As promised in my previous post, I will now talk about using Fiddler to monitor network traffic and look at the encrypted data of a REST-based web service protected with SSL.
When I ran the REST-based web service I created in my previous post (from Visual Studio 2010 in debug mode), I immediately found that Fiddler does not monitor the web service. The problem is not with Fiddler but with Internet Explorer and the .NET Framework, as mentioned here (look at the topic: Why don't I see traffic sent to http://localhost or http://127.0.0.1?). The workaround was to use my machine name instead of “localhost” in the URL for the REST web service.
When you run the Fiddler application, here is what it typically looks like:
The Fiddler window is divided into three major portions (apart from the menus and toolbar). The pane on the left lists the web service and web page URLs each time a client application (typically the web browser) accesses one of them. The pane on the top right allows you to monitor the request and the data traffic from the client application to the web server:
The pane on the bottom right allows you to monitor the responses and the data traffic from the web server to the client application:
In order to make sure that my data is indeed getting encrypted with SSL, I should first see what it looks like without SSL. So I run my application without SSL encryption (if you are interested, here is the sample from my previous post *without* the SSL configuration; i.e., just plain HTTP).
When I run this web service with the right URL (requesting an XML-based REST response), my browser looks like this:
Here is a closer look at the URL and browser content:
When I look at Fiddler, the URL pane looks like this:
The request pane looks like this:
And the response pane looks like this:
As you can see, everything is in plain text and the request and response data are readable in Fiddler. Now let us run the web service with SSL enabled. Here is the browser:
The URL looks like this (ignore the certificate error, I will discuss that in a later post):
The URL pane in Fiddler looks like this:
The request pane looks like this:
And the response pane looks like this:
Success!! All I see is gibberish that I cannot make sense of. So SSL successfully encrypted my request and response for the same web service, while the browser (the client application) is still able to do its job and display the response.
Now, you will observe the yellow note at the top of the request pane that says “HTTPS decryption is disabled. Click to configure…”. You can actually configure Fiddler to view your SSL-encrypted data if you like. I will leave it as an exercise for you to learn how to do this. You will find more information about this here.
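The same plain-versus-encrypted comparison can be made on saved capture bytes instead of by eye. The Python below is an added example, not code from this post or from Fiddler: it labels a byte string as plaintext HTTP or as well-formed TLS records by checking the 5-byte record framing only. The function names, the host `mymachine`, the path and both sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
               b"OPTIONS ", b"PATCH ", b"HTTP/1.")
MAX_RECORD = 2 ** 14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_tls_records(data):
    """Return [(type, (major, minor), length), ...] or None if data is not
    a run of complete, well-formed TLS records."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:          # record header is 5 bytes
            return None
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if (ctype not in TLS_TYPES or major != 3 or minor > 4
                or not 0 < length <= MAX_RECORD
                or offset + 5 + length > len(data)):
            return None
        records.append((TLS_TYPES[ctype], (major, minor), length))
        offset += 5 + length
    return records or None


def classify(data):
    """Label captured bytes 'plaintext-http', 'tls' or 'unknown'."""
    first_line = data.split(b"\r\n", 1)[0]
    if data.startswith(HTTP_STARTS) and b"HTTP/1." in first_line:
        return "plaintext-http"
    if parse_tls_records(data):
        return "tls"
    return "unknown"


# Constructed samples: host and path are placeholders, and the TLS record
# bodies are filler bytes (only the record framing is meaningful here).
PLAIN_SAMPLE = b"GET /Service1/data/1 HTTP/1.1\r\nHost: mymachine\r\n\r\n"
TLS_SAMPLE = (b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
              + b"\x17\x03\x01\x00\x20" + bytes(range(32)))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, classify(blob), parse_tls_records(blob))
```

A `tls` result only shows that the bytes are framed as TLS records; it says nothing about the protocol version negotiated, the cipher suite, or whether the certificate was valid.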