Understanding HTTPS, Certificate Trust Chains, and Fiddler Decryption Techniques
This article explains the HTTPS handshake, the role of CA and root certificates, how trust chains work, and provides a step‑by‑step guide to using Fiddler for HTTPS decryption on Android, including OpenSSL commands for extracting public keys.
HTTPS uses an initial asymmetric key exchange (e.g., RSA) to negotiate a symmetric session key, after which all communication is encrypted symmetrically.
A Certificate Authority (CA) is a trusted third party that issues digital certificates; a CA certificate is the credential proving the CA’s authority.
Certificates form trust relationships: one certificate can vouch for another, creating a trust chain that ultimately ends at a root certificate, which is self‑signed and anchors the chain.
Root certificates are critical because if they become untrusted, every certificate that depends on them is compromised.
Certificates are used to verify website authenticity (HTTPS) and to ensure files have not been tampered with.
Fiddler can intercept HTTPS traffic by installing its root certificate on the client, allowing it to act as a man‑in‑the‑middle and decrypt the traffic.
Fiddler’s HTTPS decryption process involves:
1. Capturing the client’s HTTPS request and masquerading as the client toward the server.
2. Receiving the server’s certificate, verifying its signature with the root certificate’s public key, and forging a fake CA certificate to present to the client.
3. Proceeding with the normal handshake using the forged certificate to obtain the pre‑master secret and derive the symmetric key.
4. Intercepting encrypted data, decrypting it with the forged certificate’s private key, re‑encrypting the symmetric key with the server’s public key, and forwarding it.
5. Completing the handshake so both client and server trust the established session.
The key to successful HTTPS capture with Fiddler is trusting the installed root certificate on the device.
For Android, install the FiddlerRoot.cer certificate via Settings → Security → Install certificate, then configure Fiddler’s proxy.
To extract a public key from a certificate and print the Base64‑encoded SHA‑256 digest of that key, use OpenSSL:
openssl x509 -in cert.cer -pubkey -noout -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Finally, note the difference between asymmetric encryption (encrypt with receiver’s public key, decrypt with receiver’s private key) and digital signatures (sign with sender’s private key, verify with sender’s public key).
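The trust decision and the OpenSSL pipeline above, worked through as an added example (not from the original article): the script builds two constructed roots, issues a certificate for the same host under each, and shows that the proxy-signed certificate verifies only when the proxy root is trusted and that its public-key hash differs from the genuine one. The names `public-root`, `proxy-root`, `example.test` and all helper functions are assumptions made for illustration; OpenSSL 1.1.1 or later is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: every CA, key and certificate here is constructed in a temp dir.
WORK=$(mktemp -d)

# make_root NAME: self-signed root certificate, the anchor of a trust chain.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf ROOT NAME: certificate for example.test (hypothetical host) signed by ROOT.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok ROOT LEAF: succeeds only if LEAF verifies against the trusted ROOT.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# spki_pin FILE: the article's pipeline, without -inform der because these files are PEM.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary | openssl enc -base64
}

make_root public-root; issue_leaf public-root site    # genuine server chain
make_root proxy-root;  issue_leaf proxy-root forged   # interception proxy's chain

SITE_PIN=$(spki_pin "$WORK/site.crt")
FORGED_PIN=$(spki_pin "$WORK/forged.crt")

chain_ok public-root site   && echo "site cert: trusted via public-root"
chain_ok public-root forged || echo "forged cert: rejected while only public-root is trusted"
chain_ok proxy-root forged  && echo "forged cert: accepted once proxy-root is trusted"
echo "site pin:   $SITE_PIN"
echo "forged pin: $FORGED_PIN"
[ "$SITE_PIN" != "$FORGED_PIN" ] && echo "pin mismatch reveals the substituted key"
```

A client that compares the presented certificate against `SITE_PIN` rejects the forged certificate even after `proxy-root` has been installed, because the hash covers the public key rather than the issuer.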
360 Quality & Efficiency
360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.