Re: App Transport Security exceptions App Store signed app

[Gavin Eadie]

> On Jan 27, 2016, at 7:14 PM, Alex Zavatone  wrote:
> 
> Here’s another discussion on nscurl that might help from Quinn at Apple DTS 
> with a little more info. Thanks for the tip, Gavin.

.. Quinn’s a god!

.. Here’s the CocoaHeads presentation I mentioned:

  
https://www.dzombak.com/talks/2016-01-14-App-Transport-Security--What--Why--How-.html
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Gavin Eadie]

> On Jan 27, 2016, at 12:55 AM, Trygve Inda  wrote:
> 
> Calls to http on my domain (xericdesign.com) work. Calls via http to my
> other domain (earthdeskcloudhost02.com) do not work.

.. you (and others) may find this option on the nscurl command 

nscurl --ats-diagnostics --verbose http://www.earthdeskcloudhost02.com

which will try all the Info.plist possibilities to see what works (and 
doesn’t) .. I didn’t know about this till attending a very good CocoaHeads 
presentation on the whole ATS topic.  One comment made in that presentation is 
that this topic is not documented at all well by Apple.
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Alex Zavatone]

Here’s another discussion on nscurl that might help from Quinn at Apple DTS 
with a little more info. Thanks for the tip, Gavin.

https://forums.developer.apple.com/thread/14816




On Jan 27, 2016, at 7:02 PM, Gavin Eadie  wrote:

>> On Jan 27, 2016, at 12:55 AM, Trygve Inda  wrote:
>> 
>> Calls to http on my domain (xericdesign.com) work. Calls via http to my
>> other domain (earthdeskcloudhost02.com) do not work.
> 
> .. you (and others) may find this option on the nscurl command 
> 
>nscurl --ats-diagnostics --verbose http://www.earthdeskcloudhost02.com
> 
>which will try all the Info.plist possibilities to see what works (and 
> doesn’t) .. I didn’t know about this till attending a very good CocoaHeads 
> presentation on the whole ATS topic.  One comment made in that presentation 
> is that this topic is not documented at all well by Apple.
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/zav%40mac.com
> 
> This email sent to z...@mac.com


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Trygve Inda]

> Also, have you looked into setting up HTTPS on those servers instead of
> working around its absence? Part of the reason Apple added ATS was to nudge
> app developers to make their network connections more secure, which will
> benefit users.

It is basically a cost issue. It is expensive to set up SSL certificates on
8 different servers... It would cost us about $700/yr and add little benefit
as it has been working fine with http (no s) for more than 10 years.

Trygve



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Trygve Inda]

> On 26 Jan 2016, at 9:55 pm, Trygve Inda  wrote:
> 
>> connection failed: (null) The resource could not be loaded because the App
>> Transport Security policy requires the use of a secure connection.
>> http://www.earthdeskcloudhost02.com/mosaic/free/clouds-2048.jpg
> 
> I'm no App Transport Security expert, but taking what you described at face
> value, that seems to make sense. You tried to load a resource from
> www.earthdeskcloudhost02.com, which is a subdomain of
> earthdeskcloudhost02.com, yet the Info.plist entries you described seemed to
> lack a NSIncludesSubdomains key for the latter domain.
> 
> I imagine that if you either drop the 'www.' or add the NSIncludesSubdomains
> it might work...?

Yeah - I guess I don't really think of the www as being a subdomain, but
indeed it is.

Trygve



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Sixten Otto]

On Tue, Jan 26, 2016 at 11:18 PM, Jens Alfke  wrote:

> I believe you’re using the wrong key. If you need non-SSL connections to
> work, the key you want is NSAllowsArbitraryLoads. The key you’re using is
> for situations where you make an SSL connection but the SSL server doesn’t
> meet ATS’s security requirements — e.g. its certificate is self-signed or
> expired.
>

According the docs, it's also for the case where the connection needs to be
made over non-S HTTP: "With this key’s value set to YES
,
your app can make secure connections to a secure server but can also
connect insecurely to a server with no certificate, or a self-signed,
expired, or hostname-mismatched certificate." (
https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html
)

Which you might want to do if you have an app where you really don't want
to allow connections to absolutely anything (which NSAllowsArbitraryLoads
does), but there's a specific, known host/domain that you need that doesn't
support TLS.
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Jens Alfke]

> On Jan 27, 2016, at 7:53 AM, Sixten Otto  wrote:
> 
> According the docs, it's also for the case where the connection needs to be
> made over non-S HTTP: "With this key’s value set to YES
>   
> >,
> your app can make secure connections to a secure server but can also
> connect insecurely to a server with no certificate, or a self-signed,
> expired, or hostname-mismatched certificate." (
> https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html
>  
> 
> )

I believe that text refers to an *SSL* server "with no certificate, or a 
self-signed, expired, or hostname-mismatched certificate”. There is a 
_separate_ key that allows non-SSL connections.

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Jens Alfke]

> On Jan 27, 2016, at 7:32 AM, Trygve Inda  wrote:
> 
> It is basically a cost issue. It is expensive to set up SSL certificates on
> 8 different servers... It would cost us about $700/yr

Sounds like you’re being overcharged. SSL on hosted domains used to be pricey 
(partly due to the CPU overhead of the encryption) but hosts like Dreamhost are 
now offering it as a free add-on. And Let’s Encrypt makes getting and 
maintaining a cert free and fairly easy.


https://www.dreamhost.com/blog/2016/01/20/free-ssltls-certificates-at-dreamhost-with-lets-encrypt/
https://letsencrypt.org

> and add little benefit as it has been working fine with http (no s) for more 
> than 10 years.


This is kind of like living in a small town that’s now grown into a big city, 
and still refusing to lock your doors at night. :)
The site may have been fine so far, but the world around it is changing. Both 
attacks against and surveillance of cleartext connections are increasing, and 
there’s a growing consensus that unencrypted HTTP should be deprecated. Apple’s 
ATS is a sign of that.

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
I think it’s pretty likely that, within a year or so, users of your website or 
app* are going to be seeing scary security warnings in their browser or mobile 
device unless you move to HTTPS.

—Jens

* My bet is that the next step (in iOS 10 / OS X 10.12?) is that the OS will 
put up a security alert when your app makes a non-SSL connection. Something 
like “FooApp wants to make an insecure connection to www.foo.com. Data could be 
eavesdropped on or tampered with. Is this OK?” Then after that, a year or two 
later, they’ll start rejecting apps from the App Store for this.
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Sixten Otto]

On Wed, Jan 27, 2016 at 10:29 AM, Jens Alfke  wrote:

> I believe that text refers to an *SSL* server "with no certificate, or a
> self-signed, expired, or hostname-mismatched certificate”. There is a
> _separate_ key that allows non-SSL connections.
>

Reading over the rest of the page, I'm fairly certain that's not the case.
Here are a couple of other bits:

Set this key’s value to YES
> ,
> if needed, to:
>
>- Enable connection to an insecure HTTP server
>- Enable connection to an untrusted HTTPS server
>- Enable connection to an HTTPS server for which you want to perform
>your own server trust evaluation
>
> For example, setting the value of a named server’s
> NSExceptionAllowsInsecureHTTPLoads key to YES
> 
>  allows
> insecure HTTP connections to that server.


To use ATS generally but allow connection to a specific server that does
> not support the HTTPS protocol—for example, a media server that your app
> uses—employ the following configuration pattern in your Info.plist file: 
> *[snip
> example using **NSExceptionAllowsInsecureHTTPLoads]*


The only other exception keys that control HTTPS behavior are
NSExceptionRequiresForwardSecrecy and NSExceptionMinimumTLSVersion, neither
of which seems to fit the role you're talking about.
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Trygve Inda]

> 
>> On Jan 27, 2016, at 7:32 AM, Trygve Inda  wrote:
>> 
>> It is basically a cost issue. It is expensive to set up SSL certificates on
>> 8 different servers... It would cost us about $700/yr
> 
> Sounds like you’re being overcharged. SSL on hosted domains used to be pricey
> (partly due to the CPU overhead of the encryption) but hosts like Dreamhost
> are now offering it as a free add-on. And Let’s Encrypt makes getting and
> maintaining a cert free and fairly easy.

This is from Pair Networks for an SSL certificate with subdomains.

https://www.pair.com/services/pairssl/

> This is kind of like living in a small town that’s now grown into a big city,
> and still refusing to lock your doors at night. :)
> The site may have been fine so far, but the world around it is changing. Both
> attacks against and surveillance of cleartext connections are increasing, and
> there’s a growing consensus that unencrypted HTTP should be deprecated.
> Apple’s ATS is a sign of that.
> https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
> I think it’s pretty likely that, within a year or so, users of your website or
> app* are going to be seeing scary security warnings in their browser or mobile
> device unless you move to HTTPS.

You could be right. I fail to see why downloading a simple image needs to be
done securely. It is not transmitting anything financial or sensitive.

T.




___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Sean McBride]

On Tue, 26 Jan 2016 22:18:45 -0800, Jens Alfke said:

>Also, have you looked into setting up HTTPS on those servers instead of
>working around its absence? Part of the reason Apple added ATS was to
>nudge app developers to make their network connections more secure,
>which will benefit users.

Someone should nudge Apple's Server.app team then, because its apache still 
supports only TLSv1.0, rather laughably! :(

Cheers,

-- 

Sean McBride, B. Eng s...@rogue-research.com
Rogue Researchwww.rogue-research.com 
Mac Software Developer  Montréal, Québec, Canada



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Ben Kennedy]

On 26 Jan 2016, at 9:55 pm, Trygve Inda  wrote:

> connection failed: (null) The resource could not be loaded because the App
> Transport Security policy requires the use of a secure connection.
> http://www.earthdeskcloudhost02.com/mosaic/free/clouds-2048.jpg

I'm no App Transport Security expert, but taking what you described at face 
value, that seems to make sense. You tried to load a resource from 
www.earthdeskcloudhost02.com, which is a subdomain of earthdeskcloudhost02.com, 
yet the Info.plist entries you described seemed to lack a NSIncludesSubdomains 
key for the latter domain.

I imagine that if you either drop the 'www.' or add the NSIncludesSubdomains it 
might work...?

-ben


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: App Transport Security exceptions App Store signed app

[Jens Alfke]

> On Jan 26, 2016, at 9:55 PM, Trygve Inda  wrote:
> 
> NSTemporaryExceptionAllowsInsecureHTTPLoads

The “Temporary” in those names was only needed for the first iOS 9 beta. It 
might still be supported, but the official names do not have Temporary in them. 
See the official docs at

https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33

> Calls to http on my domain (xericdesign.com ) work. 
> Calls via http to my
> other domain (earthdeskcloudhost02.com ) do 
> not work.

I believe you’re using the wrong key. If you need non-SSL connections to work, 
the key you want is NSAllowsArbitraryLoads. The key you’re using is for 
situations where you make an SSL connection but the SSL server doesn’t meet 
ATS’s security requirements — e.g. its certificate is self-signed or expired.

Another useful article to read is

http://lithium3141.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

Also, have you looked into setting up HTTPS on those servers instead of working 
around its absence? Part of the reason Apple added ATS was to nudge app 
developers to make their network connections more secure, which will benefit 
users.

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

App Transport Security exceptions App Store signed app

[Trygve Inda]

I am still getting an error despite my Info.plist beign configured correctly
(as far as I can tell).

Calls to http on my domain (xericdesign.com) work. Calls via http to my
other domain (earthdeskcloudhost02.com) do not work.

connection failed: (null) The resource could not be loaded because the App
Transport Security policy requires the use of a secure connection.
http://www.earthdeskcloudhost02.com/mosaic/free/clouds-2048.jpg

My Info.plist has:

NSAppTransportSecurity
- NSExceptionDomains

-- earthdeskcloudhost02.com
--- NSTemporaryExceptionAllowsInsecureHTTPLoads (YES)

-- xericdesign.com
--- NSTemporaryExceptionAllowsInsecureHTTPLoads (YES)
--- NSIncludesSubdomains (YES)

I have also tried the key: NSExceptionAllowsInsecureHTTPLoads

Since some docs say this key should be used.


Any ideas?

Trygve



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com