EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SecureBlackbox usable for enhancing Windows Phone in-app browser?

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
#30431
Posted: 08/20/2014 12:27:48
by Tom Nietsch (Basic support level)
Joined: 08/20/2014
Posts: 2

Hello,

I'm not yet a user of SecureBlackbox, but I hope you can help me finding out if the product can solve my problem.

I want to develop an in-app browser for a Windows Phone app which can display SSL certificate details.

The standard Windows Phone framework provides no access to the server certificate used for HTTPS connections. Is it possible to create the HTTPS connection and to access the server certificate using SecureBlackbox and still using the Windows Phone framework for HTML rendering? Or would it be necessary to implement the in-app browser myself?

Thanks in advance for any advice.

Kind regards,
Tom
#30432
Posted: 08/20/2014 12:37:30
by Eugene Mayevski (EldoS Corp.)

Thank you for your interest in our products.

If you need to get certificate details, the easiest you can do is establish a separate connection using TElSimpleSSLClient, handle OnCertificateValidate event, check that you have received all certificates (OnCertificateValidate can be triggered several times in a row) and then drop the connection. For the user it will be transparent.


Sincerely yours
Eugene Mayevski
#30433
Posted: 08/20/2014 12:38:36
by Eugene Mayevski (EldoS Corp.)

Still need to say that this separate connection will be literally separate as it won't go via .NET Framework classes (besides Socket class) and thus it will be subject to different network restrictions and proxy settings than the browser itself is.


Sincerely yours
Eugene Mayevski
#30438
Posted: 08/21/2014 02:16:43
by Tom Nietsch (Basic support level)
Joined: 08/20/2014
Posts: 2

Thank you for your answer.

Quote
[...] and thus it will be subject to different network restrictions and proxy settings than the browser itself is.


And it bears the risk that a man-in-the-middle might take over the browser's connection while the user thinks everything's alright because the certificate details seem ok. Right?
#30439
Posted: 08/21/2014 02:26:05
by Eugene Mayevski (EldoS Corp.)

Quote
Tom Nietsch wrote:


And it bears the risk that a man-in-the-middle might take over the browser's connection while the user thinks everything's alright because the certificate details seem ok. Right?


No. The certificate is validated by the browser itself during connection (at least it should be - I have no experience with Windows Phone), so unless the certificate is forged or the device itself is compromised (so that the certificate storages include fake certificates) the browser won't accept the fake server certificate.

The problem can arise if the browser uses some proxy while your code does not - in this case there's a chance (depending on network configuration) that your code won't connect.


Sincerely yours
Eugene Mayevski
Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.

Reply

Statistics

Topic viewed 623 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!