browser and fiddler, both

Congratulations. You should be able to Auto-respond to HTTPS from now on.

Pro Tip:
Despite the fact that domain names are same for
And, these two are treated as different domains.

Because, HTTP and HTTPS operate on different ports (80 and 443 respectively), therefore they can’t fall into same domains as per CORS specs.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s