This blog post covers TLS specifics, the benefits of TLS 1.3 and the newly added support for the encryption protocol in Fiddler Everywhere.
Almost all modern-day webpages, plus many desktop and mobile applications, use the HTTPS protocol to secure communication from the client to the server and vice versa. The S in HTTPS stands for Secure and implies that the data is transferred not in plain text but in encrypted form.
The encryption in HTTPS is achieved by using a cryptographic protocol named Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The idea is to prevent an intermediate from sniffing the ongoing packets and obtaining sensitive data (like usernames, passwords, financial data, personal content, etc.)—cryptographic encryption ensures that all data is unreadable for third parties.
There is widespread support for TLS versions TLS 1.2 (in use since 2008) and TLS 1.3 (released in August 2018), which are considered a standard for creating a secure application. Older versions of TLS (TLS 1.0 and TLS 1.1) were discontinued in 2019 and, alongside the obsolete versions of SSL (SSL 2.0 and SSL 3.0), are considered insecure.
If you are writing an application today and wondering which TLS version you should use, go for TLS 1.3! The latest version of TLS has significant improvements such as:
In conclusion, TLS 1.3 provides better handshake performance, improved latency and more robust security.
By default, Fiddler Everywhere by Progress Telerik is a local forward proxy, capturing non-secure HTTP traffic. To enable capturing and decrypting of HTTPS traffic, you need to go a step further and allow Fiddler to decrypt TLS traffic by explicitly installing and trusting its root CA and enabling HTTPS capturing. Once the Fiddler CA is trusted, the proxy works as an intermediate TLS proxy.
The above depicts how Fiddler Everywhere acts as a server for the client (that sends the HTTPS request) and as a client to the server (that receives the HTTPS request and returns the HTTPS response).
It is important to note that Fiddler will negotiate the TLS connections with the client and the server separately. When the Fiddler proxy establishes the TCP connection, it uses the client’s TLS version. Then Fiddler negotiates the TLS version with the server. If the server supports the client’s TLS version, it will select it for the connection—otherwise, it will negotiate a lower version. The latest version of Fiddler Everywhere will always try to use TLS 1.3 as the default TLS version.
Fiddler Everywhere 4.2.0 officially introduced support for TLS 1.3. Note that Fiddler Everywhere will accept inbound connections using any protocol version, including obsolete ones, but only if the host operating system or client app allows them. (All supported versions are SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and now TLS 1.3). However, there is specific behavior when the proxy stands in the middle and if the client and server are negotiating different TLS versions.
Suppose the server does not support TLS 1.3. In that case, Fiddler will negotiate a different version (through the Fiddler-Server TLS handshake in steps 7 and 8 depicted above) and establish the connection using a lower TLS version. In that case, the connections between the client and Fiddler and between Fiddler and the server will use different TLS versions.
The above behavior leads to a significant implication—Fiddler can unexpectedly "fix" your application while it fails in real life! Let’s demonstrate the above while using the BadSSL endpoint.
https://tls-v1-1.badssl.com:1011/
By default, Windows 10 does not allow an app acting as a server or proxy (like Fiddler Everywhere) to support TLS 1.3. To test TLS 1.3, you must execute the request from a compatible OS (Windows 11, the latest macOS or Ubuntu) and a client supporting TLS 1.3.
As a result, when Fiddler Everywhere stands in the middle, it will establish a TLS 1.3 handshake with the client. Then it will try to negotiate a TLS 1.3 handshake with the BadSSL server. However, the server will downgrade the TLS version to TLS 1.1 (as it explicitly supports that version). In Fiddler Everywhere, you will notice different badges that inform you of the TLS versions used for the HTTP Request and HTTP Response.
The direct implication is that you will be able to successfully load the BadSSL page because, as an intermediate, the Fiddler proxy successfully negotiated the TLS version with each of the parties (client and server).
When Fiddler is not in the middle, you might hit an unsupported protocol error (like ERR_SSL_VERSION_OR_CIPHER_MISMATCH) if the client and the server don’t support a standard SSL/TLS protocol or cipher suite.
The support for all TLS versions in Fiddler Everywhere opens many possibilities. You can create and apply specific rules for endpoints using a particular SSL/TLS version, inspect detailed TLS-related information (extensions, ciphers, compression), or filter your traffic through the TLS Version column.
And this is just the beginning! The team is planning to provide options to extend Fiddler’s TLS capabilities. Features like setting custom TLS versions and using specific cipher suites are just some things you could expect from Fiddler Everywhere in the future.
Try it yourself—download a free trial of Fiddler Everywhere.
Nikolay Iliev is a senior technical support engineer and, as such, is a part of the Fiddler family. He joined the support team in 2016 and has been striving to deliver customer satisfaction ever since. Nick usually rests with a console game or a sci-fi book.