automatic tool for removing the Fiddler certs

11 posts, 0 answers
  1. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 22 Feb 2015

    Is there an automatic tool for removing the Fiddler certs when I'm done working with them? That would save me from having to go into settings and go over the different tabs to remove all of them.

    Thanks,
    Ram.
  2. Eric Lawrence
    Admin
    833 posts

    Posted 24 Feb 2015

    Hi, Ram--

    I don't know what you mean when you say "over the different tabs to remove all of them." 

    You can click "Remove interception certificates" to clear Fiddler's certificates.

    You can type PREFS SET fiddler.CertMaker.CleanupServerCertsOnExit TRUE in QuickExec to have Fiddler clear the server certificates (not the root) from the Windows cert store when Fiddler exits. The downside is that generating certificates is slow, so recreating on every use is slow.

    Your best bet is to install the Fiddler Certificate Maker addon: http://fiddler2.com/r/?fiddlercertmaker/. This addon does not store server certificates in the Windows store, and it shares a single key for all server certificates to improve performance.

    Regards,
    Eric Lawrence
    Telerik
     

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

     
  3. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 26 Feb 2015 in reply to Eric Lawrence

    Hi Eric,

    Thanks for your help. I have a few issues with your answer.

    > I don't know what you mean when you say "over the different tabs to remove all of them." 

    When you look at the certificates in your Windows store there are different tabs for different kinds of certificates, like root, ca, personal. I want to remove all of them when I'm done working with Fiddler because I want my browser setup to be secure.

    > You can type PREFS SET fiddler.CertMaker.CleanupServerCertsOnExit TRUE in QuickExec to have Fiddler clear the server certificates (not the root) from the Windows cert store when Fiddler exits.

    If it doesn't delete all the Fiddler certificates, it doesn't really accomplish my goal. I assume I'm not the only person out there who wants to remove all the Fiddler certificates from the Windows store when he's done using Fiddler.

    > You can click "Remove interception certificates" to clear Fiddler's certificates.

    Does this remove ALL the Fiddler certificates, including the root one?

    > Your best bet is to install the Fiddler Certificate Maker addon: http://fiddler2.com/r/?fiddlercertmaker/. This addon does not store server certificates in the Windows store, and it shares a single key for all server certificates to improve performance.

    I installed it but it doesn't seem to be doing anything. Does it have an interface? Where am I supposed to see any difference now that I've installed it?

    Also, I checked out your addons page: http://www.telerik.com/fiddler/add-ons and saw no mention of it, otherwise I would try to read the documentation.


    Thanks,
    Ram.
  4. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 26 Feb 2015 in reply to Eric Lawrence

    Hi Eric,

    Thanks for your help. I have a few issues with your answer.

    > I don't know what you mean when you say "over the different tabs to remove all of them." 

    When you look at the certificates in your Windows store there are different tabs for different kinds of certificates, like root, ca, personal. I want to remove all of them when I'm done working with Fiddler because I want my browser setup to be secure.

    > You can type PREFS SET fiddler.CertMaker.CleanupServerCertsOnExit TRUE in QuickExec to have Fiddler clear the server certificates (not the root) from the Windows cert store when Fiddler exits.

    If it doesn't delete all the Fiddler certificates, it doesn't really accomplish my goal. I assume I'm not the only person out there who wants to remove all the Fiddler certificates from the Windows store when he's done using Fiddler.

    > You can click "Remove interception certificates" to clear Fiddler's certificates.

    Does this remove ALL the Fiddler certificates, including the root one?

    > Your best bet is to install the Fiddler Certificate Maker addon: http://fiddler2.com/r/?fiddlercertmaker/. This addon does not store server certificates in the Windows store, and it shares a single key for all server certificates to improve performance.

    I installed it but it doesn't seem to be doing anything. Does it have an interface? Where am I supposed to see any difference now that I've installed it?

    Also, I checked out your addons page: http://www.telerik.com/fiddler/add-ons and saw no mention of it, otherwise I would try to read the documentation.


    Thanks,
    Ram.
  5. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 26 Feb 2015

    (Sorry for the double post, your website gave me an error so I tried again and then there were 2 posts.)
  6. Eric Lawrence
    Admin
    833 posts

    Posted 26 Feb 2015

    Hi, Ram--

    Yes, CertMgr.msc shows folders. Fiddler's certificates should only ever appear in the Personal folder; if you see them elsewhere, some other code on your system is putting them there.

    CleanupServerCertsOnExit removes all certificates except the root; it does this on Fiddler's exit. Keep in mind that Certmgr.msc has some caching bugs whereby you need to restart the tool to see changes. If you find that certs aren't getting cleared, this indicates there is a bug or configuration problem in Windows.

    The CertMaker add-on is documented here: http://blogs.telerik.com/fiddler/posts/13-08-19/faq---certificates-in-fiddler


    Regards,
    Eric Lawrence
    Telerik
     


     
  7. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 28 Feb 2015 in reply to Eric Lawrence

    Thank you Eric. But it seems like my main concern hasn't been answered. I want to have ALL the Fiddler certificates removed when I'm done working with Fiddler, including the root. (Which is the most important one to remove...) So the QuickExec thing doesn't help.

    I still didn't understand how my need is being answered by this addon. I have it installed and I don't understand what I should be seeing different except the note in the options that it's being used.
  8. Eric Lawrence
    Admin
    833 posts

    Posted 03 Mar 2015

    1. Why do you believe it is important to remove the root? Have you read http://blogs.telerik.com/fiddler/posts/13-08-19/faq---certificates-in-fiddler to understand the security model for Fiddler certificates?

    2. When you use the CertMaker addon, only the root is added to the Windows certificate store (and only if you allow it). In contrast, the built-in certificate maker MUST put all server certificates in a Windows certificate store (as they're generated using the Windows certificate API).

    If you want to trust the Fiddler root but also want to remove it every time you close Fiddler, you can do so using FiddlerScript. In the OnShutdown method, add

         CertMaker.removeFiddlerGeneratedCerts(true);

    This will obviously make using Fiddler considerably less convenient.

    Regards,
    Eric Lawrence
    Telerik
     


     
  9. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 03 Mar 2015 in reply to Eric Lawrence

    Now I understand more, but still not completely. I have read the post a few times. I played around with CertMaker now and confirmed it doesn't place the other certificates in the Windows store, this is very nice.

    But: I don't have enough confidence that I'm safe when the Fiddler root certificate is in the Windows store. I know it's different for each install, but it's easy for you to trust this because it's your software. I would feel better if I knew that after using Fiddler, my system is clean from all Fiddler certificates.

    So: Where do I find this OnShutdown method? Can I edit it with any text editor? Do I add the line at the end?

    Thanks for your help,
    Ram Rachum.
  10. Eric Lawrence
    Admin
    833 posts

    Posted 03 Mar 2015

    You should not run programs that you don't trust. See Law #1: https://technet.microsoft.com/library/cc722487.aspx#EKAA

    FiddlerScript is edited by clicking Rules > Customize Rules.

    Regards,
    Eric Lawrence
    Telerik
     


     
  11. Ram
    13 posts
    Member since:
    Apr 2014

    Posted 03 Mar 2015 in reply to Eric Lawrence

    I did this and it worked. Thank you for your help Eric, and for answering all my followups!    
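
Added example, not part of the original thread and not Fiddler's own code: a PowerShell check that lists any Fiddler-generated certificates still present in the personal, root and CA stores discussed above, reading the certificate store directly instead of through Certmgr.msc. It assumes Fiddler's default root name `DO_NOT_TRUST_FiddlerRoot`, which does not appear in the thread, and the function name `Get-FiddlerCertificate` is hypothetical.

```powershell
# Added example: audit the Windows certificate stores for Fiddler-generated certs.
# Assumption: the root (and the issuer of every server cert) carries Fiddler's
# default name "DO_NOT_TRUST_FiddlerRoot"; pass -Marker if yours differs.
function Get-FiddlerCertificate {
    param(
        [string]$Marker = 'DO_NOT_TRUST_FiddlerRoot',
        [string[]]$Store = @('My', 'Root', 'CA'),             # Personal, Trusted Root, Intermediate
        [string[]]$Location = @('CurrentUser', 'LocalMachine')
    )
    foreach ($loc in $Location) {
        foreach ($name in $Store) {
            $path = "Cert:\$loc\$name"
            if (-not (Test-Path -Path $path)) { continue }
            Get-ChildItem -Path $path |
                Where-Object { $_.Subject -like "*$Marker*" -or $_.Issuer -like "*$Marker*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Store      = $path
                        IsRoot     = ($_.Subject -eq $_.Issuer)   # self-signed means the root itself
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                        PSPath     = $_.PSPath
                    }
                }
        }
    }
}

$found = @(Get-FiddlerCertificate)
if ($found.Count -eq 0) {
    Write-Output 'No Fiddler-generated certificates found.'
} else {
    $found | Sort-Object Store, IsRoot |
        Format-Table Store, IsRoot, Subject, Thumbprint -AutoSize
    # To delete what was found, uncomment the next line. -WhatIf only previews;
    # drop it to actually remove the entries.
    # $found | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
}
```

Run it after Fiddler has exited. Entries under `Cert:\LocalMachine` need an elevated prompt to remove, and Windows asks for confirmation before deleting a certificate from the current user's Trusted Root store.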