Use Fiddler to decrypt https traffic


Francesco Alfano

Jan 14, 2016, 9:47:17 AM
to Fiddler
Hi,
I initially received real-time data from a website in a browser page; to process the data with my own program I used a sniffer similar to the ones proposed at http://www.freeproject.co.in/source/Network-Packet-Sniffer.aspx?pf=Java&t=web or http://packetsnifferusingjpcap.blogspot.it/, which writes to a file all TCP/IP traffic that passes through the network interface from a given IP address.
Now my data provider supplies the data over SSL (HTTPS), so my sniffer no longer receives the data in clear.
To connect to my provider I must provide a user name and password and then, on a new page, a temporarily generated key code; the browser then opens a web page related to an address xxx.yyy.nnn.zzz (without the https prefix) which shows the real-time data.
Using Wireshark and the instructions provided in https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/ I'm able to decrypt the SSL page.

Is it possible to use Fiddler in order to keep using the same sniffer program?

Eric Lawrence

Jan 14, 2016, 10:05:17 AM
to Fiddler
Generally speaking, I would expect Fiddler to be able to accomplish your task more easily than the approach you describe.

Fiddler is an HTTP/HTTPS proxy, which captures and displays all of the data sent through it. It decrypts data using a MITM approach (basically, it re-signs the traffic) rather than by using any sort of post-facto key leakage approach.

Francesco Alfano

Jan 14, 2016, 10:57:12 AM
to Fiddler
Could you explain and help me how I can do it?
I have tried and I get this message: "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."

Eric Lawrence

Jan 14, 2016, 11:14:04 AM
to Fiddler
What is the client application, specifically? A browser (which?)? Some other thing?

If the client does not automatically use the system's certificate trust store (see http://www.telerik.com/blogs/faq---certificates-in-fiddler for discussion) then you must manually import Fiddler's root certificate into that store in order for the certificate chain to validate.

Francesco Alfano

Jan 14, 2016, 1:34:46 PM
to Fiddler
I use Linux, so I use this version of Fiddler, http://fiddler.wikidot.com/mono, and Firefox 43.0.4.

Eric Lawrence

Jan 14, 2016, 1:57:41 PM
to Fiddler
From that page:

Trusting Fiddler's Certificate
If you enable HTTPS decryption in Fiddler, you must configure your browser to trust Fiddler's root certificate.

In Fiddler, click Tools > Fiddler Options > HTTPS and click the "Export Root certificate to desktop" button.

Trusting the Root in Firefox
Click Edit > Preferences > Advanced > Encryption > View Certificates. Click the Authorities tab. Click the Import button. Select the FiddlerRoot.cer file from your desktop. Tick the "Trust this CA to identify websites" box and click Ok.

Francesco Alfano

Jan 14, 2016, 2:09:57 PM
to Fiddler
I have tried under Windows; I see the HTTPS traffic, but I don't see the IP traffic which is encrypted using SSL (HTTPS) coming from IP xxx.yyy.zzz.nnn (without the https prefix).
I'm sure that the traffic comes from xxx.yyy.zzz.nn because I've tried using Wireshark and I have decrypted it.

Eric Lawrence

Jan 14, 2016, 2:45:37 PM
to Fiddler
When you say "the IP traffic" -- What format is the traffic in question? Is it HTTP over TLS over IP, or is it a raw bytestream over TLS over IP? (If the latter, how is that bytestream being read by the webpage)?

Francesco Alfano

Jan 14, 2016, 3:57:35 PM
to Fiddler
Thanks for your help.
This is a sample of the data decrypted using Wireshark; I hope it answers your question:

GET / HTTP/1.1
Host: serverpush.dot.it:7072
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: https://severdata.dot.it
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 1VkXxdjYOBuOjfa+gAQ91A==
Cookie: _ga=GA1.2.458778788.1410278708; _gat=1; _gali=Avanti
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
 
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: fIKoaTEDrGcC8Qyxt5bppaevP9U=
 
...t...t.a.7...I...F...C...M...D...........F...................M...B...L.......~.......
RESULT=ACK
....5h..0m..s!..p:..q"...;...X.....8...=...~.B.}.3.|.G...^.......T.C.W.F.FP
..S..gR..w%..a&s...t...v...t...8...I...=...$...~.J.....C3DJI;0=16391.69;1=1.4877;4=104196873;20=2511792525067.33;7=21:52:35
.B.....;3SP500;0=1923.67;4=637246226;20=1677783824894.07;7=21:52:35
..L...N...L.......q...........
.......
...F...7...C...O......a...E...(...3...5...5....s..Cq..bs..
?...N...:...6......Y...{........... ... ...J.....DATA1I;0=16391.28;1=1.4851;4=104210258;20=2511792541458.61;7=21:52:36
.-.....&DATA2;4=637298282;20=1677783826817.68
.+.....$DATA2;0=1923.61;1=1.7632;7=21:52:36
..cq>.ar;.cQxU/%{N^BzV*R O3D.,@BxH04sU!R X)84........ ...N.Y.M.(.L.\.;.E.8.6.N.F.E.W.;._...J.....DATA1I;0=16389.91;1=1.4767;4=104222192;20=2511792557848.52;7=21:52:37
.K.....DATA2;0=1923.48;1=1.7564;4=637378052;20=1677783828741.16;7=21:52:37

Eric Lawrence

Jan 15, 2016, 4:04:31 PM
to Fiddler
This is HTML5 WebSocket traffic, which is shown inside Fiddler using the WebSockets inspector. See http://www.telerik.com/blogs/what-s-new-in-fiddler-4-5 for details on Fiddler's WebSocket viewer.

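The decrypted stream posted above is WebSocket framing, and the `.&DATA2` and `.$DATA2` prefixes in it are consistent with 2-byte unmasked text-frame headers (0x81 followed by a one-byte payload length of 38 and 36, one more than the visible text of each record, i.e. a trailing newline). What follows is an added example, not code from the thread or from Fiddler: a small Python parser that walks such a stream, removes the mask from client-to-server frames, turns the `NAME;k=v;...` records into dictionaries, and recomputes the Sec-WebSocket-Accept value from a Sec-WebSocket-Key. The client message `SUB;0=DATA2`, its masking key and the trailing newlines are assumptions made to construct the sample input; the two DATA2 records are copied from the dump.

```python
"""Pull WebSocket messages out of a decrypted TCP stream (e.g. the one
Wireshark reconstructs with the browser's key log) and parse the feed
records inside them. Added example, not code from the thread."""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def websocket_accept(sec_websocket_key: str) -> str:
    """Value a genuine server returns in Sec-WebSocket-Accept for this key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class Frame:
    fin: bool
    opcode: int     # 0x1 text, 0x2 binary, 0x8 close, 0x9 ping, 0xA pong
    masked: bool    # RFC 6455: client->server frames are masked, server->client are not
    payload: bytes  # payload with the mask already removed


def build_frame(payload: bytes, opcode: int = 0x1, mask_key: bytes = b"") -> bytes:
    """Encode one final (FIN=1) frame; used below only to construct sample input."""
    n, mask_bit = len(payload), 0x80 if mask_key else 0
    head = bytes([0x80 | opcode])
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + n.to_bytes(2, "big")
    else:
        head += bytes([mask_bit | 127]) + n.to_bytes(8, "big")
    if mask_key:
        head += mask_key
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return head + payload


def parse_frames(buf: bytes) -> list[Frame]:
    """Split a stream into frames, unmasking client frames; stops at a truncated tail."""
    frames, i = [], 0
    while i + 2 <= len(buf):
        b0, b1 = buf[i], buf[i + 1]
        i += 2
        n = b1 & 0x7F
        ext = {126: 2, 127: 8}.get(n, 0)      # extended payload length field
        if ext:
            if i + ext > len(buf):
                break
            n = int.from_bytes(buf[i:i + ext], "big")
            i += ext
        masked, key = bool(b1 & 0x80), b""
        if masked:                             # MASK bit set -> 4-byte masking key follows
            key = buf[i:i + 4]
            i += 4
        payload = buf[i:i + n]
        i += n
        if (masked and len(key) < 4) or len(payload) < n:
            break                              # incomplete frame at the end of the capture
        if masked:
            payload = bytes(b ^ key[j % 4] for j, b in enumerate(payload))
        frames.append(Frame(bool(b0 & 0x80), b0 & 0x0F, masked, payload))
    return frames


def parse_record(text: str) -> tuple[str, dict[str, str]]:
    """'DATA2;0=1923.61;7=21:52:36' -> ('DATA2', {'0': '1923.61', '7': '21:52:36'})."""
    name, *pairs = text.strip().split(";")
    return name, dict(p.split("=", 1) for p in pairs if "=" in p)


def extract_records(buf: bytes) -> list[tuple[str, str, dict[str, str]]]:
    """(direction, record name, fields) for every text frame in the stream."""
    out = []
    for f in parse_frames(buf):
        if f.opcode == 0x1:
            name, fields = parse_record(f.payload.decode("utf-8", "replace"))
            out.append(("client" if f.masked else "server", name, fields))
    return out


# Constructed sample stream: a made-up masked client message, then two server
# records copied from the thread's dump. With a trailing newline the server
# payloads are 38 and 36 bytes, so their headers are b"\x81&" and b"\x81$":
# the ".&DATA2" / ".$DATA2" prefixes visible in the dump.
SAMPLE_STREAM = (
    build_frame(b"SUB;0=DATA2", mask_key=b"\x7f\x11\x3a\xc4")
    + build_frame(b"DATA2;4=637298282;20=1677783826817.68\n")
    + build_frame(b"DATA2;0=1923.61;1=1.7632;7=21:52:36\n")
)

if __name__ == "__main__":
    for direction, name, fields in extract_records(SAMPLE_STREAM):
        print(direction, name, fields)
    print("accept for the key in the dump:", websocket_accept("1VkXxdjYOBuOjfa+gAQ91A=="))
```

In practice you would feed `extract_records` the reassembled TCP payload of the port 7072 connection (for instance Wireshark's Follow TCP Stream after SSL decryption, saved as raw bytes) instead of `SAMPLE_STREAM`. Continuation (0x0) and binary (0x2) frames are ignored here; a feed that fragments messages, or one where the server actually confirms `permessage-deflate` (the request above asks for it, but the 101 response does not grant it), would need reassembly and inflate steps added.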
Francesco Alfano

Jan 16, 2016, 1:31:34 PM
to Fiddler
Thanks for your response.
With reference to my initial request, how can I redirect the network traffic captured by Fiddler to a file, or how can I continue to use the sniffer I already developed, which works only for data traffic in clear and not for traffic encrypted with SSL?

I'm sorry if my requests seem not perfectly defined; I am open to any clarification.

Thanks for your help.

EricLaw

Jan 16, 2016, 1:39:34 PM
to Fiddler
There are MANY options here (e.g. mvark.blogspot.com/2010/07/http-traffic-export-options-in-fiddler.html?m=1) depending on how you need this to work (e.g. what target file format, whether you need it fully automated, etc.).

If your goal is to log WebSocket messages to some format that you wish to view outside of Fiddler (i.e. not using Fiddler's WebSocket Inspector to show traffic from a previously stored SAZ file), then you should probably look at using the OnWebSocketMessage function in FiddlerScript (see the WebSockets section in www.telerik.com/blogs/what-s-new-in-fiddler-2-4-4-5).
