
v2.4.18: Proxyless capture, certificate inspection, and zstd support

Fluxzy Desktop 2.4.18 is a big release. The headline is proxyless capture, a new way to intercept everything your machine sends without configuring a proxy or touching a single setting in your apps. Around it sits a wave of improvements to certificate inspection, content decoding, and everyday ergonomics. Here is what is new.

New features

Proxyless capture (Preview)

Until now, capturing traffic in Fluxzy meant pointing an application, a browser, or your whole system at the Fluxzy proxy, then trusting that each app honored those proxy settings. Many do not. Proxyless capture, also referred to as transparent capture, removes that step entirely. When enabled, Fluxzy intercepts every outgoing TCP connection on your machine, including connections from applications that ignore the system proxy, with no proxy setup and no per-app configuration at all. It works on Windows, macOS, and Linux.

Under the hood, Fluxzy creates a virtual network interface and temporarily redirects your system's default route through it. Outgoing connections are read at the packet level and handed to the same interception and decryption pipeline that powers the rest of Fluxzy, so HTTPS traffic is decrypted exactly as it would be for a configured proxy. Fluxzy also reads the TLS server name from each connection, so captured entries are labeled by hostname instead of a bare IP address.
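Labeling a connection by hostname, as described above, comes down to parsing the server_name (SNI) extension out of the client's first TLS handshake record. The following is an added example, not Fluxzy's own code: `build_client_hello` and `extract_sni` are hypothetical names, and the ClientHello bytes are a constructed sample.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal ClientHello record whose only extension is SNI."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry               # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0
    body = (b"\x03\x03" + bytes(32)                           # client_version, random
            + b"\x00"                                         # empty session_id
            + b"\x00\x02\x13\x01"                             # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22

def extract_sni(data: bytes):
    """Return the SNI host name in a ClientHello record, or None if absent or malformed."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated")          # never read past the captured bytes
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    try:
        if take(1) != b"\x16":                     # not a TLS handshake record
            return None
        take(4)                                    # record version and length
        if take(1) != b"\x01":                     # not a ClientHello
            return None
        take(3 + 2 + 32)                           # handshake length, version, random
        take(take(1)[0])                           # session_id
        take(int.from_bytes(take(2), "big"))       # cipher_suites
        take(take(1)[0])                           # compression_methods
        ext_total = int.from_bytes(take(2), "big") # total length of all extensions
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", take(4))
            ext_body = take(ext_len)
            if ext_type == 0:                      # server_name extension
                if len(ext_body) < 5 or ext_body[2] != 0:
                    return None
                n = int.from_bytes(ext_body[3:5], "big")
                name = ext_body[5:5 + n]
                return name.decode("ascii") if len(name) == n else None
    except (ValueError, UnicodeDecodeError):
        return None
    return None
```

A ClientHello split across several TCP segments has to be reassembled before parsing, and the value is whatever the client sent, so it labels a connection without authenticating the server.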

The mechanism is native to each platform: a WinTun adapter on Windows, a utun device on macOS, and a TUN interface on Linux. In every case the change is temporary. Your original routing is restored automatically the moment you stop the capture or close the app.

Because rerouting system traffic is a privileged operation, Fluxzy uses a small helper that asks for elevation once when you start a capture: a UAC prompt on Windows, your password on macOS, and a standard authorization prompt on Linux. The application itself keeps running unprivileged. A short dialog explains exactly what will change before anything happens, and you can dismiss it for next time.

Two options give you control over scope. You can choose whether to capture IPv6 traffic, and you can define a bypass list of IP addresses or CIDR ranges that should flow directly, untouched by Fluxzy. That split-tunnel bypass is handy for destinations you never want to intercept, such as internal services or update endpoints.

Certificate capture and inspection

Fluxzy can now keep and inspect the actual TLS certificates presented by the servers you talk to. Turn on certificate export in settings, and the certificate chain seen during interception is stored alongside each exchange and surfaced in the Connection tab. From there you can view a certificate or download it as a .pem or .cer file. This is useful for auditing what a remote server really serves, debugging chain or expiry problems, and archiving a certificate for later comparison.

The certificate viewer itself was rewritten. Instead of a wall of base64, it now shows decoded, human-readable details: subject and issuer, validity dates, serial number, SHA-1 and SHA-256 thumbprints, subject alternative names, public key algorithm and size, and signature algorithm. A clear badge tells you at a glance whether the certificate is valid, expiring soon, expired, or not yet valid. The raw base64 is still one click away when you need it.

zstd compression support

Zstandard (zstd) is showing up in more and more HTTP responses as sites and CDNs adopt it. Fluxzy now decodes zstd-encoded bodies automatically, the same way it already handles gzip and brotli. That means readable content in the body viewer, working full-text search, and correct exports, with no manual step. Previously these responses stayed compressed and unreadable.

Release notes popup

Fluxzy can now tell you what changed without a trip to the website. A new icon in the toolbar lights up after an update when release notes are available for your version. Click it to read a short "What's new" summary right in the app. Once you have seen it, the icon goes quiet until the next update, so it never gets in the way.

Export from the context menu

Exporting an exchange is now a right-click away. The context menu on any exchange has a new Export entry that opens a single dialog gathering everything in one place: cURL commands (bash or cmd, with optional proxy settings and a Postman-friendly variant), file exports (.http REST-client files, HAR, and SAZ archives), and raw or decoded request and response bodies. Copy buttons confirm with a quick "Copied" message, and Fluxzy warns you when a binary payload needs to be saved next to a generated command.

Improvements

  • Default CA warning: The startup wizard now nudges you toward generating your own root certificate instead of relying on Fluxzy's shared built-in one. A machine-unique root keeps your setup self-contained and is the recommended way to run Fluxzy. One click generates and trusts it, or you can skip and decide later. Once a generated root is in use, global settings now label it clearly so it no longer looks like an arbitrary imported file.
  • Save dialog intelligence: The native Save dialog now picks its file-type filter from the suggested file name. Saving body.json offers a JSON filter, image.png offers PNG, and so on, instead of always defaulting to Fluxzy's .fxzy archive type.
  • Exchange table responsiveness: The exchange list now re-measures itself whenever you resize a pane, switch between horizontal and vertical layouts, or drag a splitter. No more blank space below the last row, and no more rows spilling past the edge of their pane.

Fixes

Clearer transport errors (528)

When Fluxzy cannot complete a request because of a network, DNS, or TLS problem on the way to the server, it returns a synthetic 528 response so the failure stays visible in the exchange list rather than disappearing. In 2.4.18 those failures are far easier to read. Every 528 now carries a stable, machine-readable error category, and the desktop renders it as a labeled badge with a plain-language description and the underlying exception detail.

The categories group failures into clear buckets that mean the same thing on every operating system and with any TLS engine:

  • Connection: connection refused, connection reset, timeout, host unreachable
  • DNS: name not found, no data, temporary resolution failure
  • TLS and certificate: expired certificate, hostname mismatch, untrusted or invalid certificate, handshake failure
  • Other: protocol errors and rule failures

Instead of an opaque message whose wording changes from platform to platform, you get a consistent category that tells you immediately whether the problem is the network, name resolution, or the TLS layer. The category is also saved inside .fxzy and HAR archives, so it survives export and is there when you reopen the capture later.

  • Certificate trust verification: Fluxzy now checks whether its root certificate is genuinely trusted by your operating system, not just present in a personal store. On Linux in particular, the trust indicator and the certificate wizard now reflect real system-wide trust, so a certificate that browsers and curl would actually reject is no longer reported as trusted.
  • Ctrl+S on unsaved captures: Pressing Ctrl+S on a brand-new capture that was never written to disk used to fail silently. It now falls back to Save As, so the shortcut just works whether or not the capture already has a file.
  • Stuck modifier keys: Ctrl, Shift, and Alt no longer get stuck in a pressed state when the window loses focus, a problem that was common on macOS when switching apps or opening a native dialog. A later plain click on a filter is no longer misread as a modified click.

Fluxzy.Core

This release bundles Fluxzy.Core 1.37.2, with a few engine-level changes worth calling out:

  • Elliptic curve (ECDSA) root certificates: Root certificates can now be elliptic curve based in addition to RSA. EC roots are smaller and quicker to work with, and Fluxzy forges matching leaf certificates during interception. EC root generation is available through the Fluxzy CLI and library, and the desktop can use an EC root you provide.
  • Cipher and hash on the Bouncy Castle path: When the Bouncy Castle TLS provider handles a connection, the negotiated cipher suite and hash now appear in the Connection tab. These fields were previously blank for those connections.
  • Shorter forged certificate lifetime: The per-site leaf certificates Fluxzy generates on the fly to decrypt HTTPS are now capped at 200 days, in line with the latest CA/Browser Forum rules and what current browsers accept. This affects only the short-lived certificates Fluxzy forges for interception. Your own root certificate's validity is unchanged.

Fluxzy Desktop 2.4.18 is available now for Windows, macOS, and Linux. Download it here.

Found a bug or have a feature request? Open an issue on GitHub.
