Fiddler and Channel Binding Tokens Revisited

Just under a year ago, I wrote a blog post about how the new “Extended Protection” feature (also known as Channel Binding Tokens or CBT) prevented seamless decryption of certain authenticated HTTPS traffic when Fiddler is running. The quick recap is that CBT binds a set of NTLM or Kerberos authentication credentials to the “channel”…


Fiddler and Silverlight Cross-Domain Requests

I’ve recently heard from a number of Silverlight developers who report that certain cross-domain web service requests from their applications work properly with Fiddler running, but fail when Fiddler is not active. Using lower-level tools like NetMon or by watching server logs, the developers note that their applications aren’t even issuing requests for the cross-domain…


Fiddler and Channel-Binding-Tokens

Note: Please see this post for an update. Some users of Fiddler who have HTTPS Decryption enabled have found that some of their internal HTTPS sites that used to work properly with Fiddler now endlessly prompt for credentials while Fiddler is running. Even typing the correct credentials into the authentication prompt won’t fix the problem….


Automatic Authentication with the Request Builder

The Request Builder feature in recent versions of Fiddler includes a number of enhancements, including the ability to follow HTTP redirections, and to automatically authenticate (using the current user’s credentials) to servers that demand authentication using the NTLM or Negotiate (NTLM/Negotiate) challenge-response protocols. Following redirections is simple enough, but properly constructing a response to a…


No, Fiddler is not evil

Recently, a number of people have emailed me and indicated that their security software raised warnings or blocked their download of Fiddler from the official Fiddler website. Now, I’ve reached out to vendors to help them correct their false-positives, but there are many vendors of “security” software, and only one of me. As an end-user,…
