{"id":192,"date":"2013-05-25T08:39:35","date_gmt":"2013-05-25T07:39:35","guid":{"rendered":"http:\/\/oso.com.pl\/?p=192"},"modified":"2013-05-25T09:00:35","modified_gmt":"2013-05-25T08:00:35","slug":"windows-phone-8-these-are-not-the-certificates-you-are-looking-for","status":"publish","type":"post","link":"https:\/\/oso.com.pl\/?p=192&lang=en","title":{"rendered":"Windows Phone 8: these are not the certificates you are looking for"},"content":{"rendered":"<p>tl;dr: it looks like the SSL stack on Windows Phone 8 is completely broken.<\/p>\n<p>We were running some tests of WP8 devices against a server that requires client certificate-based authentication. After we issued a device certificate from our own CA, the device would authenticate against the server. Sometimes it would authenticate using our certificate, but sometimes it would show up with a completely different certificate.<\/p>\n<p>Here are snippets of the SSL handshake. The interesting part starts when the server sends a Certificate Request (click the image for full resolution):<\/p>\n
<p><a href=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"195\" data-permalink=\"https:\/\/oso.com.pl\/?attachment_id=195\" data-orig-file=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\" data-orig-size=\"1253,606\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;}\" data-image-title=\"Certificate Request\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-1024x495.png\" class=\"alignnone  wp-image-195\" alt=\"Certificate Request\" src=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\" width=\"752\" height=\"364\" srcset=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png 1253w, https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-300x145.png 300w, https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-1024x495.png 1024w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/a><\/p>\n
<p>Our server issues a Certificate Request asking the client for a certificate issued by our own local CA (identified by its Distinguished Name).<\/p>\n<p>And here&#8217;s the response we see from the client:<\/p>\n<p><a href=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_response.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Certificate Response\" alt=\"\" src=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_response.png\" width=\"995\" height=\"389\" \/><\/a><\/p>\n<p>So what happened here? The client responded with a certificate issued by Microsoft, rather than providing our certificate or failing the authentication.<\/p>\n<p>The certificate chain, from the client certificate presented up to its root, is:<\/p>\n
<ul>\n<li>Certificate (id-at-commonName=urn:wp-ac-hash-2:PAzCfbUuekP_SrTA0NUecBjyqN1f5,id-at-organizationalUnitName=9DFF3EFECE1B1D3E352EF654DEFBB9DED7)\n<ul>\n<li>Certificate (id-at-commonName=Microsoft Genuine Windows Phone CA4,id-at-organizationalUnitName=GFS,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=WA,id-at-countryName=US)\n<ul>\n<li>Certificate (id-at-commonName=Microsoft Windows Phone PCA,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=Washington,id-at-countryName=US)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<p>Google is not very helpful in explaining what &#8220;wp-ac-hash-2&#8221; is, but it looks to me like a device-specific certificate issued by Microsoft Global Foundation Services. Looking at <a href=\"http:\/\/www.globalfoundationservices.com\/\">http:\/\/www.globalfoundationservices.com\/<\/a>, it looks like this is the team that delivers Zune and other MS cloud services, so I would not be too surprised to see this certificate being used for WP8 Store authentication or other MS services.<\/p>\n<p>There are a couple of upsetting conclusions from seeing this Windows Phone 8 behavior:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">WP8 may or may not be able to authenticate against your server if you need client certificate-based authentication.<\/span><\/li>\n<li>If there are multiple certificates on the device, the phone may fail to reach Microsoft services that require a client certificate. So I can imagine the Microsoft Store not being available, or the phone not being able to verify a software developer.<\/li>\n<li>Your certificate is exposed. I think it may now be possible for a malicious user to run an attack against services that rely on certificate-based authentication. All an attacker has to do is get the user to visit the attacker&#8217;s website with her phone; that website would issue a Certificate Request hoping the phone responds with your certificate, and then proxy the request to your services. The traffic would look as though it came from the user&#8217;s device, when in fact it would originate from a malicious source.<\/li>\n<\/ul>\n
<p>Oh, and did I mention that on top of that, it looks like certificates were an afterthought for Windows Phone 8? All you have to do is take a look at the <a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkID=278984\" target=\"_blank\">Windows Phone 8 Certificate Installation<\/a> document. The only options for installing certificates are through IE or email? No MDM-installed certificates the user can use?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>tl;dr: it looks like the SSL stack on Windows Phone 8 is completely broken. We were running some tests of WP8 devices against a server that requires client certificate-based authentication. After we issued a device certificate from our own CA, the device would authenticate against the server. Sometimes it would authenticate using our certificate, but sometimes it &hellip; <a href=\"https:\/\/oso.com.pl\/?p=192&#038;lang=en\" class=\"more-link\">Read more<span class=\"screen-reader-text\"> \u201cWindows Phone 8: these are not the certificates you are looking for\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[],"tags":[14],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","tag-wp8-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p217OK-36","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":7,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":206,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/
posts\/192\/revisions\/206"}],"wp:attachment":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}