Automatic authentication with matching client certificates?

When testing the iOS 9 Beta with MobileIron, we discovered a very problematic change in the device's behavior.

When opening a Webclip which refers to a website requesting a client certificate, a prompt shows up to explicitly choose the client certificate to authenticate with.

The website requests a client certificate issued by a specific certificate authority, for instance CN=CA1/O=Acme (this is part of the TLS handshake).

The device has only one client certificate issued by this CA (subprofile of an MDM profile).

The prompt to choose appears even though the list contains only this single client certificate.

In iOS 8 the device automatically authenticates with the matching client certificate.

Therefore this feature is widely used for securing and authenticating access to corporate websites and, with regard to MobileIron, for the Enterprise AppStore.

If this is not a bug and will remain in the final iOS 9 release, we will be seeing immense user impact.

Please provide us with clarity on whether this is simply a bug or not.
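The handshake step the post above refers to, as an added example that is not part of the original thread: a TLS 1.2 CertificateRequest carries the acceptable issuer names, and a client can narrow its identities against that list before deciding whether a prompt is needed at all. The message bytes, identity labels and function names are constructed for illustration; the sketch assumes the TLS 1.2 layout and short-form DER lengths, and compares names exactly rather than applying full X.500 matching rules.

```python
# TLS 1.2 CertificateRequest (RFC 5246, 7.4.4): issuer list -> identity choice.
OIDS = {bytes.fromhex("550403"): "CN", bytes.fromhex("55040a"): "O"}
# Constructed sample messages: one naming CN=CA1/O=Acme, one with an empty CA list.
REQ_CA1 = bytes.fromhex("0d000029" "0101" "00020401" "0021" "001f" "301d"
                        "310c300a06035504030c03434131" "310d300b060355040a0c0441636d65")
REQ_ANY = bytes.fromhex("0d000008" "0101" "00020401" "0000")
CA1 = (("CN", "CA1"), ("O", "Acme"))

def read_tlv(buf, pos):
    """Return (value, next_pos) for the DER TLV at pos; short-form lengths only."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form DER length")
    end = pos + 2 + buf[pos + 1]
    return buf[pos + 2:end], end

def parse_name(der):
    """Decode a DER X.501 Name into a tuple of (attribute, value) pairs."""
    rdns, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(rdns):
        rdn, pos = read_tlv(rdns, pos)      # SET (one RDN)
        atv, _ = read_tlv(rdn, 0)           # SEQUENCE { OID, value }
        oid, nxt = read_tlv(atv, 0)
        val, _ = read_tlv(atv, nxt)
        out.append((OIDS.get(oid, oid.hex()), val.decode()))
    return tuple(out)

def acceptable_issuers(msg):
    """Extract certificate_authorities from a CertificateRequest handshake message."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                    # skip certificate_types
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip signature algorithms
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, names = pos + 2, []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        names.append(parse_name(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names

def choose_identity(msg, identities):
    """identities: [(label, issuer)]. An empty CA list accepts any issuer."""
    wanted = set(acceptable_issuers(msg))
    hits = [label for label, issuer in identities if not wanted or issuer in wanted]
    return ("auto", hits) if len(hits) == 1 else ("prompt" if hits else "none", hits)
```

The "auto" outcome corresponds to the iOS 8 behaviour the post describes; a server that sends an empty issuer list gives the client nothing to filter on, so every installed identity remains a candidate.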

I definitely recommend that you file a bug about this. It doesn’t sound like a deliberate change but, even if it were, the fact that it’s causing substantial user-level grief is bugworthy.

Please post your bug number, just for the record.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This still seems to be the case for the final iOS 9 release. Not checked with iOS 9.1 though. Any news on this behavior? This really IS a big issue as the thread owner laid out in detail.


EDIT: Just filed a bug for this with number 22804234


Many thanks and kind regards

Hello eskimo,


We suffer from the same issue. In addition, we realized that the problem only exists for webclips, but not for direct calls from Safari. If the website which requests the client certificate is called via URL in Safari, the prompt for selecting the certificate does not appear and the webpage is displayed.

In iOS 9.0.1 the behaviour still exists.


Any news on this issue?

Kind regards

It seems that while using Safari, it also prompts you, but keeps your decision at least for as long as Safari remains open, regardless of whether you closed the tab / page in between. For Webclips it seems you always get prompted.


In iOS 9.1 beta 3 there seems to be a change in how the user is prompted about the certificate, btw. Instead of two separate popups, there's now only one combined popup, where the certificate is chosen and you can also cancel the process. So Apple seems to be working on this, but it also seems that this prompt is not going away anytime soon.


My gut feeling is that this is some kind of bad (from a user experience point of view) workaround for a security issue with certificates. Maybe someone from Apple could clarify this.


I would also encourage everybody to raise a bug report for this to get Apple's attention.


Cheers

Jens

We have the same issue on our Apple iOS deployment (iOS 9.1 B5). What used to be a fantastic way to authenticate users in a user-friendly and seamless fashion has now changed for no apparent reason. I can understand querying the user if there is more than one certificate on the device which could be used to authenticate with, but that is not the case here.
