W3C home > Mailing lists > Public > public-xg-webid@w3.org > May 2011

FW: [Fiddler] - 3594 Re: Capturing SSL traffic from iPhone

From: peter williams <home_pw@msn.com>
Date: Mon, 2 May 2011 14:39:26 -0700
Message-ID: <SNT143-ds13547B3EB897B4672928E8929F0@phx.gbl>
To: <public-xg-webid@w3.org>

Apple https woes, on another list.

Some useful tools emerging though. E.g. web browser in an iphone app, much
like folks have done web browser controls in windows forms (for years).
Note, like in IE vs IE control world, behavior of HTTPS *changes*. In
IE-land, all the cert-related providers change from the Mozilla-aping model,
to .. programmer pick your own. Not every app wants to behave like Mozilla,
when working with structured data.


-----Original Message-----
From: httpfiddler@googlegroups.com [mailto:httpfiddler@googlegroups.com] On
Behalf Of EricLaw
Sent: Monday, May 02, 2011 1:25 PM
To: Fiddler
Subject: [Fiddler] - 3594 Re: Capturing SSL traffic from iPhone

Yeah, I took it down after buying an IPOD Touch yesterday and confirming
that while the certificate is marked as "Trusted" in the device's store, the
cert chain still reports errors. Investigation continues...

On May 2, 1:18 pm, Eric Vermeire <er...@allrecipes.com> wrote:
> The link tohttps://www.fiddler2.com/dl/MakeFiddlerRoot.zipis
> returning HTTP 404 (Not found)
>
> Eric
>
> On Apr 29, 8:44 am, EricLaw <bay...@gmail.com> wrote:
>
>
>
> > Okay, so I may have a workaround for this, based on generating a new 
> > root certificate with AKI and SKI extensions.
>
> > Can you please try the following:
>
> > 1> In Fiddler, click Tools > Fiddler Options > HTTPS.
> > 2> Untick Decrypt HTTPS Traffic.
> > 3> Click the "Remove decryption certificates" button and accept the
> > prompt to delete all certificates.
> > 4> Downloadhttps://www.fiddler2.com/dl/MakeFiddlerRoot.zipandrun
> > the MakeFiddlerRoot.exe
> > 5> Click through the import dialogs to import the new root.
> > 6> Retick the Decrypt HTTPS Traffic checkbox
>
> > Try the scenario again.
>
> > thanks,
> > -Eric
>
> > On Apr 28, 9:49 am, Eric Vermeire <er...@allrecipes.com> wrote:
>
> > > Glad to see others are discussing this topic, but I feel that 
> > > there is still work to be done for get a working solution.  
> > > Currently, I have to use the Charles HTTP proxy in order to view 
> > > SSL traffic from native apps on my iOS devices.  The keyword is 
> > > "native" apps.  This is possible on Charles, because the 
> > > certificate it generates is marked as "Trusted" (green colored 
> > > text) on my iOS devices.  The Fiddler generated cert. is marked as 
> > > "Untrusted" (red colored text) and therefore is not automatically 
> > > used by native apps when making SSL requests.
>
> > > So, what exactly is the difference between the Charles cert. and 
> > > the Fiddler cert.?  If we could get Fiddler to generate a SSL 
> > > cert. with the same settings so that iOS devices consider the 
> > > cert. to be "Trusted", then I can switch back to Fiddler.
>
> > > Eric
>
> > > On Mar 31, 12:04 pm, Max Vaysburd <max.vaysb...@angrykitten.com>
> > > wrote:
>
> > > > Hello.
>
> > > > Has anyone successfully used Fiddler to capture SSL traffic from 
> > > > iPhone apps other than Safari?  I am running into issues, likely 
> > > > due to self-signed nature of the Fiddler Root cert, in trying to 
> > > > get an iPhone application with embedded UIWebView control to 
> > > > reveal it's SSL traffic.  Here's what I've done
>
> > > > 1. Set up Fiddler to decrypt SSL traffic and exported the root cert.
> > > > 2. Renamed FiddlerRoot.cer to FiddlerRoot.crt, loaded it to the 
> > > > phone via Safari and marked it as trusted.
> > > > 3. Connected iPhone to WiFi and set proxy to Fiddler's IP 
> > > > address and port 8888
>
> > > > When I point Safari at a site using SSL, I am first shown a 
> > > > dialog warning about untrusted SSL cert (fiddler injecting 
> > > > itself) and once I accept then I can see the traffic in fiddler.
> > > > When I point an app hosting UIWebView to the same URL, there is 
> > > > no prompt (expected behavior) and all I see are a bunch of 
> > > > CONNECT requests in Fiddler and the app doesn't work correctly.
>
> > > > In contrast, using Charles proxy and following the same steps as 
> > > > above I see two significant differences.  First of all Safari 
> > > > doesn't prompt about untrusted certificate.  Presumably because 
> > > > Charles cert was imported and trusted.  Secondly, the app using 
> > > > UIWebView functions normally and SSL traffic is automatically
decrypted by Charles.
>
> > > > Perhaps the difference in behavior is that Fiddler dynamically 
> > > > generates a cert rooted to untrusted root, where as Charles just 
> > > > uses the same certificate?  Can anyone offer suggestions on how 
> > > > to make iPhone trust Fiddler's certs?
>
> > > > Thanks,
> > > > Max.- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

--
You received this message because you are subscribed to the Google Groups
"Fiddler" group.
To post to this group, send email to httpfiddler@googlegroups.com.
To unsubscribe from this group, send email to
httpfiddler+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/httpfiddler?hl=en.
Received on Monday, 2 May 2011 21:39:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 2 May 2011 21:39:55 GMT