Fiddler Web调试器-为什么不能" debug& quot;https请求? [英] Fiddler Web Debugger - why can't I "debug" https requests?

问题描述

我开始使用Fiddler，并且希望能够使用它来调试https请求.

我阅读了以下文章:

一旦我单击确定"按钮，我的浏览器就会阻止所有https请求.因此，我无法输入任何包含个人信息的网站，例如Facebook或Gmail.我从浏览器中收到的错误消息是:您的连接不是私人的

攻击者可能试图从中窃取您的信息www.facebook.com(例如密码，消息或信用卡).NET :: ERR_CERT_AUTHORITY_INVALID

我可能必须更改浏览器(Chrome)的属性，以便在提琴手工作时能够提交https请求.我知道它可能是不安全的，但是一旦我使用完Fiddler，我将其更改回其默认属性.

您知道我必须在浏览器中进行哪些更改吗?

解决方案

Fiddler在充当MITM代理来解密HTTPS流量时使用其自己的根CA.Windows不信任此CA(这很好，因为Fiddler没有颁发证书的权限).Fiddler使用此根CA即时为您访问的HTTPS网站创建证书，从而使其能够解密内容.

您看到的消息是Chrome，警告您动态Fiddler生成的证书的颁发者未知.在大多数站点上，您可以通过接受警告来绕过此警告，但是某些站点采用了其他安全做法，例如严格传输安全性(HSTS)和证书固定，其中浏览器禁止您接受此类警告.

为避免浏览器显示警告，应将Fiddler根证书添加到受信任的证书中.IE和Chrome共享Windows中维护的同一证书存储，而Firefox内部维护其自己的存储.

要信任Fiddler的根证书，

1. 单击屏幕打印中的将根证书导出到桌面"按钮(在较新的versios中，该对话框后面的标题为操作"的按钮后面提供).
2. 这会将Fiddler根证书导出到您的桌面.
3. 打开证书文件，然后单击安装证书"按钮.
4. 按照其余提示进行操作，将其添加到受信任的根证书列表中.

参考文献: https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp 和 http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert

I started to use Fiddler and I want to be able use it to debug https requests.

I read the part "Configuring for HTTPS Capture" in the following article: http://www.kleinfelter.com/content/using-fiddler-capture-encrypted-traffic-https

So I decided to change the properties of Fiddler to enable also https requests. I checked both "Capture HTTPS CONNECTs" and "Decrypt HTTPS traffic"

Once I clicked the "OK" button my browser blocked any https requests. Therefore, I couldn't enter any sites with personal information such as Facebook or Gmail. The error message that I got from the browser was: Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

I probably have to change something in the properties of my browser (Chrome) so I'll be able to submit https requests while fiddler is working. I know it may be unsecure, but once I finish using Fiddler, I'll change it back to its default property.

Do you know what I have to change in my browser?

解决方案

Fiddler uses its own root CA when acting as a MITM proxy to decrypt HTTPS traffic. This CA is not trusted by Windows (which is good, as Fiddler does not have the authority to issue certificates). Fiddler uses this root CA to create certificates on the fly for HTTPS sites you visit enabling it to decrypt content.

The message you are seeing is Chrome warning you that the issuer of the dynamically Fiddler generated certificate is unknown. On most sites, you can bypass this by accepting the warning but some sites employ additional security practices such as Strict Transport Security (HSTS) and certificate pinning where a browser prohibits you from accepting warnings such as these.

To avoid having browsers show a warning, you should add the Fiddler root certificate to your trusted certificates. IE and Chrome share the same certificate store maintained in Windows, while Firefox maintains its own store internally.

To trust Fiddler's Root certificate,

1. Click the "Export Root Certificate to Desktop" button in your screen print (in newer versios, this is available behind a button titled "Action" on the same dialog).
2. This exports the Fiddler root certificate to your desktop.
3. Open the certificate file and click the "Install Certificate" button.
4. Proceed with the rest of the prompts to add it to your list of trusted root certificates.

References: https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp and http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert

这篇关于Fiddler Web调试器-为什么不能" debug& quot;https请求?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！