How can we improve the Windows dev platform?

Self Signed Certification SSL HTTPS

For those of us wanting to provide free applications it would be nice if WP7 supported self-signed certs or, at the very least, a widely known free SSL authority.

Add ServicePointManager.

Or at the very least add a free service to your accepted list of SSL authorities. Like cacert.org for instance.

185 votes


    Templarian shared this idea
    Jani Lirkki shared a merged idea: Support SSL certificate pinning

    32 comments

      • Templarian commented

        Yay! SSL certs are free nowadays so this isn't really as useful anymore, but still nice to have.

      • ravi commented

        Hi All,

        By using WebView I am not able to continue to a self-signed website; at the very least there should be some possibility to show a confirmation to the user to continue. It's possible in iOS and Android, so please provide some libraries or something to do it. Really, I am feeling bad about this.

      • Anonymous commented

        socket.Information.ServerCertificate only available for "Windows Phone 8.1 [Windows Runtime apps only]", not available for "Windows Phone 8" or "Windows Phone 8.1 Silverlight App".

      • Nandajit commented

        In Socket.Information.ServerCertificate, the ServerCertificate property is available for WP8, not for WP8.1.

      • Sidharth Nabar commented

        Hi Matt,

        In addition to the Mobile Device Management feature I mentioned below, there is another way to add a trusted CA to the trusted root CA list on the phone - please see this blog post: http://blogs.msdn.com/b/wsdevsol/archive/2014/06/05/including-self-signed-certificates-with-your-windows-runtime-based-windows-phone-8-1-apps.aspx

        Once you add the enterprise CA to the trusted root CA list, your HTTPS requests should "just work" - you should not need to ignore any server errors or do the validation yourself.

        Thanks,
        Sidharth
        [Windows Networking API team]
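
The blog post linked above describes shipping the enterprise (or self-signed) CA inside the app package so the phone's trust list covers it. As an added illustration, not taken from that post or from any Microsoft sample, this is the shape of the Package.appxmanifest declaration that the Visual Studio "Certificates" declaration generates; the file name contoso-root.cer and the element placement inside <Application> are assumptions here, and the element names follow the Windows 8.1 manifest schema as I recall it, so check them against the generated manifest rather than copying this verbatim.

```xml
<!-- Added example, not from the original page. Lives inside <Application> ... </Application>
     in Package.appxmanifest. The .cer file (DER-encoded) must be included in the project
     with Build Action = Content so it is packaged alongside the app. -->
<Extensions>
  <Extension Category="windows.certificates">
    <Certificates>
      <!-- "Root" installs the CA into the app's trusted root list; "CA" would be used
           for an intermediate. The content path is relative to the package root. -->
      <Certificate StoreName="Root" Content="Assets\contoso-root.cer" />
    </Certificates>
  </Extension>
</Extensions>
```

With the CA declared this way the ordinary Windows.Web.Http.HttpClient chain check succeeds without adding anything to IgnorableServerCertificateErrors, which is the point Sidharth makes: no server errors need to be ignored and no hand-rolled validation is required. The certificate installed by the manifest is scoped to the app, not the whole phone, so it does not address the "untidy the user's phone" concern raised elsewhere in this thread either way.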

      • Sidharth Nabar commented

        Hi Matt,

        I am not suggesting that your app allow untrusted CAs - let me try to explain my recommendation part by part:

        1. The OS has a list of root CAs that it trusts by default. In general, for self-signed cert scenarios, the enterprise CA will not be in this list. The recommended route to enable the self-signed cert scenario is for the enterprise to use the Mobile Device Management feature of Windows Phone and add the enterprise CA to the trusted CA list on the phone (See http://www.microsoft.com/en-us/download/details.aspx?id=42508)

        2. Now, let’s assume the enterprise did not want to go this route. You now need to do two things in your app: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself. Of course, if you only do a) and not b), your app will be insecure.

        3. The call to "filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted)" lets you perform 2. a) . To do 2. b), you can access the server SSL certificate using “Certificate serverCert = request.TransportInformation.ServerCertificate”. You then need to perform the validation of this certificate against the enterprise CA inside your own app. APIs for this are available under Windows.Security.Cryptography.Certificates (http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx)

        Note: Since the server certificate is available only AFTER the request has been sent to the server, you need to ensure that the initial request does not contain any sensitive information.

        Hope this helps to clarify my recommendation. In summary:
        1. Try to get the enterprise to add their CA as a trusted CA using mobile device management.
        2. If not, then use available Windows APIs to: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself.

        Thanks again for your interest in Windows Phone app development.

        Sidharth
        [Windows Networking API Team]
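
Steps 2a and 2b above, carried through in code. This is an added example written for this page, not the Windows Networking team's code: it uses the Windows.Web.Http and Windows.Security.Cryptography.Certificates APIs Sidharth names, but the class name EnterpriseTls, the asset path Assets/contoso-root.cer, and the harmless probe path /health are assumptions. The trust decision is made with ChainBuildingParameters.ExclusiveTrustRoots, so the phone's default root list is not consulted at all; if the server presents a bare self-signed certificate rather than one issued by an enterprise CA, that certificate itself is the root to load.

```csharp
// Added example, not code from the original page. Assumes the enterprise root CA
// certificate ships with the app as the DER file "Assets/contoso-root.cer" (assumed
// path) and that "/health" (assumed) is a path whose request carries nothing sensitive.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage;
using Windows.Storage.Streams;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

public static class EnterpriseTls
{
    // The one root we are willing to trust, instead of the phone's default list.
    static async Task<Certificate> LoadTrustRootAsync()
    {
        StorageFile file = await StorageFile.GetFileFromApplicationUriAsync(
            new Uri("ms-appx:///Assets/contoso-root.cer"));   // assumed asset path
        IBuffer der = await FileIO.ReadBufferAsync(file);
        return new Certificate(der);
    }

    // Step 2a: let the handshake complete even though the OS does not trust the issuer.
    // Only "Untrusted" is ignored; expired certs, name mismatches etc. still fail the send.
    static HttpClient MakeClient()
    {
        var filter = new HttpBaseProtocolFilter();
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        return new HttpClient(filter);
    }

    // Step 2b: rebuild and validate the chain ourselves, against the enterprise root only.
    static async Task<ChainValidationResult> ValidateAsync(
        HttpTransportInformation transport, Certificate root)
    {
        if (transport.ServerCertificate == null)
            return ChainValidationResult.OtherErrors;     // no TLS, or no certificate surfaced

        var parameters = new ChainBuildingParameters();
        parameters.ExclusiveTrustRoots.Add(root);         // ignore the OS root store entirely
        CertificateChain chain = await transport.ServerCertificate.BuildChainAsync(
            transport.ServerIntermediateCertificates, parameters);
        return chain.Validate();                          // Success only if it chains to `root`
    }

    // The certificate is only available after the request has gone out (Sidharth's note),
    // so the first request is a probe that carries no secrets. Returns true only when the
    // server's chain terminates in the enterprise root.
    public static async Task<bool> ServerIsTrustedAsync(Uri baseUri)
    {
        Certificate root = await LoadTrustRootAsync();
        HttpClient client = MakeClient();
        var probe = new HttpRequestMessage(HttpMethod.Get, new Uri(baseUri, "/health"));
        using (HttpResponseMessage response = await client.SendRequestAsync(probe))
        {
            ChainValidationResult result = await ValidateAsync(probe.TransportInformation, root);
            return result == ChainValidationResult.Success;
        }
    }
}
```

Two caveats a reviewer will raise. First, a successful probe does not bind later requests to the same TLS connection, so ValidateAsync belongs on every response, not just the first, with a failed result treated as a hard error and the response body discarded. Second, because the check happens after the request has been sent, it can protect what the app reads but not what it wrote; if the request itself must stay confidential, the StreamSocket route Mike Bishop describes later in this thread (check socket.Information.ServerCertificate after UpgradeToSslAsync, before writing anything) is the one that actually holds.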

      • Matt Cecile commented

        Thanks for the reply, Sidharth. Looking at your code, it seems that you are suggesting that my app be modified to allow untrusted CAs. Is that correct?

        This would not be acceptable to enterprise customers and my application would fail any security audit.

        Or am I misunderstanding the effect of the code you posted?

        Thanks!

        Matt

      • Sidharth Nabar commented

        Hi Matt,

        Thanks for the investigation and feedback. My comment is incomplete - I only explained how to get over the roadblock of SSL certificate verification while testing with self-signed certs.

        For apps intended for corporate environments, I agree that there is a need to access the server certificate and its properties. For this, you can use the TransportInformation property of the HttpRequestMessage class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.httprequestmessage.aspx). Here is a code snippet:

        using System;
        using System.Threading.Tasks;
        using Windows.Security.Cryptography.Certificates;
        using Windows.Web.Http;
        using Windows.Web.Http.Filters;   // HttpBaseProtocolFilter lives in this namespace

        // Sends a GET and returns the certificate the server presented during the TLS handshake.
        static async Task<Certificate> GetServerCertificateAsync(Uri uri)
        {
            HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
            filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted); // Allow untrusted CAs
            HttpClient client = new HttpClient(filter);
            HttpRequestMessage request = new HttpRequestMessage();
            request.Method = HttpMethod.Get;
            request.RequestUri = uri; // e.g. new Uri("https://www.contoso.com") - insert your https URI here
            HttpResponseMessage responseMsg = await client.SendRequestAsync(request);

            // Only populated after the request has been sent, so the request itself must not carry secrets.
            Certificate serverCert = request.TransportInformation.ServerCertificate;
            // serverCert now contains the SSL server certificate; the app is responsible for validating it.
            return serverCert;
        }

        Please let us know if this addresses the scenario you were targeting.

        Thanks,
        Sidharth
        [Windows Networking API team]

      • Matt Cecile commented

        I've been working on this problem over a course of several days and finally came across this blog: http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx

        Key Point:
        "You can implement your own certificate authority using Microsoft Certificate Services but you’ll still need a certificate from one of the phone’s certificate authorities to chain your certificate authority to."

        How is this ever going to be workable in a corporate environment? I have to tell my customers that in order to use SSL for my application, they have to link every MCS CA back to a 3rd-party root CA?

        Even worse is the suggestion that we ignore certificate errors. That would really not go over in a corporate environment.

        This restriction on MCS CAs needs to be removed to function like other mobile OSes or it will be impossible to implement a solution that will be accepted in enterprise environments.

      • sajjan mallik commented

        I am a big lover of Microsoft products. But this product is really frustrating. I don't know what the security issue is in allowing this in Windows Phone apps when it is allowed on other platforms, which are of course more popular than this platform. Microsoft should rethink making these kinds of restrictions before releasing into a market which is highly competitive.

      • Sidharth Nabar commented

        Hi Templarian and Others,

        Thanks for your feedback.

        One way to use self-signed certs in modern apps is to use the WinRT HttpClient (Windows.Web.Http.HttpClient) and the associated HttpBaseProtocolFilter class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.filters.httpbaseprotocolfilter.aspx). In the HttpBaseProtocolFilter, you can set the property "IgnorableServerCertificateErrors" to ignore the untrusted CA error.

        The WinRT HttpClient and HttpBaseProtocolFilter are designed very similarly to the .NET HttpClient and HttpClientHandler, so it should be easy to move from one to the other. Meanwhile, the .NET Networking team is also investigating adding this support to the .NET HttpClient API.

        Thank you,
        Sidharth
        [Windows Networking API team]

      • Mike Bishop [MSFT] commented

        Thanks for the input, Jani! This is actually already possible using StreamSocket -- after doing await socket.UpgradeToSslAsync(), check socket.Information.ServerCertificate for the cert that was provided by the server. You can verify that it's the cert you were expecting before you send any data.
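
The StreamSocket route described in this reply, written out as an added example (not Mike Bishop's or the platform's code): connect in the clear, upgrade to TLS, and compare the SHA-256 of the leaf certificate the server presented against a pin before a single byte of application data goes out. It assumes the Windows Phone 8.1 WinRT APIs (the comments above note that socket.Information.ServerCertificate is not present on WP8 or WP8.1 Silverlight), a server on port 443, and a placeholder pin value that must be replaced with the real fingerprint; PinnedSocket and ConnectPinnedAsync are names chosen for this example.

```csharp
// Added example, not code from the original page. Assumes the WP8.1 WinRT API surface,
// TLS on port 443, and that ExpectedSha256 is replaced with the real fingerprint
// (lowercase hex of SHA-256 over the DER-encoded leaf certificate).
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

public static class PinnedSocket
{
    // Placeholder: 64 hex chars of zeros, which no real certificate will match.
    const string ExpectedSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // SHA-256 over the certificate's DER bytes, hex-encoded, for comparison with the pin.
    static string Sha256Hex(Certificate cert)
    {
        HashAlgorithmProvider sha256 = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        IBuffer digest = sha256.HashData(cert.GetCertificateBlob());
        return CryptographicBuffer.EncodeToHexString(digest);
    }

    // Returns a socket whose TLS peer has been verified against the pin; throws otherwise.
    public static async Task<StreamSocket> ConnectPinnedAsync(string host)
    {
        var socket = new StreamSocket();
        var hostName = new HostName(host);

        // Plain TCP first; nothing of ours has been written yet.
        await socket.ConnectAsync(hostName, "443", SocketProtectionLevel.PlainSocket);

        // Let the handshake complete even if the issuer is not in the phone's store.
        // The trust decision is the pin comparison below, not the OS chain check.
        socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        await socket.UpgradeToSslAsync(SocketProtectionLevel.Tls12, hostName);

        Certificate leaf = socket.Information.ServerCertificate;
        if (leaf == null ||
            !string.Equals(Sha256Hex(leaf), ExpectedSha256, StringComparison.OrdinalIgnoreCase))
        {
            socket.Dispose();   // tear down before any application data is sent
            throw new InvalidOperationException("Server certificate does not match the pin");
        }

        return socket;          // the caller may now write to socket.OutputStream
    }
}
```

Pinning the leaf is the strictest choice and means every certificate rotation on the server is an app update; pinning the SHA-256 of the issuing CA's certificate (socket.Information.ServerIntermediateCertificates on WP8.1) trades some strictness for fewer forced releases. Either way the comparison happens before the first write, which is the property the HttpClient-based approach elsewhere in this thread cannot give you.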

      • Anonymous commented

        It is simply pathetic that I could not attach a client certificate to a WebRequest. How would certificate-based authentication then work for Exchange servers and LDAP servers? What big security threat do you see in doing this? I cannot have all the certificates put in the Windows Phone certificate store as I do not want to untidy users' phones. iOS and Android work great with this.

      • Jani Lirkki commented

        There is SSL/TLS socket support in Windows Phone 8. However, currently no WP8 platform component seems to support SSL certificate pinning.

        When an SSL connection is created, there is no way to inspect the X.509 certificate chain returned by the remote server. I want to implement certificate pinning for additional security in my app and therefore I need an API to read the values of individual X.509 certificates.

        I am not the only one who needs this: http://stackoverflow.com/questions/17741740/read-ssl-certificate-details-on-wp8

        Please provide a way to do certificate pinning using platform components in WP8.

      • Jerry Huang commented

        I can't believe there is no way to check the certificate on the client side. So I can't use SSL to protect data. Please give me a way to check the certificate on the client side.
