Telerik Forums / Fiddler
This is a migrated thread and some comments may be shown as answers.

Decrypting TLS 1.3

3 Answers 1828 Views
Fiddler Classic
This is a migrated thread and some comments may be shown as answers.
Jack
Top achievements
Rank 1
Jack asked on 11 Feb 2019, 08:42 AM
2019-02-11-09_41_19-progress-telerik-fiddler-web-debugger.png

Hello,

Is there any way to decrypt TLS 1.3 yet? Some app's have started using TLS 1.3 only, so proxying my phone through Fiddler leaves me with undecryptable tunnels only.

 

An example of such a capture is attached.

 

Best regards,

Jack

3 Answers, 1 is accepted

Sort by
0
Alexander
Telerik team
answered on 15 Feb 2019, 12:17 PM
Hello,

Rather unfortunately, the short answer is no, Fiddler does not support TLS 1.3 yet. The long answer - Fiddler's support for TLS 1.3 is coupled with .NET Framework's support for TLS 1.3. This means that Fiddler can have support for TLS 1.3 only after .NET Framework add support for it. As of this page there is no word from Microsoft if and when this is going to happen.

Regards,
Alexander
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
0
cora
Top achievements
Rank 1
answered on 01 Dec 2019, 04:50 AM
This is Sad for everyone that .NET Framework doesn't support the latest TLS1.3. Many web applications are now using the latest TLS version. Really looking forward to it. Until it support, is there a simple tool like fiddler that also supports TLS1.3
0
Eric R | Senior Technical Support Engineer
Telerik team
answered on 04 Dec 2019, 09:21 PM

Hi Cora,

Unfortunately, we are unaware of any other tools like Fiddler that support TLS 1.3. However, Fiddler includes the <client> token and will offer TLS/1.3 if the client does.

With that said, there are different ways a website or mobile application could block a Man-in-the-Middle Attack from Decrypting SSL traffic. The most well-known is is Certificate Pinning. Essentially, if the client-server key-chain is not exact then the traffic cannot be decrypted. This is the most likely cause for not being able to decrypt traffic using Fiddler.

Let me provide an example. I can see that as of today, the domain i.instagram.com from the screenshot provided in the Original Post hasn't enabled the TLS 1.3 or SSLv3 protocols which means these sessions will appears as Tunnels in Fiddler. This is for security reasons.

In the above example, Fiddler is probably not the best tool to use. Fiddler works best when the developer has access to the application source and certificates.

I hope this helps. Please let me know if you have any additional questions. Thank you for using the Fiddler forums.

Regards,


Eric R | Technical Support Engineer
Progress Telerik

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Tags
Fiddler Classic
Asked by
Jack
Top achievements
Rank 1
Answers by
Alexander
Telerik team
cora
Top achievements
Rank 1
Eric R | Senior Technical Support Engineer
Telerik team
Share this question
or