
Trusting the Fiddler Root Certificate

In document Debugging With Fiddler (Page 117-120)

After generating the root certificate, Fiddler gives you the opportunity to add it to Windows’ Trusted Root Certificate Authorities store. Adding the root to the Trusted Store will allow the HTTPS server certificates Fiddler later generates to be deemed valid by browsers and other applications. This will help stop browsers from showing warning screens and prevent applications from failing to connect due to “trust errors.”

Fiddler and Windows show prompts to warn off users who might not understand the implications of trusting a certificate:

If you click Yes, Windows will then prompt you to confirm the change:

These warnings are deliberately verbose and scary, but the actual level of risk is minimal. Each Fiddler root certificate is generated uniquely per computer, which improves security by ensuring that no other Fiddler user has the same root certificate. As such, the root certificate could only really be abused by malware running on the local computer, and if your computer is already infected by malware, you have bigger problems to worry about. Bear in mind, though, that whoever holds the root’s private key (kept in your user profile alongside the certificate) can mint a certificate for any HTTPS site that this machine will then accept, so treat the root as a debugging-time artifact and remove it (see below) when you no longer need it.

Machine-wide Trust on Windows 8

On Windows 8, Metro-style applications will not trust Fiddler’s root certificate unless it is in the per-Machine Trusted Root certificate store. Therefore, after the prior steps have added the certificate to your per-User Trusted Root certificate store, Fiddler will then launch an elevated helper program to add the certificate to the Machine store:


If you click Yes to launch the utility, it will confirm the operation:

After you click through this flurry of prompts, Fiddler’s root certificate will be installed and applications that rely on the Windows certificate store will no longer present security errors when Fiddler is decrypting their traffic.

To later remove all Fiddler-generated certificates, untick the Decrypt HTTPS traffic checkbox and then press the Remove Interception Certificates button.

Manually Trusting the Fiddler Root

If you’d prefer to manually trust the FiddlerRoot, launch certmgr.msc (which manages the current user’s certificate stores) and drag the DO_NOT_TRUST_FIDDLERROOT certificate from the Personal folder to the Trusted Root Certification Authorities folder. If you wish to make this change on a machine-wide basis:

1. Right-click the DO_NOT_TRUST_FIDDLERROOT certificate in the Personal folder and choose All Tasks > Export.

2. Export the certificate (without the private key) as DER Encoded X509 Binary to FiddlerRoot.cer on your desktop.

3. Launch mmc.exe.

4. Click File > Add/Remove Snap-In.

5. Select the Certificates snap-in and press Add.

6. When prompted This snap-in will always manage certificates for: choose Computer Account.

7. Click Local Computer, then Finish, then OK.

8. Open the Certificates (Local Computer) node.

9. Right-click the Trusted Root Certification Authorities folder and choose All Tasks > Import.

10. Choose the file you exported in step #2 and import it.
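The same ten steps can be scripted. The following is an added example and not code from the book or from Fiddler itself; it also adds a verification step (the exported file must match the certificate in the store) and the cleanup you will want when debugging is over. It assumes the root’s subject contains "DO_NOT_TRUST_FiddlerRoot" (the name Fiddler gives it), that you run it from an elevated PowerShell prompt, and that the PKI module (Windows 8 / Server 2012 and later) is available; the certutil line in the comments is the fallback for older systems.

```powershell
# Added example, not from the book: the ten manual steps above as a script,
# plus a verification step and the cleanup you will want later.
# Run from an elevated PowerShell prompt. Export-Certificate and
# Import-Certificate come from the PKI module that ships with Windows 8 /
# Server 2012 and later (on older systems use the certutil line noted below).
#
# Assumption (not stated in the book): the root's subject contains
# "DO_NOT_TRUST_FiddlerRoot", the name Fiddler gives it; -like is
# case-insensitive, so the upper-case spelling used in the text matches too.

$cerPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FiddlerRoot.cer'

# Steps 1-2: find the root in the current user's Personal (My) store and
# export only the public certificate, DER-encoded. Export-Certificate
# never writes the private key, which is exactly what a trust store needs.
$root = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' })
if ($root.Count -eq 0) { throw 'No Fiddler root in CurrentUser\My; enable Decrypt HTTPS traffic first.' }
if ($root.Count -gt 1) { throw 'Several Fiddler roots found; remove the stale ones before trusting any.' }
$root = $root[0]

Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null

# Check that what landed on disk is the certificate you meant to trust.
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($onDisk.Thumbprint -ne $root.Thumbprint) { throw 'Exported file does not match the store certificate.' }

# Steps 3-10: add it to the machine-wide Trusted Root store.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
# Equivalent on Windows 7 or anywhere the PKI module is missing:
#   certutil -addstore -f Root $cerPath

# Verify the machine store now contains it.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint } |
    Format-List Subject, NotAfter, Thumbprint

# Cleanup, for when debugging is over. Fiddler's Remove Interception
# Certificates button handles the per-user stores; if the machine-wide
# copy you added here is still present afterwards, remove it by hand:
#   Get-ChildItem Cert:\LocalMachine\Root |
#       Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' } | Remove-Item
```

The thumbprint comparison is the part worth keeping even if you prefer the MMC route: a trust store only ever sees the public certificate, so confirming that the file you import is the one in your Personal store is the one check that prevents trusting something else by mistake.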

Additional HTTPS Options

Before closing the Fiddler Options window, consider using the dropdown to configure which processes should have their traffic decrypted:

If you only plan to decrypt browser traffic, choose that option to avoid decrypting traffic from other applications that aren’t of interest to you. Beyond saving CPU cycles and memory, doing so can prevent problems with applications that are not using HTTPS in standard ways (e.g. Outlook uses RPC-over-HTTPS tunnels to connect to Exchange Server) or that validate server certificates on their own and therefore will not respect the Fiddler root certificate’s presence in the Windows Trusted store (e.g. Dropbox).

You may also use the textbox to list servers for which HTTPS traffic should not be decrypted. For instance, I use the following settings to prevent decryption of Outlook Web Access and Dropbox traffic:

Use semicolons to delimit the hostnames in the list, and use * as a wildcard character.


Configuring Clients for HTTPS Decryption

While most applications (Internet Explorer, Microsoft Office, Chrome, Safari, etc.) use the Windows Certificate Store to validate certificate chains, some applications maintain their own certificate stores. For instance, Java Runtime Environments often have their own certificate stores, and the Firefox and Opera browsers also maintain their own certificate lists.

To configure such clients to trust Fiddler-generated certificates, you must first obtain Fiddler’s root certificate as a .CER file. You have two options to do so:

1. Click the Export Root Certificate to Desktop button on the Fiddler Options window’s HTTPS tab.

2. Visit http://127.0.0.1:8888/ in the browser and click the FiddlerRoot Certificate link to download the certificate as a .CER file.

After you have the root certificate file, you can add it to the client application’s Trusted certificates list.
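As an added example (not code from the book, Fiddler, or any of the applications named here), the script below performs option 2 without a browser, checks that the downloaded file really is the root Fiddler generated, and then adds it to a Java Runtime’s own trust store with keytool, the case the paragraph above mentions. It assumes Fiddler is listening on 127.0.0.1:8888 and serves the root at /FiddlerRoot.cer, that JAVA_HOME points at the Java installation to modify, that its cacerts file still uses the JDK default password "changeit", and that you run it with permission to write to that file (elevated, if Java lives under Program Files).

```powershell
# Added example, not from the book: scripted version of option 2 above,
# followed by a thumbprint check and an import into a Java Runtime's
# trust store with keytool.
#
# Assumptions (not stated in the book): Fiddler is listening on
# 127.0.0.1:8888 and its echo page serves the root at /FiddlerRoot.cer;
# $env:JAVA_HOME points at the JRE/JDK whose cacerts should trust Fiddler;
# that cacerts still uses the JDK default password "changeit".

$cerPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FiddlerRoot.cer'

# Fetch the root from Fiddler's own endpoint over plain HTTP.
Invoke-WebRequest -Uri 'http://127.0.0.1:8888/FiddlerRoot.cer' -OutFile $cerPath

# Never trust a file just because it arrived on the right port: the
# downloaded certificate must be the root Fiddler generated into the
# current user's Personal store.
$downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$inStore = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' })
if ($inStore.Count -eq 0) {
    throw 'No Fiddler root in CurrentUser\My; enable Decrypt HTTPS traffic in Fiddler first.'
}
$knownThumbprints = $inStore | ForEach-Object { $_.Thumbprint }
if ($knownThumbprints -notcontains $downloaded.Thumbprint) {
    throw "Downloaded certificate $($downloaded.Thumbprint) is not Fiddler's root; refusing to import."
}

# Java keeps its own trust store (lib\security\cacerts), so the Windows
# Trusted Root store is irrelevant to it.
if (-not $env:JAVA_HOME) { throw 'Set JAVA_HOME to the Java installation you want to modify.' }
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$cacerts = Join-Path $env:JAVA_HOME 'lib\security\cacerts'
$alias   = 'fiddlerroot'

# keytool refuses to import under an alias that already exists, so drop
# any stale copy first (the delete fails harmlessly if there is none).
& $keytool -delete -alias $alias -keystore $cacerts -storepass changeit 2>$null
& $keytool -importcert -noprompt -trustcacerts -alias $alias -file $cerPath `
    -keystore $cacerts -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Cross-check: keytool's SHA1 fingerprint must equal the Windows thumbprint
# (same hash; Windows just prints it without the colons).
& $keytool -list -v -alias $alias -keystore $cacerts -storepass changeit |
    Select-String 'SHA1'
'Expected SHA1: ' + ($downloaded.Thumbprint -replace '(..)(?!$)', '$1:')
```

The same .CER file, once verified this way, is what you hand to Firefox or Opera in the steps that follow; the thumbprint check is only needed once, when the file is produced.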

Browsers

Firefox

In Firefox, click Tools > Options. Click the Advanced button, and switch to the Encryption tab. Click View Certificates to open the Certificate Manager. Click the Authorities tab and click the Import button. Select the FiddlerRoot.cer file and click Open. Tick the Trust this CA to identify websites checkbox and press Ok. Firefox will now trust HTTPS server certificates generated by Fiddler.

Opera

In Opera, click Opera > Settings > Preferences. Click the Advanced tab, and click Security in the list. Click Manage Certificates. Click the Authorities tab and click the Import… button. Select the FiddlerRoot.cer file and click Open. Click the Install button and click the Ok button to confirm that you want to trust the certificate. Opera will now trust HTTPS server certificates generated by Fiddler.
