How do the Facebook, SnapChat, or Gmail iOS apps prevent Fiddler from decrypting their https traffic?


Question

I tried to use Fiddler to capture some iOS apps' traffic, e.g. Facebook, SnapChat, Gmail, and Instagram.

Instagram is not using https, so I can get all the traffic and see the cookies I sent out, but Fiddler cannot decrypt the other three apps. It only shows something like this:

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below. Version: 3.3 (TLS/1.2) Random: 54 3F 49 C4 20 08 09 BC A8 84 24 92 08 BF B4 38 39 C9 BB 1C B2 7B 95 6A 39 34 E7 AC FE 0F 62 67 SessionID: empty Extensions: server_name graph.facebook.com elliptic_curves

Could anyone help me understand how they do this, so I can use the same technique to protect my app?

Answer

The way Fiddler can decrypt HTTPS traffic is by using its own certificate. However, when Facebook/Snapchat/Gmail detects that the certificate is not trusted by the system (and in some cases the app is stricter and restricts which of the trusted certificates it accepts, so even a trusted third-party cert might be rejected), it will refuse to connect with that cert.

Fiddler can generate certs for iOS to accept and install onto the system, but you first need to follow these instructions:

  1. Install CertMaker
  2. Generate the certificate from Fiddler; it should then be on your desktop
  3. Visit the certificate from your Safari browser (Safari only, others will not work)
  4. Install the certificate

From this, you should then be able to sniff traffic from these applications.

So, to answer the question again: it's not that they're preventing it; it's common for SSL applications to reject the server's response if the server presents an untrusted certificate. What Fiddler does is spoof that part of the certificate with its own, so that when you are communicating over SSL, Fiddler can use its cert to decrypt your traffic.

To answer the second part of your question, please check out this question for details. Essentially, you can force the client to use a specific certificate and thus prevent the use of installed certs.

However, they can still get around this, just in a slightly sneakier way; but, granted, this is on the client side, where anything goes.
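The "force a specific certificate" approach the answer refers to is certificate (public-key) pinning. The following is an added example in Go, not code from the question, the answer, or any of the apps named above: it pins the SHA-256 of the server's SubjectPublicKeyInfo, then shows why a proxy like Fiddler fails the check even when its root has been installed and trusted by the system. The two certificates are generated in memory as constructed test data; "graph.facebook.com" is reused from the Fiddler log above purely as a label, and the function names (`spkiPin`, `verifyPins`, `pinnedTLSConfig`, `selfSignedCert`) are this example's own. Nothing here touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo rather than the whole
// certificate, so the pin survives a routine re-issue that keeps the same key.
// Base64(SHA-256(SPKI)) is the format TrustKit, OkHttp and HPKP use.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins is the pinning check: the handshake is accepted only if some
// certificate in the chain the server presented carries a pinned key.
// An intercepting proxy mints a fresh key for its forged certificate, so
// even with the proxy's root trusted by the system this returns an error.
func verifyPins(pins []string, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		got := spkiPin(cert)
		for _, want := range pins {
			if got == want {
				return nil
			}
		}
	}
	return errors.New("certificate pinning failure: no pinned public key in the presented chain")
}

// pinnedTLSConfig keeps the normal system trust check (InsecureSkipVerify
// stays false) and layers the pin check on top: VerifyPeerCertificate runs
// only after the chain has already validated against the system roots.
func pinnedTLSConfig(pins []string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPins(pins, rawCerts)
		},
	}
}

// selfSignedCert is constructed test data: a throwaway certificate for a
// fresh P-256 key, standing in for either the real server certificate or
// the one a proxy generates on the fly for the same host name.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	genuine, err := selfSignedCert("graph.facebook.com")
	if err != nil {
		panic(err)
	}
	// Same host name, different key: what a MITM proxy would present.
	proxy, err := selfSignedCert("graph.facebook.com")
	if err != nil {
		panic(err)
	}
	pins := []string{spkiPin(genuine)} // what the app would ship compiled in
	fmt.Println("genuine chain:", verifyPins(pins, [][]byte{genuine.Raw}))
	fmt.Println("proxy chain:  ", verifyPins(pins, [][]byte{proxy.Raw}))
	_ = pinnedTLSConfig(pins) // hand this to an http.Transport as TLSClientConfig
}
```

In a real client you would ship at least two pins (the live key plus a backup key held offline) so a key rotation does not brick the app, and pin the SPKI rather than the leaf certificate for the same reason. As the answer notes, this only raises the bar: someone with control of the device can still patch the check out of the binary or hook the verification routine at runtime.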
