{"id":202,"date":"2013-05-25T08:57:06","date_gmt":"2013-05-25T07:57:06","guid":{"rendered":"http:\/\/oso.com.pl\/?p=202"},"modified":"2015-11-20T10:38:55","modified_gmt":"2015-11-20T09:38:55","slug":"windows-phone-8-to-nie-sa-certyfikaty-ktorych-szukacie","status":"publish","type":"post","link":"https:\/\/oso.com.pl\/?p=202","title":{"rendered":"Windows Phone 8: these are not the certificates you are looking for"},"content":{"rendered":"<p>In short: SSL in Windows Phone 8 is broken<\/p>\n<p>We tested WP8 phones against a server that requires users to authenticate with certificates. After we loaded a certificate from our CA onto the device, the phone connected to the server. Sometimes it presented a certificate from our CA, and sometimes a completely different one.<\/p>\n<p>Below are screenshots from the SSL session. 
Things get interesting once the server requests a certificate by sending a &#8220;Certificate Request&#8221; (click the image to view it at full resolution):<\/p>\n<p><a href=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"195\" data-permalink=\"https:\/\/oso.com.pl\/?attachment_id=195\" data-orig-file=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\" data-orig-size=\"1253,606\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;}\" data-image-title=\"Certificate Request\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-1024x495.png\" class=\"alignnone wp-image-195\" src=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png\" alt=\"Certificate Request\" width=\"752\" height=\"364\" srcset=\"https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request.png 1253w, https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-300x145.png 300w, https:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_request-1024x495.png 1024w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 984px) 61vw, (max-width: 1362px) 45vw, 600px\" \/><\/a><\/p>\n<p>Our server requested a client certificate matching the DN of our own CA.<\/p>\n<p>And here is the client's 
response:<\/p>\n<p><a href=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_response.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Certificate Response\" src=\"http:\/\/oso.com.pl\/wp-content\/uploads\/2013\/05\/certificate_response.png\" alt=\"\" width=\"995\" height=\"389\" \/><\/a><\/p>\n<p>What do we see here? The phone responded with a certificate issued by Microsoft instead of presenting our certificate or simply aborting the transaction.<\/p>\n<p>The hierarchy of this certificate:<\/p>\n<ul>\n<li>Certificate (id-at-commonName=urn:wp-ac-hash-2:PAzCfbUuekP_SrTA0NUecBjyqN1f5,id-at-organizationalUnitName=9DFF3EFECE1B1D3E352EF654DEFBB9DED7)\n<ul>\n<li>Certificate (id-at-commonName=Microsoft Genuine Windows Phone CA4,id-at-organizationalUnitName=GFS,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=WA,id-at-countryName=US)\n<ul>\n<li>Certificate (id-at-commonName=Microsoft Windows Phone PCA,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=Washington,id-at-countryName=US)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Unfortunately, Uncle Google was no help in answering what &#8220;wp-ac-hash-2&#8221; is, but it looks like a device certificate issued by Microsoft's Global Foundation Services (GFS). According to <a href=\"http:\/\/www.globalfoundationservices.com\/\">http:\/\/www.globalfoundationservices.com\/<\/a>, this is the unit that manages the cloud at MS, so I would not be surprised if this were the certificate responsible for authenticating the phone to Microsoft services such as Zune, the store, etc.<\/p>\n<p>This does not look good. 
These are the conclusions that come to mind:<\/p>\n<ul>\n<li>Certificate authentication may or may not work &#8211; depending on whether the phone is in a good mood and responds with the correct certificate<\/li>\n<li>The phone may have trouble contacting Microsoft services if they require a certificate. I can imagine that the store might stop working on the phone, or that the phone will be unable to authenticate software<\/li>\n<li>Certificates may be exposed to attack by proxying the phone's calls to services that use certificate authentication. The attacker lures the user to the attacker's own server on the internet, which requests a certificate and counts on the user's phone presenting the certificate used for, e.g., corporate mail. The attacker then redirects the SSL negotiation to the target server, where it will look as if the user were contacting their own mailbox.<\/li>\n<\/ul>\n<p>By the way &#8211; it looks like certificate handling in Windows Phone 8 has been treated as an afterthought. Just look at this document: <a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkID=278984\" target=\"_blank\">Windows Phone 8 Certificate Installation<\/a>. 
The only options for delivering a certificate are e-mail or IE? There is no way to install certificates over the MDM protocol?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In short: SSL in Windows Phone 8 is broken We tested WP8 phones against a server that requires users to authenticate with certificates. After we loaded a certificate from our CA onto the device, the phone connected to the server. Sometimes it presented a certificate from our CA, and sometimes a completely different one. Below are screenshots from the SSL session. Things get interesting &hellip; <a href=\"https:\/\/oso.com.pl\/?p=202\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \u201cWindows Phone 8: these are not the certificates you are looking 
for\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[12],"tags":[],"class_list":["post-202","post","type-post","status-publish","format-standard","hentry","category-wp8"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p217OK-3g","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=202"}],"version-history":[{"count":4,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/202\/revisions"}],"predecessor-version":[{"id":295,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/202\/revisions\/295"}],"wp:attachment":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2
02"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}