Unable to decrypt HTTPS traffic between Dropbox Windows client and Dropbox server


Kenny Lai

Sep 8, 2013, 11:59:38 PM
to httpf...@googlegroups.com
Dear All,
  I am new to Fiddler, and I am trying to use Fiddler to decrypt the messages between the Dropbox Windows client and the Dropbox server.
  I installed the root cert into my user account and configured the Dropbox client to use Fiddler as its proxy.
  However, if I check "Decrypt HTTPS traffic", the Dropbox client is no longer able to connect to the server.
  Is there any configuration I missed that stops it from connecting?

Best wishes,
Kenny

EricLaw

Sep 9, 2013, 12:57:50 PM
to httpf...@googlegroups.com
Sadly, the Dropbox folks built their application specifically to block what you're trying to do, using a technique called Certificate Pinning.
 
From the Fiddler Book:

Certificate Pinning

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.

To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Chrome browser supports pinning (although it should exempt Fiddler’s locally-trusted certificate) and the Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Update).

When a Certificate-Pinned application performs an HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate.

Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption by setting the x-no-decrypt Session flag on the CONNECT tunnel. This flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.

To avoid blocking Dropbox app traffic while Fiddler is running, you can use Tools > Fiddler Options > HTTPS to either only decrypt browser traffic, or you can configure Fiddler not to decrypt traffic to *.dropbox.com.

You may find this recent paper on reverse-engineering Dropbox interesting: https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf
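The x-no-decrypt workaround from the book excerpt, written as a FiddlerScript rule: this is an added example, not code from the thread or from Fiddler itself, and the pass-through host list plus the "ui-color" highlighting are my assumptions, not Fiddler defaults.

```jscript
// Added example (not from the thread or from Fiddler): a FiddlerScript
// (JScript.NET) handler that exempts Dropbox CONNECT tunnels from decryption
// so the certificate-pinned client keeps working while all other HTTPS
// traffic is still decrypted. Paste into Rules > Customize Rules, inside the
// existing class Handlers. The host list below is an assumption.
import System;
import Fiddler;

class Handlers {
    // Hosts whose tunnels are passed through untouched (suffix match).
    static var passThroughHosts = ["dropbox.com", "dropboxusercontent.com"];

    static function IsPassThroughHost(hostname: String): boolean {
        var h = hostname.ToLowerInvariant();
        for (var i = 0; i < passThroughHosts.length; i++) {
            var suffix = passThroughHosts[i];
            if (h == suffix || h.EndsWith("." + suffix)) return true;
        }
        return false;
    }

    static function OnBeforeRequest(oSession: Session) {
        // The pin check happens during the TLS handshake inside the tunnel,
        // so the flag must go on the CONNECT request itself, before Fiddler
        // would otherwise present its own generated certificate.
        if (oSession.HTTPMethodIs("CONNECT") && IsPassThroughHost(oSession.hostname)) {
            oSession["x-no-decrypt"] = "Certificate-pinned client; tunnel passed through";
            oSession["ui-color"] = "gray";   // make the skipped tunnels easy to spot
        }
    }
}
```

This is the scripted equivalent of adding *.dropbox.com to the skip-decryption list in Tools > Fiddler Options > HTTPS; the Session flag approach lets the exemption depend on anything else visible on the CONNECT request.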
