I have just discovered that Fiddler can decrypt HTTPS traffic.
For instance, I deployed a website on localhost using HTTPS. When inspecting the data packets in Fiddler, I was able to view all the information since it has an option to decrypt it.
My question is, why make use of HTTPS when Fiddler can easily decrypt it?
Fiddler performs a MITM technique. To make it work, you need to trust its certificate:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
If you don't, it won't decrypt anything...
In order to decrypt HTTPS traffic you must first install Fiddler's root certificate into your "trusted/root certificates" list. Fiddler's root certificate is NOT a root certificate which by default comes with your operating system. The OS will usually warn you when you're trying to install this.
In doing so, you explicitly begin to trust any certificate signed by Fiddler's root certificate. When you now make an HTTPS request, Fiddler will perform a man-in-the-middle attack on you.
Suppose you make a request in the form https://google.com. Fiddler will now act as the actual Google server and will create a dummy certificate for Google.com and sign it using Fiddler's root certificate. You will receive this dummy certificate which has been signed by Fiddler. This certificate will pass your device's validation since Fiddler's root certificate is now in your trusted certificates. Now, your device will start communicating with Fiddler through a secure HTTPS connection. Fiddler will relay your messages to Google.com and back to you. Of course Fiddler will be able to decrypt them.
Note that the traffic from Fiddler to Google will occur through a second secure HTTPS channel.
Therefore, there is no need to worry about the security provided by HTTPS.