Why make use of HTTPS when Fiddler can decrypt it

Joe Borg · Mar 6, 2013 · Viewed 33k times

I have just discovered that Fiddler can decrypt HTTPS traffic.

For instance, I deployed a website on localhost using HTTPS. When inspecting the data packets in Fiddler, I was able to view all the information since it has an option to decrypt it.

My question is, why make use of HTTPS when Fiddler can easily decrypt it?

Answer

Andrea Ligios · Mar 6, 2013

Fiddler performs a MITM technique.

To make it work, you need to trust its Certificate:

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

If you don't, it won't decrypt anything...

Q: How can Fiddler2 debug HTTPS traffic?

A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.

Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser [...]
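The answer's point is that Fiddler only "breaks" HTTPS once its root certificate has been added to the trust store and the client still enforces certificate verification. The script below is an added example (not code from the question, the answer, or the Fiddler project) that does the two checks a defender would want: it audits a trust store for roots that look like a debugging-proxy CA, and it confirms that a client context still requires a valid chain and hostname match. The sample trust-store entries are constructed, laid out the way `ssl.SSLContext.get_ca_certs()` returns them; the marker strings (Fiddler's root is commonly named "DO_NOT_TRUST_FiddlerRoot") and the `audit_trust_store`/`verification_enforced` names are assumptions made for this example.

```python
"""Audit a TLS trust store for interception roots and check client verification.

An HTTPS-intercepting proxy such as Fiddler can only decrypt traffic after its
root certificate is trusted by the client. This example (added illustration,
not Fiddler's or the answer's code) flags trusted roots whose names suggest a
local interception CA and checks that a client context has not disabled
verification, which would let any forged certificate through regardless.
"""
import ssl

# Assumption: Fiddler's generated root is commonly named "DO_NOT_TRUST_FiddlerRoot";
# matching on these substrings catches it and similarly named debugging roots.
INTERCEPTION_MARKERS = ("fiddler", "do_not_trust")

# Name attributes consulted when looking for a marker.
NAME_FIELDS = ("commonName", "organizationName", "organizationalUnitName")


def name_attrs(name):
    """Flatten an X.509 name in get_ca_certs() layout into {attribute: value}.

    get_ca_certs() represents a name as a tuple of RDNs, each RDN being a tuple
    of (attribute, value) pairs, e.g. ((('commonName', 'Root CA'),),).
    """
    attrs = {}
    for rdn in name:
        for key, value in rdn:
            attrs.setdefault(key, value)
    return attrs


def looks_like_interception_root(cert, markers=INTERCEPTION_MARKERS):
    """True if any marker appears in the cert's CN, O or OU (case-insensitive)."""
    subject = name_attrs(cert["subject"])
    haystack = " ".join(subject.get(field, "") for field in NAME_FIELDS).lower()
    return any(marker in haystack for marker in markers)


def audit_trust_store(certs, markers=INTERCEPTION_MARKERS):
    """Return the commonName of every trusted root that matches a marker."""
    return [
        name_attrs(cert["subject"]).get("commonName", "<no CN>")
        for cert in certs
        if looks_like_interception_root(cert, markers)
    ]


def verification_enforced(ctx):
    """True only if the context rejects untrusted chains and hostname mismatches.

    A client that sets verify_mode=CERT_NONE or check_hostname=False would accept
    an interception proxy's certificate even when its root is not trusted.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_local_store():
    """Audit the roots the default Python context has loaded on this machine.

    Note: on systems that load CAs from a directory (capath) rather than a bundle
    file, get_ca_certs() only lists roots that have already been used once.
    """
    ctx = ssl.create_default_context()
    return audit_trust_store(ctx.get_ca_certs())


# Constructed sample trust store: one ordinary public root and one entry shaped
# like a Fiddler-style interception root. These are not real certificates.
_PUBLIC_ROOT_NAME = (
    (("countryName", "US"),),
    (("organizationName", "Example CA Inc"),),
    (("commonName", "Example Root CA"),),
)
_PROXY_ROOT_NAME = (
    (("commonName", "DO_NOT_TRUST_FiddlerRoot"),),
    (("organizationName", "DO_NOT_TRUST"),),
    (("organizationalUnitName", "Created by a debugging proxy"),),
)
SAMPLE_STORE = [
    {"subject": _PUBLIC_ROOT_NAME, "issuer": _PUBLIC_ROOT_NAME, "version": 3},
    {"subject": _PROXY_ROOT_NAME, "issuer": _PROXY_ROOT_NAME, "version": 3},
]


if __name__ == "__main__":
    print("Sample store flagged roots:", audit_trust_store(SAMPLE_STORE))
    print("Local store flagged roots: ", audit_local_store())
    default_ctx = ssl.create_default_context()
    print("Default context enforces verification:", verification_enforced(default_ctx))
```

Run it as-is to check the machine's own store; an empty list from `audit_local_store()` together with `True` from `verification_enforced()` is the state in which Fiddler's decryption would fail with the browser-style certificate error the answer describes. The name-based check is a heuristic: it cannot catch an interception root given an innocuous name, so it complements, rather than replaces, a review of which roots were added outside the OS vendor's bundle.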