Comments, Code and Qt. Some words about the wonderful world of software engineering

5Jan/132

Why doesn’t Windows Phone 8 support HTTPS?

Posted by kypeli

Let me start by saying that of course does Windows Phone 8 support HTTPS in the browser, but it seems some HTTP related APIs do not. As I am developing my podcast client for Windows Phone, I occasionally get bug reports from Windows Phone 8 users that I can't reproduce on my Windows Phone 7 device. This is one of those. I use BackgroundFileTransfer and BackgroundAudioPlayer components in my podcast client. Both of them operate on HTTP(S) endpoints as clients. But I got a bug report the other day say saying that the download failed on a file and the same (audio) file cannot be played in the player. I had to start digging deeper, as the same media file does work without issues on my Windows Phone 7 device. It turns out that the file in question is behind a HTTPS endpoint. I don't know if it matters, but the server returns HTTP code 301 (Permanently moved) which means that the server requests the client to go look for the content from another location that it specifies. I looked at the network traffic using Wireshark. It turns out, as you can see below, that Windows Phone 8 terminates the connection after the initial SSL handshake by sending TCP package with [FIN, ACK]. Windows Phone 8 just throws in the towel and gives up.

wp8_download_fyp_cropped

On the other hand Windows Phone 7 responds at the same location with a TCP [SYN] package which means it wants to continue the communication. It gets the HTTP code 301 as response and moves happily on.

wp7_download_fyp_cropped

So why doesn't Windows Phone 8 support HTTPS? I have made Microsoft aware of this issue by posting on to their forum a question: http://social.msdn.microsoft.com/Forums/en-US/wpdevelop/thread/f4cc446d-534c-496f-86e2-d21e72001177. I have not yet received a response. Update: So I got a response to the forums from Microsoft saying they are indeed investigating this issue, which is very nice! Thanks 🙂 And it also turns out that very likely, this is related to the HTTPS -> HTTP change in the connection. As you can see from the WP7 traces, it's WP7 doing the first HTTP request which means it already got the HTTP 301 response from the server - over HTTPS. Hence it's not visible in the trace. So I think Microsoft tried to do something to enhance the security, but broke the experience. And I really hope they find this a bug, as this would be unexpected behavior from a browser, so why would these HTTP APIs behave differently and break things? At least give me an option to use this "insecure" way of communication.

Technorati Tags: , , ,