Fiddler Everywhere (MacOS) -> Google "This browser or app may not be secure." error

2 Answers 1058 Views
Fiddler Everywhere MacOS
Warrick
Top achievements
Rank 1
Iron
Warrick asked on 18 Apr 2022, 10:42 PM

- I have Fiddler Anywhere Version : 3.1.1Built : Friday, April 1, 2022

- I'm getting the following error when trying to login to a site that uses Google Authentication

 

 

I have SSL enabled as well as HTTP 2 

I followed this following article to test via Curl: https://docs.telerik.com/fiddler-everywhere/knowledge-base/troubleshoot-traffic-capturing

And that seems to work fine


curl -v --url https://accounts.google.com/ -x 127.0.0.1:8866
*   Trying 127.0.0.1:8866...
* Connected to 127.0.0.1 (127.0.0.1) port 8866 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to accounts.google.com:443
> CONNECT accounts.google.com:443 HTTP/1.1
> Host: accounts.google.com:443
> User-Agent: curl/7.79.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection Established
< FiddlerGateway: Direct
< StartTime: 16:38:22.875
< Connection: close
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Created by http://www.fiddler2.com; O=DO_NOT_TRUST_BC; CN=*.google.com
*  start date: Apr 11 00:00:00 2022 GMT
*  expire date: Mar 18 00:00:00 2023 GMT
*  subjectAltName: host "accounts.google.com" matched cert's "*.google.com"
*  issuer: OU=Created by http://www.fiddler2.com; O=DO_NOT_TRUST_BC; CN=DO_NOT_TRUST_FiddlerRoot
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x141011400)
> GET / HTTP/2
> Host: accounts.google.com
> user-agent: curl/7.79.1
> accept: */*
> 
< HTTP/2 302 
< content-type: text/html; charset=UTF-8
< strict-transport-security: max-age=31536000; includeSubDomains
< x-frame-options: DENY
< content-security-policy: script-src 'nonce-VYoRQAxt6ue7JSa7k4ypgQ' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
< location: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
< content-length: 338
< date: Mon, 18 Apr 2022 22:38:23 GMT
< expires: Mon, 18 Apr 2022 22:38:23 GMT
< cache-control: private, max-age=0
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< server: GSE
< set-cookie: __Host-GAPS=1:d7lQPkd-mj-X5xjZLsdLHUWgaG92oA:9aBwNT8dN9_fk9ZE;Path=/;Expires=Wed, 17-Apr-2024 22:38:23 GMT;Secure;HttpOnly;Priority=HIGH
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< 
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ServiceLogin?passive=1209600&amp;continue=https%3A%2F%2Faccounts.google.com%2F&amp;followup=https%3A%2F%2Faccounts.google.com%2F">here</A>.
</BODY>
</HTML>
* Connection #0 to host 127.0.0.1 left intact

Not sure what else I can do here. What else can I do to debug an application that uses Google Auth? The login process itself is exactly what I'm trying to debug in my application. 

I'm using Chrome Version 100.0.4896.127 (Official Build) (x86_64 translated)

 

 

2 Answers, 1 is accepted

Sort by
0
Nick Iliev
Telerik team
answered on 19 Apr 2022, 05:38 AM

Hello Warrick,

 

You should be able to capture Google Authentication traffic from any browser that uses the system proxy (and thus the Fiddler Everywhere proxy), so you are likely facing any issue related to the specific app that uses the GA. That said, you can check the following:

- Try to switch to the default browser and retry the GA login with another browser.

- If you are using Google Chrome, make sure to update it to the latest version.

- Check if the application that is using the GA login is not listed as Less Secure app and try to turn off that option.

- Try to reset your Fiddler root certificates. In case, you are using a browser that doesn't respect the system keychain, you will need to add the Fiddler root certificate in the browser certificate store.

Additionally, please elaborate more on the following:

1. Is the issue you describe happening entirely within the browser (and if so, which browser is used)?

2. Is the site that utilizes the GA login and which you are trying to debug a public site? If so, please share its URL so that we can test the behavior on our side.

3. Is the same behavior observed if you uncheck the "Ignore server certificate errors (unsafe)" option from the HTTPS settings?

4. Is the same behavior observed if you uncheck the "Enable HTTP/2 support" option from the Connections settings?

Regards,
Nick Iliev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Warrick
Top achievements
Rank 1
Iron
commented on 20 Apr 2022, 12:34 AM

1. Is the issue you describe happening entirely within the browser (and if so, which browser is used)?

Yes

2. Is the site that utilizes the GA login and which you are trying to debug a public site? If so, please share its URL so that we can test the behavior on our side.

Yes, https://oreid.io/ 

3. Is the same behavior observed if you uncheck the "Ignore server certificate errors (unsafe)" option from the HTTPS settings?

I can't get that far now. Things are so painfully slow that I can't get to that point. See videos listed in response to Question 4 below. 

4. Is the same behavior observed if you uncheck the "Enable HTTP/2 support" option from the Connections settings?

https://youtu.be/Ue5UhfIseu4
In the 1st part of the video I show how the site loads without Fiddler Anywhere running. Then at 85 seconds I launch Fiddler anywhere and you see how everything comes to a grinding hault. 
https://youtu.be/Ue5UhfIseu4?t=85

Then in this video, I disable the "Ignore server certificate errors (unsafe)" and "Enable HTTP/2 support"
https://youtu.be/IDqd16BhUCk

 

Lini
Telerik team
commented on 20 Apr 2022, 07:30 AM

Thank you for the provided details! I have a few suggestions that you can try and see if they have an effect:

1) Do not use the "Open Browser" option in Fiddler Everywhere. This Chrome instance is automatically configured as a test browser and when Google services detect that, you will not be able to login to a Google account. Only use a normal browser instance with capturing turned in Fiddler Everywhere.

2) Switch off the "Stream" option for responses in Fiddler Everywhere. It might interfere with the specific response the browser expects during the login process and cause it to fail.

3) Disable HTTP/2 support. In your second video, you disable it, but then use the "Open Browser" option, which will not work for different reasons as I mentioned above.

Finally, if possible, try updating your Chrome version to a newer release. We are testing using the current official build (100.0.x) and the problem you have might be a caused by combination of the Fiddler Everywhere proxy and the insecure (old) browser version.

0
Warrick
Top achievements
Rank 1
Iron
answered on 21 Apr 2022, 03:09 AM

Wow, thank you! that did seem to fix it.

 2 above)  Switch off the "Stream" option for responses in Fiddler Everywhere.  seems to have made a HUGE difference. 

I did also upgrade Chrome at the same time, so that could have helped. 

I'm curious how Google detects that I'm using a test browser when use I the "Open Browser" option?

Tags
Fiddler Everywhere MacOS
Asked by
Warrick
Top achievements
Rank 1
Iron
Answers by
Nick Iliev
Telerik team
Warrick
Top achievements
Rank 1
Iron
Share this question
or