https certificate name is DO_NOT_TRUST

Fiddlerizer asked on 07 Mar 2016, 12:59 AM

I went to try to use the new DECRYPT HTTPS TRAFFIC option.

The Fiddler warning box said "This is generally safe."

But the Windows Security Warning box said the certificate is from "DO_NOT_TRUST_FiddlerRoot"

What is the deal? I find it hard to trust a certificate named "DO_NOT_TRUST."

1 Answer, 1 is accepted

Tsviatko Yovtchev (Telerik team) answered on 10 Mar 2016, 03:12 PM

Hello,

It is generally safe to trust this certificate when using Fiddler. It is named this way so that a system admin can easily see this is not a regular root certificate. It is also supposed to alarm the end user in case Fiddler is not running and some websites use certificates generated with this root certificate.

Regards,
Tsviatko Yovtchev
Telerik
rad commented on 17 Jan 2022, 12:41 PM

I'm looking to inspect HTTP traffic sent and received by a WCF client using Fiddler. To do this I've added the Fiddler Root Certificate to the Windows certificate store.

My question: is there any risk of leaving this certificate in the Windows store ready for when I may need to test again? Could an attacker take advantage of the fact that it's there? Should I remove it once I've finished testing?

Nick Iliev (Telerik team) commented on 17 Jan 2022, 01:32 PM

The risk of leaving the Fiddler certificate (in the keychain app or store) is equal to leaving any other certificate. Overall, it is safe to leave the certificate as it can be used only by the Fiddler application and not by a third party. If a third party has root access to your system, it will make no difference if the certificate was explicitly removed or not. It is a good practice to remove old or unused certificates, but it is not a mandatory security requirement. The most important thing is to understand that Fiddler is working as MITM (which is why we have explicitly named the certificate DO_NOT_TRUST). Any traffic that goes through it is fully exposed to the one that uses the Fiddler application (ideally, that would be only the user that installed the app and the certificate).
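A defender-side check that follows from this answer, added here as an example (it is not code from the thread, from Telerik or from Fiddler itself): a PowerShell audit that lists every certificate carrying the Fiddler root's subject name across the user and machine stores, shows whether a private key sits alongside it, and a removal function for when testing is done. It assumes Fiddler's default subject name "DO_NOT_TRUST_FiddlerRoot" and the standard Cert: provider store paths; the set of stores searched is an assumption, not something the thread specifies.

```powershell
# Added example, not part of the Telerik thread or of Fiddler's own code.
# Audits the Windows certificate stores for the Fiddler root CA so it can be
# reviewed and removed once HTTPS decryption is no longer needed.
# Assumption: Fiddler used its default subject name DO_NOT_TRUST_FiddlerRoot.

function Find-FiddlerRoot {
    [CmdletBinding()]
    param(
        [string]$SubjectPattern = '*DO_NOT_TRUST_FiddlerRoot*'
    )
    # Root = trusted root CAs, CA = intermediate CAs, My = personal store.
    # The list of stores to search is an assumption for this example.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA', 'Cert:\CurrentUser\My',
              'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My'
    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root whose private key is also present on this machine is
                    # the one to care about: whoever can read that key can issue
                    # leaf certificates this machine will accept.
                    HasPrivateKey = $_.HasPrivateKey
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

function Remove-FiddlerRoot {
    # Supports -WhatIf / -Confirm so the deletion can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Find-FiddlerRoot | ForEach-Object {
        $path = Join-Path -Path $_.Store -ChildPath $_.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove certificate')) {
            Remove-Item -Path $path
        }
    }
}

# Usage: list what is present, then preview removal before doing it for real.
Find-FiddlerRoot | Format-Table -AutoSize
# Remove-FiddlerRoot -WhatIf
# Remove-FiddlerRoot
```

Find-FiddlerRoot is read-only and safe to run at any time; entries under Cert:\LocalMachine can only be removed from an elevated prompt, and Remove-FiddlerRoot -WhatIf prints what would be deleted without touching anything. Running the audit after a test session is a cheap way to confirm the machine trusts only the roots it should.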
Ember commented on 11 Dec 2023, 09:40 AM (edited)

You are correct. The "DO_NOT_TRUST_FiddlerRoot" certificate is used by Fiddler, a web debugging tool, to intercept and inspect HTTPS traffic. While the naming might seem alarming, it is actually intended to serve as a security feature.
