Certificate Validation is bypassed for the web requests used. #85

Open
jwittner opened this issue Sep 19, 2017 · 4 comments
@jwittner
Collaborator

jwittner commented Sep 19, 2017

Right now certificate validation is bypassed, which is a serious security concern.

Currently thinking we could add support for warning the user and letting them opt-in to the bypass action (with optional future white-listing). We could only allow bypass for certs matching some factors, e.g. date ranges.
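
One way to implement the opt-in bypass proposed in the comment above, as an added example that is not this project's code. It assumes the requests go through .NET's `ServicePointManager`; the class name and the thumbprint allowlist are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: the name and the allowlist are illustrative only.
public static class OptInCertificatePolicy
{
    // Thumbprints the user explicitly accepted after being warned.
    // The entry below is a constructed placeholder, not a real certificate.
    static readonly HashSet<string> UserApproved =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    public static void Install()
    {
        // Takes the place of a callback that unconditionally returns true.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal path: the platform trust store accepted chain and host name.
        if (errors == SslPolicyErrors.None) return true;
        if (certificate == null) return false;

        // Only chain errors can be waived; a host-name mismatch or a
        // missing certificate is always rejected.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Date-range factor from the proposal: never waive an expired or
        // not-yet-valid certificate. NotBefore/NotAfter are local time.
        var cert = new X509Certificate2(certificate);
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;

        // Waive the chain error only for certificates the user opted in to.
        return UserApproved.Contains(cert.Thumbprint);
    }
}
```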

@jwittner
Collaborator Author

This issue goes away if I run `mozroots.exe --import --sync`, but this executable is only available in the MonoBleedingEdge directory of Unity.

The printout of mozroots.exe says it's been deprecated and that we should use cert-sync, which may work, but requires a certificate in PEM format to sync with. I haven't figured out what the right certificate is for that yet.

@jwittner
Collaborator Author

Note: for reproducing, it's useful to clear your Trusted certs after running mozroots. I'm using this PowerShell command:

```powershell
.\certmgr.exe -list -c Trust |? { $_ -match "Unique Hash:\s+(\w+)" } |% { .\certmgr.exe -del -c Trust $Matches[1] }
```

@ForrestTrepte
Collaborator

I'm taking a look to see if this can be solved by using UnityWebRequest.

@ForrestTrepte
Collaborator

I couldn't quite figure out how to make this work via UnityWebRequest. I was successful in loading package information from the VSTS feed using UnityWebRequest without the need for bypassing certificate validation. But unfortunately, when it came time to download the package itself, I had an InvalidAuthenticationInfo error and was unable to download the package even when using .NET 4.6. I'm giving up, at least for now.
