Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Debookee v6 beta is out - Welcome SSL/TLS decryption #2

tomlabaude opened this issue Jul 10, 2017 · 9 comments

Debookee v6 beta is out - Welcome SSL/TLS decryption #2

tomlabaude opened this issue Jul 10, 2017 · 9 comments


Copy link

@tomlabaude tomlabaude commented Jul 10, 2017

Update on 4th Sept 17: v6 is not private anymore but in public beta, checkout and docs

After 7 months of work, I'm pleased to release Debookee 6.0.0 beta, which implements SSL/TLS decryption in less than 4 clic for all your devices.


  • Debookee v6 introduces two new paying modules: SSL & PRO modules
  • NA & WM of previous versions are still valid and haven't changed
  • You can download the beta here in Menu Debookee -> Preferences -> General -> Check Propose beta version updates
  • New combos are available (SSL+PRO, NA+WM+SSL, etc ...). More information here
  • Minimum macOS version is now 10.12
  • Documentation is being implemented:

SSL Module

  • SSL/TLS decryption of your own traffic and all your targets traffic
  • Some applications won't accept fake CA due to Key Pinning. Working on alerting/workaround/bypass.
  • SSL decryption must be enabled manually (3 modes: No SSL decryption / All targets only / Own traffic + All targets)
  • You can test for free in the trial, decrypted results will be obfuscated at some point without SSL licenses
  • As always, if you don't have any result at all, SSL license won't unblock results. A paying license in Debookee just deobfuscate results.
  • To avoid browser warnings, you'll have to install CA cert
    • On your own Mac with the button "Add CA cert to Keychain"
    • On your targets, by browsing when their traffic is intercepted

PRO Module

  • IMAPS / SMTPS / POPS decryption of your own traffic and all your targets traffic
  • Compressed data are not uncompressed yet, so you'll see IMAP commands in clear text, but maybe not email's content depending server's configuration. Soon to come
  • Allows you to create your own Certificate Authority details (Common Name, Organization, etc ...)
  • Allows you to decrypt SSL/TLS on different port than the default (For ex: 8443)


This new version is the results of the integration of mitmproxy and SSLsplit.
Integrating open source projects in a software is not an easy ethical task. We do our best by contacting them, trying to contribute to their projects and respecting their open source licenses.

Thanks to alpha testers for their patience:

Next steps

  • Be indulgent, it's only a beta (although modules are paying)
  • More docs at
  • Fix some bugs you'll find
  • Enhance PRO modules with new AUTHENTICATE methods, DEFLATE data, etc ...

Contact / Bug reporting

Current Status

  • Alpha tests with small group of testers
  • Half-public beta tests with private URL (
  • Public beta tests for users who have beta checked in Debookee's preferences
  • Coming: Stable version for all users
@tomlabaude tomlabaude changed the title Debookee 6.0.0b1 is out - Welcome SSL/TLS decryption Debookee v6 beta is out - Welcome SSL/TLS decryption Jul 10, 2017
Copy link

@richtestani richtestani commented Jul 11, 2017

I finally got a version setup, so far it works well on my own Mac, but my iPhone doesn't seem to work.
I installed the cert from mitm, but I the instructions weren't matching my window. Though the cert is listing and everything is trusted, I got an warning about verifying the server identity.

Is this how it will work?

Copy link

@richtestani richtestani commented Jul 11, 2017

Also apps like Instagram won't load if targeted.

Copy link
Contributor Author

@tomlabaude tomlabaude commented Jul 12, 2017

You may be hitting Key Pinning for some apps, I'm currently writing the docs, but meanwhile, I've added a line in the post above in SSL Module part about it.

For ex, on Mac, Evernote and Slack apps don't accept the fake CA, and there's nothing to do (except patching the apps with fake CA public key hash to validate key pinning)

In Debookee, an enhancement could be to notify the user about Key Pinning for specific URLs. Also the choice for the user to allow the SSL/TLS connection to continue, without being decrypted.

Not sure to understand "The instructions weren't matching my window", we can continue the discussion by email for more details.

To be sure SSL/TLS interception works at its best, on your iPhone, check browsing on a simple website like, it doesn't use Key Pinning, and you must see HTTP headers.

Else, contact us by email and let's troubleshoot that.

Copy link

@chrismccoy chrismccoy commented Jul 22, 2017

wil i have to re purchase the wm and na license i bought for v5?

Copy link
Contributor Author

@tomlabaude tomlabaude commented Jul 22, 2017

No, NA & WM licenses will be valid for all future versions. You paid for some features for lifetime.
I've clarified this in the post above, enjoy!

Copy link

@richtestani richtestani commented Jul 29, 2017

Hi - I had written to contact on your site, but I got no reply. Where can I write to help get my SSL decryption working.

Copy link
Contributor Author

@tomlabaude tomlabaude commented Jul 30, 2017

Richard, I received an email on the 12th of July and replied you on the 14th on your email.
I've just resent you my answer to both and
Please update to 6.0.0b2, as there are new warnings concerning HTTP Key Pinning that can't be decrypted. (cf

Copy link

@xenio xenio commented Aug 1, 2017

Thanks, just bought the SSL license and trying the beta.

Copy link

@marca56 marca56 commented Sep 4, 2017

@tomlabaude just upgraded to the beta and looks good. I have not had the recurring warnings I mentioned in Slack :)

Good job!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants