We're behind Google. It doesn't look like anything was removed - so we're not marking things as EV that shouldn't be.

See diff https://chromium.googlesource.com/chromium/src/+/93e404c51625c47621a67121d5c73a70251c9a35%5E%21/

Seems like the Certificate info should be shown when a Tunnel is selected?

If it can't be for whatever reason (or on a HTTP site) maybe show an explanatory text label?

Please change this:

https://github.com/vcsjones/FiddlerCert/blob/master/VCSJones.FiddlerCert/CertInspector.cs#L84

...to a saner number (e.g. 10000).

Right now, Fiddler's InspectorComparer implementation attempts to use integer operations (InspectorA.GetOrder() - InspectorB.GetOrder()) to sort the inspectors, and these behave unexpectedly in the face of integer underflow.

https://feedback.telerik.com/fiddler/1384254-response-inspector-sort-order-broken-when-pdfview-inspector-is-installed#

HPKP is on the way out. We should leave the SPKI tab but remove info about pins. Will indirectly solve #13

Display https://crt.sh/?q=[THUMBPRINT]

e.g. https://crt.sh/?q=5BA7B281F76F69F2F6AE59916EBC8AA31700844A

obsoleting this script: https://gist.github.com/ericlaw1979/6dd32babc67233b62a30

This would be another tab on each individual certificate. The purpose of this would be to show an ASN.1 tree of the contents of the certificate.

Maybe have it so that when a certificate is near expiration (e.g. next two months), the Valid From field is orange or otherwise highlighted?

Message boxes are intrusive and annoying when they occur without the user doing any action.

These should be alerts in the extension itself, either with a bar, label, etc.

• Remove MessageBox for "HTTPS Interception is required to work"
• Remove MessageBox for "Your operating system is not supported".

Such as a plain HTTP session.

When I install FiddlerCert in the latest Fiddler Classic (v5.0.20204.45441 for .NET 4.6.1) on a laptop with Windows 10 Pro 20H2 and high DPI display (4K), it messes up scaling and the whole Fiddler GUI becomes unreadable. I normally use scaling 250% (as recommended by the system) and Fiddler with other extensions is OK with this scaling, except with FiddlerCert. The culprit seems to be the VCSJones.FiddlerCert.dll installed in the subdirectory Inspectors.

Drawing when changing sessions seems slow.

1. Drag/drop a cert into Fiddler's Web Sessions list.
2. Select it.
3. Select the Certificates tab.

OBSERVE:
Tab is blank until you click the Content Certificates tab button.

Using the keyboard to zoom the font (Ctrl++). Report of an exception occurring.

Vertical space is precious, and Fiddler has too many nested tabs already.

Today, the last update check is not persistent. That is, it checks once when the application starts up, and every day thereafter (under normal circumstances) so long as the app is running.

If you are frequently starting and stopping Fiddler, this can cause you to hit GitHub's API limit kinda quick, especially if you are on a shared corporate IP.

We should instead keep the last update check in configuration somewhere so the data survives application restarts.

FiddlerCert shows some warning indicators, but does not have good explanations as to what they are.

• The shield - Is used to indicate if there are any certificate errors. It does not display what they are, or indicate why the shield is initially blank (the revocation check happens asynchronously).
• Why Signature Algorithm is yellow / red (SHA1 / MD5 are bad).
• What SPKI Fingerprints are.

Placeholder task for CT branch. Goals:

• If the certificate has an embedded SCT, display it

Maybe make the PKP hash label a LinkLabel that has the behavior, when clicked, of copying the appropriate HTTP Header string (including the name and prefix) to the clipboard? Show a message box indicating that this has been done?

Also maybe have messagebox show info on best practices (e.g. must include on cert not in the chain, and should probably use an intermediate's hash not the EE)?

The current chain builder is doing online revocation checking by default. Unless that is desired, maybe we should set .NoCheck?

            X509Chain oChain = new X509Chain();
            oChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            oChain.Build(oEECert);

Currently FiddlerCert only works if HTTPS traffic decryption is enabled. This should not be a requirement as it should still be able to show the certificate chain in CONNECT tunnels.

@ericlaw1979 Is the SessionFlags.IsBlindTunnel the right way to check if a CONNECT tunnel is for an HTTPS connection that doesn't have traffic decryption? My "Should I show certificate" check looks like this right now:

if (oS.isHTTPS || (oS.BitFlags & SessionFlags.IsDecryptingTunnel) == SessionFlags.IsDecryptingTunnel || (oS.BitFlags & SessionFlags.IsBlindTunnel) == SessionFlags.IsBlindTunnel)
{
     //Do fascinating things
}

Add a button in the tab header that opens a dialog that tells you about your current FiddlerCert installation.

• The current version.
• The latest version, if known (may not be if the user did not enable this).
• A checkbox to enable or disable checking for updates.

Cert Inspector should check for new versions.

• Use the GitHub JSON API to get the latest version: https://api.github.com/repos/vcsjones/FiddlerCert/releases/latest . The name shall be used to identify the version number, and shall always come in the form "vx.x.x.x". It must have prerelease and draft as false.
• Do not send anything about the current version in the request. Strip off the UA, cookies, etc.
• Use a preference setting to disable automatic updates. The default will be "true" and will be changeable via the Quick Exec bar. If false, none of the below applies.
• Check every 24 hours for a new version, and on start up.
• When a new version is available, show an action bar at the top of the certificates tab. No modals.
• The actions on the bar are "Download", "Close", and "Don't show me again". "Download" will open the browser to the html_url in the JSON response.
• The bar will remain persistent until either an action is taken. In the case of "Download" or "Close", Fiddler Cert will no longer show update notifications for that version. "Don't show again" turns off update checking altogether.
• Keep a persistent value of the latest version ever run. If a new version is installed, this value should be incremented. If the current version is less than the latest version, assume that this is an intentional downgrade.