Fiddler Web调试器 - 为什么我不能“调试” https请求？ [英] Fiddler Web Debugger - why can't I "debug" https requests?

问题描述

我开始使用Fiddler，我希望能够用它来调试https请求。

我在$ b中阅读了为HTTPS捕获进行配置部分$ b以下文章：

一旦我点击确定按钮，我的浏览器就会阻止任何https请求。因此，我无法进入任何带有个人信息的网站，例如Facebook或Gmail。我从浏览器得到的错误消息是：
您的连接不是私人的

攻击者可能试图窃取您的信息从
www.facebook.com（例如，密码，信息或信用卡）。
NET :: ERR_CERT_AUTHORITY_INVALID

我可能必须更改浏览器（Chrome）的属性，所以我会能够在小提琴手工作时提交https请求。我知道这可能是不安全的，但是一旦我完成使用Fiddler，我会将其更改回它的默认属性。

你知道我必须改变我的浏览器吗？

解决方案当作为MITM代理解密HTTPS流量时，Fiddler使用自己的根CA.这个CA不被Windows信任（这很好，因为Fiddler没有颁发证书的权限）。 Fiddler使用此根CA为您访问的HTTPS网站创建证书，以使其能够解密内容。

您看到的消息是Chrome警告您，发行人动态Fiddler生成的证书是未知的。在大多数网站上，您可以通过接受警告来绕过这一点，但某些网站会采用其他安全措施，例如严格传输安全性（HSTS）和证书锁定，因为浏览器禁止您接受诸如此类警告。

为避免浏览器显示警告，您应该将Fiddler根证书添加到您的可信证书中。 IE和Chrome共享Windows中维护的相同证书库，而Firefox则在内部维护自己的商店。

要信任Fiddler的根证书，

1. 单击屏幕打印中的将根证书导出到桌面按钮（在新版本中，在同一个对话框中标题为操作的按钮后面可以找到） li>
   
2. 这将Fiddler根证书导出到您的桌面。 打开证书文件，然后单击安装证书按钮。


3. 继续提示的其余部分，将其添加到受信任的根证书列表中。

参考资料： https：// www.fiddlerbook.com/fiddler/help/httpsdecryption.asp 和 http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert

I started to use Fiddler and I want to be able use it to debug https requests.

I read the part "Configuring for HTTPS Capture" in the following article: http://www.kleinfelter.com/content/using-fiddler-capture-encrypted-traffic-https

So I decided to change the properties of Fiddler to enable also https requests. I checked both "Capture HTTPS CONNECTs" and "Decrypt HTTPS traffic"

Once I clicked the "OK" button my browser blocked any https requests. Therefore, I couldn't enter any sites with personal information such as Facebook or Gmail. The error message that I got from the browser was: Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

I probably have to change something in the properties of my browser (Chrome) so I'll be able to submit https requests while fiddler is working. I know it may be unsecure, but once I finish using Fiddler, I'll change it back to its default property.

Do you know what I have to change in my browser?

解决方案

Fiddler uses its own root CA when acting as a MITM proxy to decrypt HTTPS traffic. This CA is not trusted by Windows (which is good, as Fiddler does not have the authority to issue certificates). Fiddler uses this root CA to create certificates on the fly for HTTPS sites you visit enabling it to decrypt content.

The message you are seeing is Chrome warning you that the issuer of the dynamically Fiddler generated certificate is unknown. On most sites, you can bypass this by accepting the warning but some sites employ additional security practices such as Strict Transport Security (HSTS) and certificate pinning where a browser prohibits you from accepting warnings such as these.

To avoid having browsers show a warning, you should add the Fiddler root certificate to your trusted certificates. IE and Chrome share the same certificate store maintained in Windows, while Firefox maintains its own store internally.

To trust Fiddler's Root certificate,

1. Click the "Export Root Certificate to Desktop" button in your screen print (in newer versios, this is available behind a button titled "Action" on the same dialog).
2. This exports the Fiddler root certificate to your desktop.
3. Open the certificate file and click the "Install Certificate" button.
4. Proceed with the rest of the prompts to add it to your list of trusted root certificates.

References: https://www.fiddlerbook.com/fiddler/help/httpsdecryption.asp and http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert

这篇关于Fiddler Web调试器 - 为什么我不能“调试” https请求？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！