Problem:
I have recently been having trouble analyzing HTTPS decrypted traffic using the latest version of Fiddler.
Background:
Google Chrome / MS Edge / and other Chromium-based browsers come with preloaded HSTS databases that seemingly cannot be altered.
This means that I cannot analyze all of the HTTPS traffic to those websites using Fiddler.
Some of the browsers have work-arounds that allow you to bypass the security error by typing a special key sequence. Chrome, for example, would let you type "badidea" and at the moment "thisisunsafe" to get around the HSTS issue for the current page. The problem is, there does not seem to be a workaround for all of the other content loaded via HTTPS that is considered unsafe for a given page due to HSTS lists. All of that content is blocked at the browser level and never makes it to Fiddler.
Question:
Does anyone know of a workaround to this issue so that I can continue to analyze ALL HTTPS traffic with Fiddler to websites that are protected by the preloaded HSTS databases?
Additional notes:
- My Fiddler Root Certificate is properly installed and functional for websites not included in the HSTS databases.
- I have a workaround in place that will strip the "Strict-Transport-Security" response header for sites not in the preloaded HSTS database.
- I know how to remove sites that have been dynamically added to Chrome's dynamic HSTS database, but preloaded sites cannot be removed.
- I am using:
Fiddler v5.0.20211.51073 for .NET 4.6.1 / Built: Wednesday, December 15, 2021
Chrome v104.0.5112.79
MS Edge v104.0.1293.47
I would greatly appreciate any workaround that anyone can offer. The solution would only need to work on my local development machine / VM instance using official browser builds from Microsoft or Chrome.
Dave
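As an added example (not part of Dave's post, and not Fiddler or Chromium code), a small Python model of why the preloaded entries behave the way the question describes: a dynamic entry set by a Strict-Transport-Security header can be cleared with max-age=0, a preloaded entry cannot, and a superdomain entry with includeSubDomains covers every subresource host beneath it. The preload entries and host names are constructed sample data.

```python
# Added example, not part of the original post: a simplified model of how a
# Chromium-style browser decides whether a host is HSTS-enforced, from a
# preloaded list (which response headers cannot alter) plus a dynamic store.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HstsEntry:
    host: str
    include_subdomains: bool

PRELOAD = {  # constructed sample data, not the real preload list
    "example.com": HstsEntry("example.com", include_subdomains=True),
    "static-only.test": HstsEntry("static-only.test", include_subdomains=False),
}

def parse_sts_header(host: str, value: str) -> Optional[HstsEntry]:
    """Parse Strict-Transport-Security (RFC 6797); None means max-age=0."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:  # no max-age: header is invalid, caller ignores it
        raise ValueError("invalid Strict-Transport-Security header")
    return HstsEntry(host.lower(), include_sub) if max_age > 0 else None

def apply_sts_header(dynamic: dict, host: str, value: str) -> None:
    """Update the dynamic store the way a browser does on an HTTPS response."""
    try:
        entry = parse_sts_header(host, value)
    except ValueError:
        return  # malformed header leaves stored state unchanged
    if entry is None:
        dynamic.pop(host.lower(), None)  # max-age=0 clears dynamic state only
    else:
        dynamic[host.lower()] = entry

def is_hsts_host(host: str, preload: dict, dynamic: dict) -> bool:
    """Exact match always counts; a superdomain match needs includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        for store in (dynamic, preload):
            entry = store.get(".".join(labels[i:]))
            if entry and (i == 0 or entry.include_subdomains):
                return True
    return False
```

Running it shows that a max-age=0 header removes the dynamic entry for dev.local but leaves example.com enforced, which is the part of the preload behaviour a proxy-side header rewrite cannot reach.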