Support server SSL certificate chain inspection in Portable Class Libraries
As requested in http://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/3158400-add-httpclient-support-in-portable-class-libraries there is now an HttpClient that can be used in Portable Class Libraries. The latest version of portable HttpClient today is 2.2.15 and it supports also SSL connections.
When an SSL connection is created, the HttpClient doesn't offer any way to inspect the X.509 certificate chain returned by the remote server. I want to implement certificate pinning for additional security in my app and therefore I need an API to read the values of individual X.509 certificates.
I've understood that this could be done in these frameworks:
- .NET FW 2.0 (or newer): using System.Net.ServicePointManager.ServerCertificateValidationCallback API (http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback.aspx)
- .NET FW 4.5 (or newer): using System.Net.Http.WebRequestHandler.ServerCertificateValidationCallback API (http://msdn.microsoft.com/en-us/library/system.net.http.webrequesthandler.servercertificatevalidationcallback.aspx)
- Windows Runtime (8.1 onwards): using APIs from the Windows.Web.Http and Windows.Web.Http.Filters namespaces (e.g. a custom filter assigned to the provided HttpClient that inspects the certificate from the request/response message HttpTransportInformation)
In particular, there seems to be no solution from Microsoft to do this on the Windows Phone 8 platform (see http://stackoverflow.com/questions/17741740/read-ssl-certificate-details-on-wp8).
Now, given all these APIs already available in .NET FW or Windows Runtime, could we please get support for inspecting the details of the server certificate chain directly from a Portable Class Library? If you would implement this, I would be able to do certificate pinning in a Windows Phone 8 app and the portable library could also work on other .NET platforms.
The "inspection of SSL certificates returned by the server" *does not cut it*.
By that time, you have *already* sent out the sensitive information in the request to a middleman who happens to have paid for a public-CA-approved certificate.
Certificate pinning means that we need to tell WinRT that this and only this *exact certificate* is acceptable, and that any _other_ certificate should not be accepted in the TLS negotiation stage, nor should the sensitive HTTP request data end up being sent.
This is perfectly achievable on iOS, Android and "Win32 .NET" (the latter via the ServerCertificateValidationCallback). It is a major issue that WinRT is the only platform not covering this important security feature.
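The following is an added example, not code from the original request or from Microsoft, showing the "Win32 .NET" approach both posts above refer to: the .NET Framework 4.5 WebRequestHandler.ServerCertificateValidationCallback. The callback runs during the TLS handshake, before any request bytes are written, so rejecting the certificate there prevents the sensitive request from ever reaching a middleman. PinnedSha256 is a placeholder value; the real pin is the SHA-256 of the DER encoding of the certificate you intend to pin. WebRequestHandler is not available in a Portable Class Library, which is exactly the gap this request describes.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedHttpClient
{
    // Placeholder pin (assumption): SHA-256 hex over the DER-encoded leaf
    // certificate of the server you control. Replace before use.
    const string PinnedSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    static string Sha256Hex(byte[] der)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(der)).Replace("-", "");
    }

    // Called by SslStream while the handshake is still in progress.
    // Returning false aborts the connection, so the HTTP request body is
    // never transmitted to a peer presenting a non-pinned certificate.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        // Keep the normal chain/hostname validation as a first gate;
        // pinning is an additional check, not a replacement for it.
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        // Pin the exact leaf certificate: hash its DER bytes and compare.
        string actual = Sha256Hex(cert.GetRawCertData());
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static HttpClient Create()
    {
        var handler = new WebRequestHandler();
        handler.ServerCertificateValidationCallback = ValidateServerCertificate;
        return new HttpClient(handler);
    }

    // Usage: any request through this client fails during the handshake,
    // with an HttpRequestException, if the server's leaf certificate changes.
    // var client = PinnedHttpClient.Create();
    // var body = await client.GetStringAsync("https://example.invalid/api");
}
```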
Sidharth Nabar commented
For the Windows Phone platform, please see this post on how you can inspect the SSL certificate returned by the server: https://wpdev.uservoice.com/forums/110705-dev-platform/suggestions/1930835-self-signed-certification-ssl-https
[.NET Networking team]
We are also searching for certificate pinning on WP8 but still no luck... If you have any details, then please share.
This needs to be fixed.
Alexander-Derek Rein commented
Any clue whether this has been added in WP8.1?
It would be really great if we could get support for HttpClient certificate handling to use it for certificate pinning.
Totally agree, WP is the only mobile platform not supporting SSL pinning, which makes it just unfeasible and way less secure than the other dominant mobile platforms ... missed chance.
WP is the only mobile platform that doesn't support this.
I think this is seriously needed because there's a major threat of MITM and CA compromise.