Fiddler Ideas

The free web debugging proxy for any browser, system or platform.

Certificate Generator broken in Win10

Clean install of Telerik Fiddler Web Debugger (v4.6.2.29442). Enabled HTTPS decryption.

HTTPS traffic is not decrypted. Log shows unicode garbage for the certificate generator.

12:42:22:8044 Assembly 'C:\Program Files (x86)\Fiddler2\CertMaker.dll' was not found. Using default Certificate Generator.
12:42:22:8044 /Fiddler.CertMaker> Using [].[][]‰+[][]˜ for certificate generation; UseWildcards=True.
12:42:25:2068 DefaultCertMaker: GetRootCertificate() did not find the root in the Windows TrustStore.
12:42:25:2068 /Fiddler.CertMaker> Caller was in ApartmentState: STA; hopping to Threadpool

  • Eric Lawrence
  • Jul 10 2016
Bug
  • Attach files
  • Eric Lawrence commented
    July 10, 2016 18:13

    Unicode garbage comes from the use of the SmartAssembly obfuscator, which will also break anybody relying upon reflection in their extensions.

    Restarting Fiddler appears to have resolved the inability to decrypt.

  • Tsviatko Yovtchev commented
    July 11, 2016 17:07

    If you find a way to reproduce the decryption failure, please, let us know immediately. That definitely should not happen.

    As for the obfuscation breaking reflection that is a somewhat desired outcome. Public API is our contract with the extension developers. If something is not public it should not be used as we have no real commitment not to introduce breaking changes on it. If an extension developer needs access to functionality that is currently private they could ask for it and we wouldl create the relevant public API.

  • Eric Lawrence commented
    July 11, 2016 18:13

    Beyond breaking APIs, obfuscation complicates troubleshooting and introduces other issues around the product. For instance, if you must use obfuscation, you should remove the code that shows exceptions to the user as they no longer have any hope of doing anything useful with it.

    I'm very disappointed about this change.

  • Tsviatko Yovtchev commented
    July 12, 2016 12:20

    Well the users can't really do much in terms of fixing exceptions themselves anyways. We can still map the obfuscated stack trace to actual code, though. So, it still makes sense that the user sees the exception stack trace and is able to send it to us.

    Other than that obfuscation does not and should not break any API. Only private classes and members have been obfuscated and these shouldn't really be available for public use as mentioned above.