Decrypting TLS 1.3

4 posts, 0 answers
  1. Jack
    1 posts
    Member since:
    Feb 2019

    Posted 11 Feb

    Hello,

    Is there any way to decrypt TLS 1.3 yet? Some apps have started using TLS 1.3 only, so proxying my phone through Fiddler leaves me with undecryptable tunnels only.

    An example of such a capture is attached.


    Best regards,

    Jack

  2. Alexander
    Admin
    383 posts

    Posted 15 Feb

    Hello,

    Rather unfortunately, the short answer is no, Fiddler does not support TLS 1.3 yet. The long answer - Fiddler's support for TLS 1.3 is coupled with .NET Framework's support for TLS 1.3. This means that Fiddler can have support for TLS 1.3 only after .NET Framework adds support for it. As of this page there is no word from Microsoft if and when this is going to happen.

    Regards,
    Alexander
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. cora
    1 posts
    Member since:
    Dec 2019

    Posted 30 Nov

    It is sad for everyone that .NET Framework doesn't support the latest TLS 1.3. Many web applications are now using the latest TLS version. Really looking forward to it. Until it is supported, is there a simple tool like Fiddler that also supports TLS 1.3?
  4. Eric R | Technical Support Engineer
    Admin
    228 posts

    Posted 5 days and 15 hours ago

    Hi Cora,

    Unfortunately, we are unaware of any other tools like Fiddler that support TLS 1.3. However, Fiddler includes the <client> token and will offer TLS/1.3 if the client does.

    With that said, there are different ways a website or mobile application could block a Man-in-the-Middle Attack from decrypting SSL traffic. The most well-known is Certificate Pinning. Essentially, if the client-server key-chain is not exact then the traffic cannot be decrypted. This is the most likely cause for not being able to decrypt traffic using Fiddler.

    Let me provide an example. I can see that as of today, the domain i.instagram.com from the screenshot provided in the Original Post hasn't enabled the TLS 1.3 or SSLv3 protocols, which means these sessions will appear as Tunnels in Fiddler. This is for security reasons.

    In the above example, Fiddler is probably not the best tool to use. Fiddler works best when the developer has access to the application source and certificates.

    I hope this helps. Please let me know if you have any additional questions. Thank you for using the Fiddler forums.

    Regards,


    Eric R | Technical Support Engineer
    Progress Telerik
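
The certificate pinning check described in the post above, as an added example that is not part of the original thread or of Fiddler: a pinning client hashes the public key of each certificate it is shown and compares it with pins shipped in the app, so a proxy-issued certificate is rejected even when the proxy's root is trusted on the device. The byte strings, pin set and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a certificate's SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def chain_matches_pins(chain_spkis, pinned) -> bool:
    """True if any certificate in the presented chain carries a pinned key."""
    matched = False
    for spki in chain_spkis:
        candidate = spki_pin(spki)
        for pin in pinned:
            # Constant-time compare; keep scanning instead of returning early.
            matched |= hmac.compare_digest(candidate, pin)
    return matched

def client_accepts(chain_spkis, root_trusted: bool, pinned=None) -> bool:
    """pinned=None models a client that relies on the trust store alone."""
    if not root_trusted:
        return False
    if pinned is None:
        return True
    return chain_matches_pins(chain_spkis, pinned)

# Constructed placeholder bytes standing in for DER SubjectPublicKeyInfo values.
SERVER_CHAIN = [b"spki:server-leaf", b"spki:server-intermediate", b"spki:public-root"]
PROXY_CHAIN = [b"spki:proxy-generated-leaf", b"spki:proxy-root"]

# Pins shipped inside the app: the server's intermediate plus a backup key.
APP_PINS = {spki_pin(b"spki:server-intermediate"), spki_pin(b"spki:backup-key")}

def demo():
    """Returns (direct+pinned, proxied+pinned, proxied+unpinned)."""
    direct = client_accepts(SERVER_CHAIN, True, APP_PINS)
    # Proxy root installed on the device: the chain validates, the pin check fails.
    proxied_pinned = client_accepts(PROXY_CHAIN, True, APP_PINS)
    # The same proxy chain against a client that does not pin is accepted.
    proxied_unpinned = client_accepts(PROXY_CHAIN, True, None)
    return direct, proxied_pinned, proxied_unpinned

if __name__ == "__main__":
    print(demo())
```

A client that rejects the proxy chain never sends application data through it, which is why such sessions show up in the proxy only as tunnels.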