You finally did it.
You installed Burp Suite.
Configured the proxy.
Opened your browser.
Visited Google.
And then...
Instead of seeing Google, you saw this:
Your connection is not private
Or:
NET::ERR_CERT_AUTHORITY_INVALID
Or:
Certificate Error
At this point, most beginners think:
"I configured something wrong."
Or even worse:
"Burp Suite is broken."
The truth is much more interesting.
Burp isn't broken.
HTTPS is protecting you.
And understanding why this happens is one of the most important lessons in web security.
The Problem Burp Creates
Let's first remember what Burp does.
Normally:
Browser
↓
Website
Your browser talks directly to the website.
But when Burp is introduced:
Browser
↓
Burp Suite
↓
Website
Burp sits in the middle.
This creates a problem.
A very important problem.
HTTPS Was Designed to Prevent This
Imagine you're sending a confidential letter.
You place it inside a locked box.
Only the recipient has the key.
Even if someone intercepts the box, they cannot read the contents.
That's essentially what HTTPS does.
HTTPS encrypts communication between:
Browser
↔
Server
So that nobody in the middle can read it.
Not:
- Attackers
- WiFi operators
- ISPs
- Network administrators
Nobody.
Only the browser and server should understand the contents.
What Happens When Burp Appears?
Now let's introduce Burp.
Browser
↓
Burp
↓
Website
Burp needs to see the encrypted traffic.
But HTTPS says:
"Nobody in the middle should be able to read this."
So who wins?
HTTPS.
At least initially.
Why Browsers Start Complaining
Let's say you visit:
https://google.com
Your browser expects:
Google Certificate
Because it's talking to Google.
But Burp intercepts the traffic.
Now the browser sees:
Burp Certificate
Instead of:
Google Certificate
The browser immediately becomes suspicious.
It thinks:
"Wait a second..."
"I wanted Google's certificate."
"Who is this Burp guy?"
And it displays:
Your connection is not private
Which is exactly what a secure browser should do.
The Hotel Reception Analogy
Imagine calling a hotel.
You expect to speak directly with reception.
You
↓
Hotel Reception
Instead:
You
↓
Random Stranger
↓
Hotel Reception
A stranger answers first.
Even if that stranger claims:
"Trust me, I'll relay your messages."
You would be suspicious.
That's exactly how the browser feels about Burp.
Why Burp Needs Its Own Certificate
Burp must convince the browser that it's trustworthy.
To do that, Burp creates its own Certificate Authority (CA).
Think of it as:
Burp CA
Once your browser trusts the Burp CA:
Browser
↔
Burp
becomes trusted.
And:
Burp
↔
Website
remains encrypted as well.
Burp can now safely inspect traffic.
What Is a Certificate?
A certificate is like an identity card.
When you visit:
https://example.com
The website presents a certificate.
The browser checks:
Is this certificate valid?
If yes:
Connection Trusted
If no:
Warning Message
Certificates help prevent impersonation attacks.
Without certificates, attackers could pretend to be any website.
How Burp Handles HTTPS
Burp performs something called:
SSL/TLS Interception
Don't worry about the fancy term.
Here's what actually happens.
Step 1
Browser requests:
https://google.com
Step 2
Burp intercepts the request.
Step 3
Burp generates a certificate for:
google.com
on the fly.
Step 4
Browser checks:
Do I trust Burp?
If not:
Certificate Error
If yes:
Connection Successful
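Here are those four steps as a small added example, not code from the original chapter or from Burp itself.
It assumes the openssl command-line tool is installed and uses a throwaway CA named "Example Interception CA" in place of Burp's CA: the CA issues a certificate for google.com on the fly, and the browser's check is then run with the CA trusted, with it untrusted, and with a certificate for the wrong hostname.

```shell
#!/bin/sh
# Added, constructed example (not Burp's code): a Burp-style interception CA
# that issues a certificate for any requested hostname on the fly, followed by
# the browser's trust check with and without that CA installed.
# Assumes the openssl command-line tool (1.1.1 or newer) is on PATH.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create the interception CA once (Burp does this when it is first installed).
make_ca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Example Interception CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -out "$WORK/ca.pem" \
    -days 1 -extfile "$WORK/ca.ext" >/dev/null 2>&1
}

# Step 3: issue a leaf certificate for the hostname the browser asked for.
issue_leaf() {
  host="$1"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$host.pem" -days 1 -extfile "$WORK/$host.ext" >/dev/null 2>&1
}

# Step 4: the browser's check. Exit status 0 = Connection Successful,
# non-zero = Certificate Error.
#   $1 = hostname the browser wanted, $2 = hostname on the presented cert,
#   $3 = "trusted" (Burp CA imported) or "untrusted" (system roots only)
browser_check() {
  if [ "$3" = trusted ]; then
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$1" "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

make_ca
issue_leaf google.com
browser_check google.com google.com trusted   && echo "Burp CA trusted:   Connection Successful"
browser_check google.com google.com untrusted || echo "Burp CA untrusted: Certificate Error"
browser_check portswigger.net google.com trusted || echo "Wrong hostname:    Certificate Error"
```

The untrusted run is the same check your browser performs before the Burp certificate is imported, which is why it ends in a Certificate Error.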
Installing the Burp Certificate
Now let's fix the problem.
Method 1: Using Burp Browser (Recommended)
Launch:
Proxy
↓
Open Browser
or:
Open Burp Browser
depending on your version.
Modern Burp Browser usually installs and trusts the certificate automatically.
In many cases:
No manual steps required.
This is one reason beginners should start with Burp Browser.
Installing the Certificate Manually
If you're using Chrome, Firefox, or another browser:
Follow these steps.
Step 1
Open Burp Suite.
Step 2
Open Burp Browser.
Navigate to:
http://burp
or:
http://burpsuite
Depending on the version.
You should see Burp's certificate page.
Step 3
Download:
CA Certificate
A file similar to:
cacert.der
will be downloaded.
Step 4
Import the certificate into your browser.
Firefox Installation
Firefox manages certificates separately.
Navigate:
Settings
↓
Privacy & Security
↓
Certificates
↓
View Certificates
↓
Authorities
↓
Import
Select:
cacert.der
Enable:
Trust this CA to identify websites
Save.
Chrome Installation
Chrome uses your operating system's certificate store.
Windows:
Manage User Certificates
↓
Trusted Root Certification Authorities
↓
Import
Select:
cacert.der
Finish installation.
Restart Chrome.
How To Verify Everything Works
After certificate installation:
Visit:
https://google.com
or:
https://portswigger.net
If pages load normally:
✓ Proxy works
✓ Certificate works
✓ HTTPS interception works
You're ready.
How To Confirm Burp Is Seeing Traffic
Inside Burp:
Navigate:
Proxy
↓
HTTP History
You should see:
GET https://google.com
or other requests.
This confirms Burp is successfully decrypting and inspecting HTTPS traffic.
Common Beginner Mistakes
Installing Proxy But Not Certificate
Result:
Certificate Error
Most common issue.
Importing Into Wrong Certificate Store
The certificate must be trusted by the browser being used.
Forgetting To Restart Browser
Some browsers require restart after certificate installation.
Thinking HTTPS Is Broken
HTTPS is working perfectly.
The browser is protecting you from an untrusted intermediary.
That's exactly what it's supposed to do.
What Security Researchers Learn Here
This chapter teaches something much bigger than Burp.
It teaches how HTTPS trust actually works.
Most internet users never think about certificates.
Security professionals think about them constantly.
Because every secure website depends on them.
Key Takeaways
✓ HTTPS encrypts communication between browsers and websites
✓ Burp sits in the middle of that communication
✓ Browsers do not automatically trust Burp
✓ Burp uses its own Certificate Authority
✓ Installing the Burp certificate creates trust
✓ Once trusted, Burp can inspect HTTPS traffic
✓ Certificate errors are usually a sign that security is working correctly
✓ Understanding certificates is a foundational web security skill
What's Next?
Now that Burp can successfully inspect encrypted traffic, it's time to start capturing real requests.
In the next chapter, we'll enable interception, capture our first request, and learn how to pause web traffic before it reaches the server.