HSTS Preload Lists Chrome/Edge/Chromium


David P.

Aug 9, 2022, 9:58:04 PM
to Fiddler
Problem:
I am recently having trouble analyzing HTTPS decrypted traffic using the latest version of Fiddler.

Background:
Google Chrome / MS Edge / and other Chromium based browsers come with preloaded HSTS databases that seemingly cannot be altered.

This means that I cannot analyze all of the HTTPS traffic to those websites using Fiddler.

Some of the browsers have work-arounds that allow you to bypass the security error by typing a special key sequence. Chrome, for example, would let you type "badidea" and, at the moment, "thisisunsafe" to get around the HSTS issue for the current page. The problem is, there does not seem to be a workaround for all of the other content loaded via HTTPS that is considered unsafe for a given page due to HSTS lists. All of that content is blocked at the browser level and never makes it to Fiddler.

Question:
Does anyone know of a workaround to this issue so that I can continue to analyze ALL HTTPS traffic with Fiddler to websites that are protected by the preloaded HSTS databases?

Additional notes:
  • My Fiddler Root Certificate is properly installed and functional for websites not included in the HSTS databases.
  • I have a workaround in place that will strip the "Strict-Transport-Security" response header for sites not in the preloaded HSTS database.
  • I know how to remove sites that have been dynamically added to Chrome's dynamic HSTS database but preloaded sites cannot be removed.
  • I am using:
    Fiddler v5.0.20211.51073 for .NET 4.6.1 / Built: Wednesday, December 15, 2021
    Chrome v104.0.5112.79
    MS Edge  v104.0.1293.47

I would greatly appreciate any workaround that anyone can offer. The solution would only need to work on my local development machine / VM instance using official browser builds from Microsoft or Chrome.

Dave

David P.

Aug 13, 2022, 12:07:38 PM
to Fiddler
This issue is completely resolved -- it turned out to have nothing to do with Fiddler or the preloaded HSTS databases and everything to do with misconfigured certificates.

I manually went through my Win10 user and machine certificate stores and deleted ALL of the various Fiddler Root CA "do not trust" certificates.

Then I used two wonderful built-in features to properly reinstall my Fiddler certificate where it needs to go:

Fiddler => Tools => Options (Window) => Https (Tab) => Actions (Button) to:
(1) Reset All Certificates and
(2) Trust Root Certificate using admin credentials

After exiting Fiddler and "killing" (force quitting) all of my browser processes, this issue disappeared when I restarted the browsers.

Thank you to everyone that took a look at this issue. Tracking down certificate errors can be a pain. Using the features baked into Fiddler ultimately saved the day. Thank you Eric.

Best,
Dave
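The fix above came down to stale copies of the Fiddler root CA sitting in several Windows certificate stores. The following PowerShell is an added diagnostic, not code from the thread or from Fiddler itself: it lists every Fiddler root certificate across the user and machine stores so duplicates or expired generations can be seen before running Fiddler's "Reset All Certificates" and "Trust Root Certificate" actions. It assumes the root's subject contains Fiddler's default name "DO_NOT_TRUST_FiddlerRoot"; adjust `$pattern` if your install uses a different name.

```powershell
# Added diagnostic (not from the thread): enumerate Fiddler root certificates
# across the Windows certificate stores the post mentions, so stale or
# duplicate copies can be spotted before re-running Fiddler's
# "Reset All Certificates" / "Trust Root Certificate" actions.
# Assumption: the Fiddler root CA subject contains "DO_NOT_TRUST_FiddlerRoot"
# (Fiddler's default name); change $pattern if yours differs.
$pattern = 'DO_NOT_TRUST_FiddlerRoot'
$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\My',
    'Cert:\CurrentUser\CA',
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\My',
    'Cert:\LocalMachine\CA'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$pattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                HasKey     = $_.HasPrivateKey   # Fiddler signs with the copy that has a key
            }
        }
}

if (-not $found) {
    Write-Host "No Fiddler root certificates found in the scanned stores."
    return
}

$found | Sort-Object Thumbprint, Store | Format-Table -AutoSize

# More than one distinct thumbprint means several generations of the Fiddler
# root are installed; the browser may then trust a root other than the one
# Fiddler currently signs leaf certificates with (the situation in the thread).
$distinct = ($found | Select-Object -ExpandProperty Thumbprint -Unique).Count
Write-Host "Distinct Fiddler root certificates: $distinct"
if ($distinct -gt 1) {
    Write-Warning "Multiple Fiddler root generations present; clean them up, then reset and re-trust from Fiddler."
}

# To remove one stale copy by hand (run elevated for LocalMachine stores):
#   Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT>"
```

Run it from an elevated PowerShell session so the LocalMachine stores are readable; after Fiddler's reset and re-trust, running it again should show a single thumbprint.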