Notice (2018-05-24): bugzilla.xamarin.com is now in
Please join us on
Visual Studio Developer Community and in the
Mono organizations on
GitHub to continue tracking issues. Bugzilla will remain
available for reference in read-only mode. We will continue to work
on open Bugzilla bugs, copy them to the new locations
as needed for follow-up, and add the new items under Related
Our sincere thanks to everyone who has contributed on this bug
tracker over the years. Thanks also for your understanding as we
make these adjustments and improvements for the future.
Please create a new report on
Developer Community or GitHub with
your current version information, steps to reproduce, and relevant error
messages or log files if you are hitting an issue that looks similar to
this resolved bug and you do not yet see a matching new report.
Given that a lot of developers sit on public WiFi (ignoring DNS poisoning), it would be a good idea not to load resources over the internet, unencrypted. Especially so when we have people hacking internet routers and doing effectively 'man in the middle attacks' which race the server to send the reply and how easy software like evilgrade will make it to inject content into the application.
When starting XS some mtouch-64 tries to load insecure resources. See screenshot.
Start by moving everything to HTTPS and using HSTS for your domains, as well as making XS ignore downgrade attacks; HTTPS to HTTP.
Created attachment 9995 [details]
insecsure content loaded
You're not a TV, but it's a fun podcast: https://kasperskycontenthub.com/threatpost/files/2014/09/digital_underground_168.mp3
XS already uses HTTPS for everything, not sure why mtouch is accessing the internet.
We'll check. I do not recall any direct* use of port 80. In fact there's not much network activity from mtouch.
Just for confirmation can you tell us which version of XI you're using (e.g. you can copy-paste the text from XS about box dialog).
* It could come from some Apple API we're using (hopefully only if you opted in to share information with Apple for either OSX or Xcode).
The IP address you gave us, 220.127.116.11, trace back to a184-86-13-15.deploy.static.akamaitechnologies.com (in NL, Europe).
Several Apple services are using Akamai, e.g. itunes , and `mtouch` is reusing some of Xcode/iTunes libraries to access your iOS devices.
I still want to be 100% sure, if possible, about what's going on (and where) since I have not seen this behaviour locally (but it could be a periodic, e.g. daily/weekly, check).
* Does this happen when doing a specific operation ? e.g. build, deploy to simulator, deploy to device...
* Does your tool report the exact URL (not just the host) being accessed ?
It's to these links:
It's on every start of XS.
Thanks for the additional information.
Every *.plist contains that specific (http) URL. If resolved then it's not surprising it's using http (that's the URL present in the files).
I'll check just in case some XML code is resolving it at runtime. IIRC we're using text or Apple API's for the .plist (not any BCL Xml* classes) but I'll double check (more as an optimization than anything else).
That's not (directly) from mtouch. Note that downloading a X.509 certificate from http is likely* fine, as the structure itself is signed.
* it depends on how it's used later (but that same is true even if was downloaded from https).
I found the case (at XS startup) where parsing an XML document triggered the .dtd to be downloaded. That's done automatically by the .NET framework (but I added extra code so avoid it).
Fixed in maccore/master dc0cba04861853e0fd2dcf3a3a09902367254a8d
The certificate case is not an issue (and it comes from something out of our control).
Thanks again for the details.