Fiddler not capturing certain websites - ssl

I am using fiddler version 4 and am unable to capture some websites like Facebook, google, gmail, yahoo; however, it captures some other websites correctly.
I checked the filters option and found that they use filters option "Unchecked" and also checked fiddler through its IP and its running correctly.

I think that's causes by missing https decryption.
There is a menu point to import the fiddler root certificate in the local certificate store.
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/TrustFiddlerRootCert
How to:
Click Tools > Fiddler Options > HTTPS.
Click the Decrypt HTTPS Traffic box.

Related

Jmeter Recorder - can't access github website

I'm new to Jmeter and I have the following case:
I'm trying to record using Jmeter by going to github.com/login. I set localhost and port to jmeter, also to Mozilla. Certificate created by jmeter is added to mozilla.
If I access for example stackoverflow, it works, but if I want to go to github I don't have the button Accept the risk and continue as it was for stackoverflow, therefore github can't be accessed. I even installed a clean Mozilla in order to not have any old certificate for github.
Does anyone know why is this happening?
jmeter configuration
github certificate message
firefox proxy config
Later edit: This is how it looks for example
stackoverflow
I'm not able to access facebook, google besides github.
It is a matter of certificate installation. Once you install the certificate, there shouldn't be an "Accept the risk and continue". Rather you should be able to directly navigate to the website.
Please try the below steps to install appropriately in Firefox
Launch Firefox -> Navigate to Options -> Search Certificates -> Click View Certificates -> Click on "Authorities" tab -> Click Import -> Choose certificate file types to include ".crt" files in the File Browser Pop-up -> Choose "ApacheJMeterTemporaryRootCA.crt"
Pop-up such as this should appear if you have followed appropriately
Check Trust this CA to identify Websites -> Click OK -> Navigate to Authorities tab once again -> Ensure JMeter certificate is available
If all the above steps are followed, you should be able to record https://github.com/login without any hiccups
Why this error appears in the first place
Basically when a browser tries to access a website via HTTPS, it tries to establish a secure connection post validation of the SSL certificate. In our case, since JMeter is the proxy with which Firefox interacts, Firefox believes it is the actual server and hence it is trying its best to ensure your safety by preventing you from sending the request since JMeter's SSL certificate is not one of the approved SSLs (not part of Trusted CA certificates).
How the certificate helps
When you add the JMeter's Root CA certificate into Trusted CA folder, you let Firefox know that SSL provided by JMeter is trustworthy and hence things are alright
Hope this helps!
You need to import JMeter's certificate into Firefox browser in order to be able to intercept and decrypt secure traffic, see HTTPS recording and certificates chapter of the HTTP(S) Test Script Recorder documentation for more details.
Remember that JMeter's MITM certificate has limited lifetime (7 days as of JMeter 5.3), so it might be the case you need to re-import the certificate if it's expired. The lifetime of the certificate is controlled by proxy.cert.validity property
If you still experience problems try cleaning your browser history and remove everything from the beginning of the time, it will remove cached certificates as well
More information: Recording HTTPS Traffic with JMeter's Proxy Server
Also be aware that you can use an alternative way of recording a JMeter test - JMeter Chrome Extension, in this case you won't have to worry about proxies and SSL certificates

IIS 8.5 not showing the ssl sign on the left of the URL

Hello I have a problem with an IIS 8.5 server where I have a 3.8 joomla. the problem is that I have installed the certificate and every time I enter the page only the sign of the certificate appears for a moment and then disappears I have configured the firewall and the URLs have also changed the .htacces and nothing seems to be a clear solution .
And there are times when I get a 403.3 error when I activate the ssl request in the ISS.
firstly, check if the https connection was established by checking the certificate
Chrome:- Press F12; click on security and view certificate; ALso check if the padlock is available.
If the padlock is not visible but https is shown on the address bar, then this seems to be an issue with mixed content. In short http links (images, codes) are served over https .

Safari 9 disallowed running of insecure content?

after upgrading to Safari 9 I'm getting this error in the browser:
[Warning] [blocked] The page at https://localhost:8443/login was not allowed to run insecure content from http://localhost:8080/assets/static/script.js.
Anyone knows how to enable the running of insecure content on the new Safari?
According to the Apple support forums Safari does not allow you to disable the block on mixed content.
Though this is frustrating for usability in legitimate cases like yours, it seems to be part of their effort to force secure content serving / content serving best practices.
As a solution for you you can either upgrade the HTTP connection to HTTPS (which it seems you have done) or proxy your content through an HTTPS connection with an HTTPS-enabled service (or, in your case, port).
You can fix the HTTPS problem by using HTTPS locally with a self signed SSL certificate. Heroku has a great how-to article about generating one.
After setting up SSL on all of your development servers, you will still get an error loading the resource in Safari since an untrusted certificate is being used(self signed SSL certificates are not trusted by browsers by default because they cannot be verified with a trusted authority). To fix this, you can load the problematic URL in a new tab in Safari and the browser will prompt you to allow access. If you click "Show Certificate" in the prompt, there will be a checkbox in the certificate details view to "Always allow content from localhost". Checking this before allowing access will store the setting in Safari for the future. After allowing access just reload the page originally exhibiting a problem and you should be good to go.
This is a valid use case as a developer but please make sure you fully understand the security implications and risks you are adding to your system by making this change!
If like me you have
frontend on port1
backend on port2b
want to load script http://localhost:port1/app.js from http://localhost:port2/backendPage
I have found an easy workaround: simply redirect with http response all http://localhost:port2/localFrontend/*path to http://localhost:port1/*path from your backend server configuration.
Then you could load your script directly from http://localhost:port2/localFrontend/app.js instead of direct frontend url. (or you could configure a base url for all your resources)
This way, Safari will be able to load content from another domain/port without needing any https setup.
For me disabling the Website tracking i.e. uncheck the Prevent cross-site tracking worked.

How do you remove the root CA certificate that fiddler installs

Fiddler helpfully offers to add a unique root CA certificate to intercept HTTPS traffic.
Once this certificate has been added, how do you go about removing it?
Either of two ways:
1) Disable HTTPS decryption and click the button titled "Remove Interception Certificates"
2) Open CertMgr.msc, open the Personal and Trusted Stores, and use the Delete key on the root.
Since Fiddler 4.6.1.5 the GUI is a bit different.
Go to Tools -> Fiddler Options -> HTTPS. Then click the "Actions" button and then "Reset All Certificates"
It will popup a message that it could take a while but it's really quick. Approve all popups and there you go.
Pay attention not to re-approve the certificate again (when I did it the message for approving the certificates popped up when I finished to approve all the popups.)
In Fiddler go to Tools » Options » HTTPS.
Then uncheck Decrypt HTTPS traffic and run Actions » Remove Interception Certificates.
This will remove all Fiddler certs from the Windows certificate store.
Background:
Fiddler is obviously using a kind of white hat "man in the middle" approach to decrypt and inspect any HTTPS traffic. To do that, it needs its own certs to be trusted. Therefore leaving Decrypt HTTPS traffic checked but removing the Fiddler certs as proposed in other answers does not make a lot of sense, as Fiddler can't decrypt then anyway.
Just expanding on EricLaw's 2nd option, which is more useful if you've put that cert on multiple devices (fairly common during network testing), and you only want to remove it on one (source - http://www.cantoni.org/2013/11/06/capture-android-web-traffic-fiddler):
Go to the Security tab in settings
Tap Trusted credentials, then select the User tab
Tap on the Fiddler “Do not trust” certificate, then scroll down to remove it
You may need to power cycle your device to get all apps to forget about the Fiddler certificate (e.g., the Chrome browser will continue to try to use it for a while)
Here is the procedure with Progress Telerik Fiddler Classic in its version v5.0.20211.51073.
Go to Tools > Options > HTTPS. The option to Remove Interception Certificates is greyed out, because Decrypt HTTPS traffic is still toggled ON.
Untick the box in front of Decrypt HTTPS traffic. You should be able to Remove Interception Certificates.
In the end:
Fiddler Classic's root certificate has been removed.
Fiddler-generated Certificates have been removed.
To ensure that certificates related to Fiddler have been effectively removed, in accordance with the messages displayed above, you could browse through authorized certificates with the following procedure.
Click on Open Windows Certificate Manager.
NB: if you prefer to use Windows' built-in tools, e.g. if Fiddler has been uninstalled,
Press Win+R, type certmgr.msc in the search box, then press Enter
Then:
Go to Action > Find Certificates...
In the search box for Contains:, type DO_NOT_TRUST_FiddlerRoot
In the drop-down box for Look in Field:, ensure that the option is set to Issued By. If the option were set to Issued To, you would find fewer matches.
Click on the button Find Now to list every certificate .
In my case, there was one Fiddler-related certificate left after the procedure. If that is the case for you as well, then you may want to manually delete it, by right-clicking on this entry.

Outlook and Gmail blocking images off an SSL Newsletter

I have a newsletter tool that, well, shows newsletters. Well, the site was on non-SSL hosting and now is on an SSL host. When a user receives the newsletter in Gmail or Outlook the images have a blue question mark on it and the image doesn't show. They can click the 'view in browser' option and everything shows up fine.
This is also with images displayed option turned on in both Outlook and Gmail.
Here's where I think I see the problem - the site does not have it's own SSL cert. It's using a server one so there is a name mismatch.
Would that be the reason why the images are not showing up in Outlook/Gmail? If so, would the solution be to get an SSL cert that matches the domain name?
Here's where I think I see the problem - the site does not have it's own SSL cert. It's using a server one so there is a name mismatch.
The certificate you're using must be valid for the host name you're using (see RFC 2818, Section 3.1). If this is not the case, your HTTPS server isn't set up properly, so you shouldn't be surprised clients don't like it.
They can click the 'view in browser' option and everything shows up
fine.
Presumably, this works because your users are willing to ignore an error message, which they shouldn't do.