Unplanned
Last Updated: 20 Oct 2020 11:34 by ADMIN
Carsten
Created on: 08 Jun 2020 05:45
Type: Bug Report
1
Fiddler thinks "gateway.icloud.com" certificate is invalid

I'm unable to connect to "gateway.icloud.com" when Fiddler is open and decrypting HTTPS traffic.

This is Fiddler Everywhere 0.10.0 on macOS 10.15.5.

To reproduce:

Open Fiddler and make sure it's decrypting HTTPS traffic.

Open any browser and go to https://gateway.icloud.com/

Expected result: Page loads (it's blank. This is normal.)

What actually happens: fiddler.network.https> HTTPS handshake to gateway.icloud.com (for #820) failed. System.Security.Authentication.AuthenticationException The remote certificate is invalid according to the validation procedure.

 

Same thing happens on https://configuration.apple.com/

6 comments
ADMIN
Nick Iliev
Posted on: 20 Oct 2020 11:34

Hi Carsten,

 

 

After some additional investigation, it looks like that Apple recently introduced an additional security layers for all servers under the icloud.com domain. The full statement from Apple can be found here.

The crucial part is at the very beginning:

Apple is deeply committed to protecting our customers’ privacy and security. We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning. To verify that they are connected to the authentic iCloud website, users can check the contents of the digital certificate as shown below for Safari, Chrome, and Firefox—each of which provides both certificate information and warnings.

So that said, when Fiddler Everywhere is on, the Fiddler root trust certificate is used to establish a secure connection. Apple won't allow this certificate to connect to the server and instead of a blank page or normal content, you are receiving the expected connection refused. Actually, if you make the request through Safari the following descriptive error is logged:

Safari can't open the page "https://gateway.icloud.com" because Safari can't establish a secure connection to the server "gateway.icloud.com".

 

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Carsten
Posted on: 15 Oct 2020 20:09

Is there an update? The issue still happens with Fiddler Everywhere version 1.1.1.

ADMIN
Nick Iliev
Posted on: 16 Jun 2020 10:55

Hi Carsten Jonas,

 

Thanks for the provided details on this issue. On WIndows the gateway.icloud.com returns 400 (on my side and on several other test Windows PCs) which is expected and happens with or without Fiddler. It seems that the issue appears only on Mac OS. Marked this one as a bug and the team will investigate it further.

 

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Carsten
Posted on: 13 Jun 2020 16:49

I figured out how to bypass certificate pinning on macOS, but the issue still occurs. This is definitely a Fiddler bug.

As a suggestion, I would recommend that Fiddler give a more detailed error.

The issue is not the browser rejecting Fiddler's certificate - the issue is that Fiddler is rejecting the server's *real* certificate.

Carsten
Posted on: 12 Jun 2020 00:50

Actually, this seems to be a Fiddler issue. The error is occurring in Fiddler itself - not originating from the browser. The error seems to suggest that Fiddler itself isn't able to verify the server's real certificate.

This still happens even if the browser I'm using is Firefox - which does not use the system certificate validation library.

In addition, many other iCloud servers (e.g. https://p35-mailws.icloud.com/) work just fine with Fiddler open. I don't have access to a Windows PC. Could someone with a Windows PC kindly test if https://gateway.icloud.com/ opens with Fiddler (Everywhere, not the old Windows version) decrypting HTTPS traffic?

 

In the meantime, it would be good if Fiddler had an option to ignore certificate errors on a one-time basis.

ADMIN
Nick Iliev
Posted on: 11 Jun 2020 10:19

Hello Carsten Jonas,

 

The thing is that most likely, iCloud by Apple is using certificate pinning (a check for a specific hardcoded certificate), and this is causing the issue with validating procedure. See a more detailed explanation about the issue related to Fiddler and certificate pinning here. There is no out-of-the-box solution, apart from having the actual private keys so that said there is currently not an option to support decrypting traffic coming from a certificate pinning.

 

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.