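I just found out that Fiddler can decrypt HTTPS traffic.
For example, I deployed a website on localhost using HTTPS. When I inspected the packets in Fiddler, I was able to view all the information because it has a decrypt option.
My question is: why use HTTPS when Fiddler can decrypt it so easily?
Best answer
Fiddler performs a MITM technique.
For it to work, you need to trust its certificate: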
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
If you don't, it won't decrypt anything...
how can Fiddler2 debug HTTPS traffic?
A: Fiddler2 relies on a "man-in-the-middle" approach to HTTPS interception. To your web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server, Fiddler2 dynamically generates a HTTPS certificate.
Fiddler's certificate is not trusted by your web browser (since Fiddler is not a Trusted Root Certification authority), and hence while Fiddler2 is intercepting your traffic, you'll see a HTTPS error message in your browser [...]
Regarding debugging - why use HTTPS when Fiddler can decrypt it, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15245718/