Slashdot Mirror


Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to log in to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are redirected either to Nokia/Ovi proxy servers if the Nokia browser is used, or to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

200 comments

  1. So...um... by grasshoppa · · Score: 3, Insightful

    Are they actively trying to kill the company? I have to ask, because it really seems as if that's their goal.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:So...um... by Anonymous Coward · · Score: 5, Insightful

      The Opera and Silk (Amazon) browsers channel their data through to home servers to render most of the page there, and this is especially useful for situations with high bandwidth but low end CPU.

      This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

      Non-story. Yawn.

    2. Re:So...um... by Anonymous Coward · · Score: 1

      Devalue it enough for Microsoft to buy it.

    3. Re:So...um... by AliasMarlowe · · Score: 5, Interesting

      Non-story. Yawn.

      Indeed. Same behavior as any of several other smartphone browsers, and with no MITM attack over https.
      But we're left wondering what sort of "security professional" this Gaurang Pandya might be.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    4. Re:So...um... by Anonymous Coward · · Score: 0

      Google has been spying on your web hits via Android's default DNS servers for years. Hasn't hurt their sales.

    5. Re:So...um... by grasshoppa · · Score: 2

      It's a question of liability; sniffing dns traffic is radically different than purposefully performing a MIM attack.

      My bank account gets cleared out; Nokia is now a suspect.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    6. Re:So...um... by Anonymous Coward · · Score: 0

      This is what Blackberry did 10 years ago, and made their phone so successful.

    7. Re:So...um... by Anonymous Coward · · Score: 0

      Opera Turbo (as it is called, and can be turned off, and is turned off when on WiFi, by default) has this nasty habit of compressing images by proxy, in order to er-... say... reduce your web browsing data consumption, by five times.

      Next to offline maps, and many other features, it somehow appears that one does not need a very expensive data plan, which kind of rules.

      On Symbian, there is also a VPN 'proxy' with encryption for Facebook and Twitter, so when over the air, your stuff is encrypted.

      And to top that, one does not need a credit card to buy apps, music, and whatnot, unlike the iPhone or whatever Android App devs come up with; it's calculated on top of your service provider monthly fee.

      Welcome to shit done right.

    8. Re:So...um... by kelemvor4 · · Score: 1

      This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

      Non-story. Yawn.

      I don't think it's a non-story, I think it's awesome! Automatic transcoding of videos should be touted as a feature.

    9. Re:So...um... by Anonymous Coward · · Score: 0

      No killing, elop.exe just has orders to get the value down so no chairs have to be launched...

    10. Re:So...um... by ron_ivi · · Score: 1

      February 2011, Nokia has had a strategic partnership with Microsoft, as part of which all Nokia smartphones will incorporate Microsoft's Windows Phone.

      (from wikipedia) Perhaps they see more potential in stealing people's credit card information than in Windows 8 phones.

    11. Re:So...um... by DeepLinux · · Score: 1

      A real one?

      This is MITMing https via a Nokia wildcarded certificate installed on the phone.

      Amazon Silk on Kindles does the same and shouldn't be touched with a barge pole.

      Opera MINI does the same but is worse as you end up with a secure connection from Opera to the site in question and an insecure connection from you to opera. Again should not be touched with a barge pole.

      True smartphone browsers such as Safari on the iPhone and the built in android browser provide end to end encryption from the device to the website.

    12. Re:So...um... by __aablib8664 · · Score: 2

      He doesn't show Opera doing a MITM for HTTPS traffic. In fact, from Opera's Privacy Policy regarding their boost:

      Privacy in Opera Turbo
      When Opera Turbo is enabled, the service will compress network traffic, thereby increasing download speed and reducing data volume. The service requests normal Web content through an Opera Software proxy server. Opera Turbo will exclude Web pages located on an intranet or by using secure connections (HTTPS). Opera collects IP addresses, usage patterns, and the point in time at which the service is used for the purpose debugging, maintenance, optimization of the service, or maintaining the customer relationship. Analysis of service usage is conducted by aggregating data, anonymizing individual identities.

      This clearly states that HTTPS traffic is untouched....Compared to Nokia which is rewrapping your encrypted data. What's the point then?? I'm not connecting to https xyx, I'm connecting to Nokia, who is then connecting to https xyx....that is so stupid. A single compromised certificate or proxy server would expose enormous amounts of data.

      Nokia's privacy policy makes not a mention of intercepting HTTPS traffic. Good job to Opera for following their privacy policy.

    13. Re:So...um... by oztiks · · Score: 1

      Mod points +insightful for this one I believe!

    14. Re:So...um... by theedgeofoblivious · · Score: 1

      No, this is how Nokia intends to make money in the future: by selling stolen credit card information.

    15. Re:So...um... by sdsucks · · Score: 1

      Apparently one that understands the significance of intentionally breaking SSL - something you seem to not understand.

      If the end users are completely aware this is happening - then OK. But from the sound of it most users would not realize this is happening with SSL traffic.

  2. Many mobile browsers do this. by Kenja · · Score: 5, Insightful

    Is this different than the acceleration offered by Amazon on the Kindles or other browsers? I know that in Amazon's case it can be turned off, but they use a proxy so that they can recompress images and run scripts off of the mobile device. I know of one or two third party browsers including Opera Mobile that do much the same thing.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

    2. Re:Many mobile browsers do this. by EkriirkE · · Score: 3, Informative

      Opera does this for even HTTPS. On their site they explain "no caching, totally secure, etc"

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    3. Re:Many mobile browsers do this. by Baloroth · · Score: 4, Informative

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

      No, it's not a MITM attack. From the sound of it, that's exactly how the browser was always intended to work. I haven't used the Nokia browser, but the Opera Mini "browser" isn't actually a browser properly speaking, it downloads everything onto Opera's servers, renders it, compresses it to an image file, and sends it to the phone (reduces bandwidth and CPU costs). It does this to HTTPS and HTTP connections alike (couldn't use HTTPS without it at all). I'm guessing that is exactly what the Nokia browser is doing too. There's no legal trouble with doing that, at least if they aren't recording the data (Opera doesn't, I'd assume Nokia doesn't either). FFS, Wikipedia lists the damned browser as a proxy-based one, as does Nokia's website. It's like being surprised your browser can see the passwords you type into a website. Can't be an "attack" if they publicly inform you that's how the thing works.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:Many mobile browsers do this. by Dahamma · · Score: 1

      No it's not. This has been done on older and/or low end cell phone browsers for years. This "security researcher" mentioned must be completely clueless if he didn't know that...

      Think of it this way - the *browser* is really on their server, and the app on the phone just displays simplified/pre-rendered content. This is the only way you are going to get a decent web browser on low end phones without enough memory or CPU power to handle all of the HTML/JS that can be thrown at it.

    5. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 3, Interesting

      And what's to stop a disgruntled Nokia worker from firing up Wireshark and recording whatever they want without approval?

    6. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      If you open an SSL connection, I think most people assume that the protocol is working as intended, and ONLY the sender and the receiver have knowledge of the exchange. It *IS* an active MITM attack; they have done exactly what an attacker would do. Why the HELL should I trust Nokia's certificate? Do they run a CA using industry standard practices that assure the identity of the sites on the other side of the connection? No? Then get their freaking certificate OFF of my trust list!

    7. Re:Many mobile browsers do this. by Luckyo · · Score: 2

      Prison sentence.

    8. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      So, we're supposed to go to Wikipedia to research every piece of software on every phone now?

      Seriously. The default browser sends https to its own server, where it's processed and sent back. With no warning. But to find this out, we're supposed to go look it up on Wikipedia, apparently.

      Does that sound remotely good, reasonable, or right? No.

    9. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 1

      That didn't stop thousands of career criminals. Plus they could just claim they were troubleshooting the network.

    10. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      They shouldn't do this for https, but using a proxy, even one that parses and transcodes html, doesn't mean it will be used for a MitM attack. The CONNECT command should tunnel data through the proxy transparently. But if the client and the proxy are under control of the same entity there is a greater risk for rogue certificate chains to perform a MitM attack.

    11. Re:Many mobile browsers do this. by Daniel_Staal · · Score: 1

      Opera Mini does it even for HTTPS. Opera Mobile has it as an option, like their desktop browsers. (And then I don't think it does HTTPS.) That's the difference, and the advertising all mentions it. (And why they have two browsers for the same market. Mini does have a slightly smaller CPU footprint on the consumer device, so it works on lower-end devices as well.)

      --
      'Sensible' is a curse word.
    12. Re:Many mobile browsers do this. by Mr.+Slippery · · Score: 1

      Opera does this for even HTTPS. On their site they explain "no caching, totally secure, etc"

      If Opera is calling their MITM attack "totally secure", then they are lying bastards.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    13. Re:Many mobile browsers do this. by RulerOf · · Score: 1

      To be fair, it's only insecure if they're lying about it.

      ....not that I'd care to put that much trust in my Browser vendor... Then again, I'm using Chrome. Hmmph.

      --
      Boot Windows, Linux, and ESX over the network for free.
    14. Re:Many mobile browsers do this. by Luckyo · · Score: 1

      It also didn't stop any of the serial killers or terrorists. I think you have much bigger worries than someone hacking your https connection if that is your measurement stick.

    15. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      That's true but what's your point? We're not comparing white collar crime with violent crime here. Nokia has opened a giant virtual lobby of ATM machines and disabled the cameras on them all. If someone were to point a gun to my head and force me to make a withdrawal, they'd never see!

    16. Re:Many mobile browsers do this. by ultranova · · Score: 1

      To be fair, it's only insecure if they're lying about it.

      It's insecure either way. Them actively lying about it makes them liars too, but even not lying is meaningless if the information is buried somewhere in an EULA bloated by legalese to the point where no non-lawyer can be expected to read or understand it.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    17. Re:Many mobile browsers do this. by bws111 · · Score: 1

      What good would that do? The traffic is still encrypted between the phone and the proxy, and the proxy and the 'real' destination.

    18. Re:Many mobile browsers do this. by Luckyo · · Score: 1

      Opera has the same giant virtual lobby for about a decade. Holy shit, they must have caused the credit crunch!

    19. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 1

      Which is fair enough for HTTP where there's limited expectation of privacy, but for HTTPS you expect only yourself and the server to be able to see the conversation.

      I don't give a frack about the time it takes to access my online bank account while on the move, as long as I can do so securely. Which means no possibility of a Nokia insider gaining access to either my passwords or my current login session key and using it to clear out my account or selling it onto someone who will. They've already got a mobile-optimised version anyway so I don't need the proxy to tune it further.

    20. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      But if anyone can do it, then it proves HTTPS is fundamentally insecure, and thus broken.

    21. Re:Many mobile browsers do this. by ta_gueule · · Score: 1

      Seriously, data being transferred to a proxy server is the least of your security concerns when you can't read the documentation that comes with your phone or can't read a feature list before buying it. This feature allows you to surf the internet on low bandwidth. There is no other option when you are on low bandwidth and people with low bandwidth and who know what a bandwidth and a proxy is expect it to be compressed via a proxy server. If you don't know what bandwidth or a proxy is, then you should ask your local techie or the man who sold you the phone.

    22. Re:Many mobile browsers do this. by stooo · · Score: 2

      >> This "security researcher" mentioned must be completely clueless if he didn't know that...

      Often security breaches are waiting wide open for someone to exploit them. This is the case here.
      Often security people point it out.
      Often clueless people say "it has been broken since years, don't worry"

      --
      aaaaaaa
    23. Re:Many mobile browsers do this. by Ksevio · · Score: 1

      Opera Mini is the one that loads data on a server and sends the simplified page to the device. Opera Mobile is the fully functional browser for mobile devices

    24. Re:Many mobile browsers do this. by DarwinSurvivor · · Score: 1

      If they are rendering content for you, they need the unencrypted traffic, so obviously there is some point on the line where A) The traffic is unencrypted or B) The traffic is encrypted with a certificate owned by the proxy (and thus sniffable).

    25. Re:Many mobile browsers do this. by Dahamma · · Score: 1

      HTTP and HTTPS are just protocols to retrieve data. Usually the same HTML data. It's about time, it's about capability. The tiny crappy phones (or really most phones with browsers more than 6-7 years ago) just couldn't render the average web site at ALL, let alone slowly.

      The point is this is NOT an insidious secret plot, this is a well established mechanism more than a decade old. The linked article did a bunch of useless work to "discover" something anyone who cared already knew.

    26. Re:Many mobile browsers do this. by Dahamma · · Score: 1

      He didn't point out anything anyone in the industry didn't already know. This was an intentional implementation more than a decade old, not some obscure security hole. Go look up "mobile web proxy", "mobile proxy browser", etc. (has also been used for many years on old set-top boxes).

      And Nokia's TOS says they don't collect any information. You could choose not to believe that, but if you don't believe any TOS from any company whose services you use, you don't need a web browser anyway.

      Where is the exploit here again?

    27. Re:Many mobile browsers do this. by loufoque · · Score: 1

      But you're not opening a SSL connection, the Nokia server does, then sends back the result to you.

    28. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      It may not technically be a MITM situation (attack or not), but it is most definitely worrying. If I log into my bank's website, and my browser indicates the connection is secured (with a lock or whatever), then I expect I just sent my login credentials to my bank, and no one else, not even Nokia's or Opera's website rendering farm. I can see how for slow connections or devices there can be a benefit here, but this needs to be optional and clearly indicated to the user that this is what's happening.

    29. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      Yes, also exactly why I always send sensitive data in plaintext, because prison will stop the criminals.

    30. Re:Many mobile browsers do this. by bws111 · · Score: 1

      Yes, but now you've moved from 'anyone with wireshark' to 'anyone with wireshark and access to the private key'. That is surely a much, much smaller group of people.

    31. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      No one is excusing what Opera has done, but at least they were a little more transparent. That's why I've never used their browser.

    32. Re:Many mobile browsers do this. by blackwizard · · Score: 1

      Not necessarily. That depends on the network topology and their server setup. The data might be going over an Ethernet connection in the clear at some point. And you wouldn't necessarily need direct access to the private key, either, depending on the setup (though if it was as secure as it could be, you'd need access to the machine the proxy is running on). No one is saying you can waltz into any Nokia office with your laptop and open up Wireshark. It'd have to be an inside job. And it's likely that the insider would get away with it, if they were careful.

    33. Re:Many mobile browsers do this. by maxwell+demon · · Score: 1

      No protocol can protect from someone having control of the end point.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    34. Re:Many mobile browsers do this. by gl4ss · · Score: 1

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

      the browser can't work without it in case of opera mini. it's not an acceleration feature - it's a feature how they managed to do such a fine browser in J2ME in the first place!

      --
      world was created 5 seconds before this post as it is.
    35. Re:Many mobile browsers do this. by Luckyo · · Score: 1

      Whoosh.

    36. Re:Many mobile browsers do this. by L4t3r4lu5 · · Score: 1

      So I guess there is no crime being committed, anywhere, by anyone, which is punishable by a prison sentence?

      It's a cost / benefit question. Is the benefit of hundreds of thousands of bank login details to sell worth the risk of prison? If yes, proceed to Go. If not, sit on your hands. For some people, the benefits only need to be slight.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    37. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 0

      Which is called .... ding ding ding .. ssl Stripping. I wrote an ssl stripper in the advanced internet security course at the Vienna University of Technology, which does more or less exactly that. Traffic goes through a proxy, the proxy connects to the website, removes all https links from the received html page, internally stores all https links found, serves the page stripped of all https links, and if requests are made to "http" links which are https links in reality, the proxy server connects to the original server via https etc etc (left out some crucial details for brevity). Classic picture-book ssl stripping.

    38. Re:Many mobile browsers do this. by coinreturn · · Score: 1

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

      No, it's not a MITM attack. From the sound of it, that's exactly how the browser was always intended to work. I haven't used the Nokia browser, but the Opera Mini "browser" isn't actually a browser properly speaking, it downloads everything onto Opera's servers, renders it, compresses it to an image file, and sends it to the phone (reduces bandwidth and CPU costs). It does this to HTTPS and HTTP connections alike (couldn't use HTTPS without it at all). I'm guessing that is exactly what the Nokia browser is doing too. There's no legal trouble with doing that, at least if they aren't recording the data (Opera doesn't, I'd assume Nokia doesn't either). FFS, Wikipedia lists the damned browser as a proxy-based one, as does Nokia's website. It's like being surprised your browser can see the passwords you type into a website. Can't be an "attack" if they publicly inform you that's how the thing works.

      And yet, if this were Apple doing it, the flames of hate would be enormous.

    39. Re:Many mobile browsers do this. by FuzzyDaddy · · Score: 1

      This is an important point. While I think what Nokia is doing is wrong, I have so little trust in the security of my phone that I would never dream of doing online banking or anything that sensitive on it. Especially with the various apps I've put on the phone.

      --
      It's not wasting time, I'm educating myself.
    40. Re:Many mobile browsers do this. by Archenoth · · Score: 1

      From Opera's policy:

      Privacy in Opera Turbo
        When Opera Turbo is enabled, the service will compress network traffic, thereby increasing download speed and reducing data volume. The service requests normal Web content through an Opera Software proxy server. Opera Turbo will exclude Web pages located on an intranet or by using secure connections (HTTPS). Opera collects IP addresses, usage patterns, and the point in time at which the service is used for the purpose debugging, maintenance, optimization of the service, or maintaining the customer relationship. Analysis of service usage is conducted by aggregating data, anonymizing individual identities.

      It doesn't touch HTTPS traffic.

      --
      The arch foe.
    41. Re:Many mobile browsers do this. by sdsucks · · Score: 1

      You do realize most malware works the way it is intended to right? That doesn't mean it's what the end user wants, or is aware is happening.

      This is simple - breaking SSL is wrong. There is no need to complicate it any further than that.

    42. Re:Many mobile browsers do this. by sdsucks · · Score: 1

      They shouldn't be doing it for HTTPS traffic, though.

      Exactly.

    43. Re:Many mobile browsers do this. by hkmwbz · · Score: 1

      It isn't broken. It's by design. Running the browser engine on a server is the only way old crappy phones can even run a browser.

      --
      Clever signature text goes here.
    44. Re:Many mobile browsers do this. by hkmwbz · · Score: 1

      Presumably they have data access rules, so that only authorized personnel have access to the servers performing the compression.

      --
      Clever signature text goes here.
    45. Re:Many mobile browsers do this. by hkmwbz · · Score: 1

      Did you actually look up what Opera is saying about it? Here you go.

      Sample quote:

      If you do not trust Opera Software, make sure you do not use Opera Mini to enter any kind of sensitive information.

      --
      Clever signature text goes here.
    46. Re:Many mobile browsers do this. by hkmwbz · · Score: 1

      Maybe you should read up on what Opera is actually saying before jumping to conclusions.

      Sample quotes:

      If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.

      If you do not trust Opera Software, make sure you do not use Opera Mini to enter any kind of sensitive information.

      --
      Clever signature text goes here.
  3. Quick note by Anonymous Coward · · Score: 4, Informative

    Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

    1. Re:Quick note by hawguy · · Score: 4, Funny

      Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

      Obviously, Microsoft is behind this to push users to Windows Phone.

    2. Re:Quick note by OffaMyLawn · · Score: 1

      But don't the Windows Phone models sold on Verizon have that Data Sense or whatever it is which pretty much does......exactly this to compress data usage?

    3. Re:Quick note by Wamoc · · Score: 2

      Data sense is to track how much you have used and limit some services when you are low on remaining data for the month. It does not look at the content of the data, just the amount and which app initiated it.

    4. Re:Quick note by quenda · · Score: 1

      Nor is it anything to do with Nokia Maps/Navigation directing cars away from congested roads.
      That would be interesting, They really should fix TFH.

    5. Re:Quick note by gl4ss · · Score: 1

      well yeah the wp browser doesn't support offloaded compression which is what this is used for..

      --
      world was created 5 seconds before this post as it is.
  4. httpS by etash · · Score: 0

    Well, if there is an S in the end, even if they use a proxy, they are not able to read the sensitive, or any data that is. However I doubt they would be dumb enough to even want to do such a thing, it must be something more innocent (for speeding up reasons?)

    1. Re:httpS by etash · · Score: 2

      Well, if I had RTFA-d I would have realized that they are indeed performing a real MITM, as https can't be really proxied without a MITM. My first post is kind of dumb, but I still don't think they are doing it for sniffing our details.

    2. Re:httpS by feld · · Score: 1

      Why can't they redirect https? It's their phone -- they can bake into the firmware to ignore bad certificates from their own proxy servers.

    3. Re:httpS by Above · · Score: 5, Informative

      Actually it may not be that simple without verifying the certificates.

      Many corporations for instance use products that look inside SSL streams (typically IM's) for sensitive data. The way they do this is to install a cert signed by the company on the proxy, and set the company's CA cert on your computer to always trust. Your machine makes a connection which is grabbed by the proxy, the proxy presents the valid corporate certificate. It then makes a connection off to the real service using SSL as well. Your basic man in the middle attack.

      For clients that don't show the cert (like many IM clients) there's no way to know, and on those that do the user would have to check. If they are trained to just look for the padlock it appears all is well.

      I can't tell if Nokia is doing something like that or not, but if you work at a big corporation you might want to check the cert fingerprints for say your bank and compare them to an access from home. I've been told the newer products can generate a cert per site on the fly, making the fake certs look correct (right company name and all of that). If your company is going to that length to spy on you, perhaps it's time to rethink your employer...
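
The fingerprint comparison suggested in the comment above, as an added example (not code from the commenter or from the article): record each site's leaf-certificate SHA-256 fingerprint on a network you trust, then compare against what a second network presents. The host names and certificate bytes below are constructed stand-ins so the comparison runs offline; `fetch_leaf_der` is what you would call against a real host.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Make fingerprints copied from different tools comparable."""
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the current network path presents for host.

    Validation is disabled on purpose: the goal is to record whatever
    certificate is presented, not to trust it. No application data is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(reference: dict, observed: dict) -> dict:
    """Compare observed certificates against reference fingerprints.

    reference: host -> fingerprint string recorded on a trusted network
    observed:  host -> DER bytes presented on the network under test
    Returns host -> "match" | "mismatch" | "no-reference".
    """
    results = {}
    for host, der in observed.items():
        expected = reference.get(host)
        if expected is None:
            results[host] = "no-reference"
        elif normalize(expected) == normalize(fingerprint(der)):
            results[host] = "match"
        else:
            results[host] = "mismatch"
    return results


# Constructed sample data: byte strings standing in for DER certificates.
HOME_BANK_DER = b"constructed: leaf certificate seen from the home network"
WORK_BANK_DER = b"constructed: proxy-minted certificate with the same subject name"
MAIL_DER = b"constructed: leaf certificate for an uninspected site"


def demo() -> dict:
    # Reference taken at home; lower-case, no colons, as some tools print it.
    reference = {
        "bank.example": fingerprint(HOME_BANK_DER),
        "mail.example": normalize(fingerprint(MAIL_DER)).lower(),
    }
    # What the network under test presented for the same hosts.
    observed = {
        "bank.example": WORK_BANK_DER,   # re-signed in transit
        "mail.example": MAIL_DER,        # passed through untouched
        "new.example": MAIL_DER,         # never recorded at home
    }
    return compare(reference, observed)


if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host:15} {status}")
```

A mismatch is a prompt to look at the issuer, not proof of interception on its own: sites rotate certificates and large ones serve several at once.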

    4. Re:httpS by jandar · · Score: 5, Informative

      Nokia has certificates pre-installed to make a man-in-the-middle attack. From the article:

      From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse.

      So this is the worst privacy nightmare.

    5. Re:httpS by Anonymous Coward · · Score: 0

      RTFA, they hijack certificate queries, plus it is all about Nokia phones which come with the necessary certs to perform a MITM attack without alert prompts. They get your full plaintext.

    6. Re:httpS by Anonymous Coward · · Score: 2, Insightful

      It's their phone

      No. It was their phone. Then they sold it to someone else.

    7. Re:httpS by timeOday · · Score: 3, Informative

      Nokia isn't "in the middle," they are the endpoint you are accessing. If that is compromised all bets are off. (Just like how https won't guard against a key logger installed in your keyboard).

    8. Re:httpS by vlm · · Score: 0

      It's their phone

      No. It was their phone. Then they sold it to someone else.

      LOL you probably think the government is "your government" or the real estate you rent from the state is "your property" too.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:httpS by Anonymous Coward · · Score: 0

      Well, the thing is they are going to that length, but only because I'm the one who made it possible, so maybe it's time for them to rethink my salary? Or should I be expecting exile to Soviet Russia?

    10. Re:httpS by Anonymous Coward · · Score: 0

      Really? The Americans are passing laws to ensure that even overseas customers are treated to the same degree of surveillance as a genuine American and Nokia's browser settings are your "worst privacy nightmare?"

      Facebook. There, now you have a _SECOND_ antichrist to deal with.

    11. Re:httpS by Anonymous Coward · · Score: 0

      Sigh... Are you brown too by the chance?

    12. Re:httpS by Baloroth · · Score: 1

      Nokia has certificates pre-installed to make a man-in-the-middle attack. From the article:

      You completely misunderstand how the browser in question works. The whole point of the browser is that it doesn't connect to websites directly. Hell, it probably can't (most likely doesn't have a full rendering engine included). It connects to Nokia's servers, which fetch the page, do some pre-rendering, then sends it to the phone itself. Opera Mini works the same way, and has for probably nearly a decade now. It's called a "proxy browser". Nokia's website specifically says that's how they work. Whether it is a privacy nightmare depends on whether you believe Nokia when they say they don't store the information (well, I assume they say that, I know Opera does). It's not an "attack" any more than your router is "attacking" your traffic by directing packets through itself.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    13. Re:httpS by CanHasDIY · · Score: 1

      It's their phone

      No. It was their phone. Then they sold it to someone else.

      HA!

      I take it you've never actually read a EULA or ToS?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    14. Re:httpS by hawguy · · Score: 1

      well if i had RTFA-d I would have realized that they are indeed performing a real MITM, as https can't be really proxied without a MITM. my first post is kind of dumb, but i still don't think they are doing it for sniffing our details.

      Even if you trust Nokia to not steal your private data, do you trust their network security enough to believe that someone else isn't stealing it? Everything you normally think of as private and sensitive is available through their proxy servers... seems like an awfully attractive target for thieves - why steal your credit card number when they can steal your online banking password and transfer all of your cash to themselves?

    15. Re:httpS by Anonymous Coward · · Score: 0

      mod parent up.

      See for example

    16. Re:httpS by Anonymous Coward · · Score: 0

      The whole point of the browser is that it doesn't connect to websites directly.

      The whole point of SSL is that it connects only to the server you requested, and encrypts the data so only that server can see it. Do you really think that Joe Sixpack has read Nokia's website before he logs into his bank?

      Seems like just another nail in Nokia's coffin...

    17. Re:httpS by fatphil · · Score: 4, Funny

      They are the middle and the endpoint. Without any proxying, you only have to trust their client on your terminal. With the proxy, you also have to trust their proxy on their server.

      Fortunately, no servers have ever been hacked, and nobody's ever written an insecure proxy, so that worry can be dismissed.

      --
      Also FatPhil on SoylentNews, id 863
    18. Re:httpS by Anonymous Coward · · Score: 0

      Wow, that's a pretty big whoosh for missing what's going on here.

      Especially given the GP.

    19. Re:httpS by Anonymous Coward · · Score: 0

      Eh?

      There's 3 parties here: me, the website I'm visiting, and the phone manufacturer.

      I can be the end-point and start-point - as can the website. At what part does the phone manufacturer have to have anything to do with that?

      *Disclaimer - I know (roughly) how Opera etc. work and therefore why this is a non-story really - but the suggestion that Nokia is the end point is bloody stupid and had to be countered.

    20. Re:httpS by bws111 · · Score: 1

      If you don't trust Nokia to handle this 'remote display' correctly, why do you trust them at all? How do you know they don't have keyloggers on your phone, or any other nefarious things that could be done?

    21. Re:httpS by Kjella · · Score: 1

      The whole point of SSL is that it connects only to the server you requested, and encrypts the data so only that server can see it. Do you really think that Joe Sixpack has read Nokia's website before he logs into his bank? Seems like just another nail in Nokia's coffin...

      Not really, nor do I expect him to read this story, nor understand it, nor care. The make or break for Nokia isn't going to be this, it's Win8. In two weeks they're publishing their Q4 figures and we'll know.

      --
      Live today, because you never know what tomorrow brings
    22. Re:httpS by Anonymous Coward · · Score: 0

      Both points of view are correct. The browser effectively straddles the phone and the proxy. While it is a well-meaning optimization and enabling strategy, it does open a can of worms wrt end-to-end privacy. It does make it easy for Nokia employees and government officials to eavesdrop on HTTPS traffic.

      I have worked with companies that deal with sensitive information like that. Mostly, the system administrators don't even have company guidelines to follow. It is pretty safe to assume that abuse is rampant.

    23. Re:httpS by vux984 · · Score: 1

      The whole point of SSL is that it connects only to the server you requested, and encrypts the data so only that server can see it.

      Not if you are using remote desktop. Then everything you do is sent via the RDP protocol to the browser on the terminal server, and then from there it is sent to the remote server.

      These phone mini "proxy" browsers are really not much different than using a "published application" from a terminal server.

      Do you really think that Joe Sixpack has read Nokia's website before he logs into his bank?

      How many people do you think have used a terminal or other remote session to access an ssl site without really thinking that everything was effectively being proxied through the company terminal servers, and that all their credentials and personal data and anything else that crossed the browser screen could easily be captured and logged by the company?

    24. Re:httpS by Anonymous Coward · · Score: 4, Informative

      No he hasn't. You've completely misunderstood.

      1) It's still a HTTPS connection, which means the browser still needs a valid certificate for the domain it is connecting to.
      2) There is no way the proxy can do any prerendering unless it can actually decrypt the stream.

      This means the proxy has to run two separate HTTPS connections phone->proxy and proxy->server. The proxy doesn't have the SSL certificate installed for the real website - so it has to generate its own one for the domain on-the-fly so that the phone doesn't display an error about invalid certificates. The ONLY way that can be done is for Nokia to have created their own Certificate Authority to sign these on-the-fly certificates and ships these phones with this certificate installed by default.

      a) You become entirely reliant that the proxy correctly checks the SSL certificate of the web server you're connecting to
      b) It will be unable to verify any certificates signed by any unknown CAs including ones you have created yourself for personal or corporate use
      c) If their CA private key is cracked/leaked all your phone HTTPS sessions are insecure (and it will be accessible to at least all Nokia sysadmins working on the proxy servers)
      d) Since the stream gets decrypted and reencrypted on the proxy as it prerenders, it is trivial to spy on or modify sessions there. It's completely different from a router forwarding encrypted packets without being able to look inside them.

      c & d mean you become extremely vulnerable to insider jobs or hackers attacking the proxies.

      This is exactly a man-in-the-middle attack, albeit a 'trusted' and 'innocent' one. But deliberately engineering such a system gives you a single point that you can attack to break every encrypted session for all Nokia phones!

      Real CAs have a lot of security systems in place to make sure the CA private key never gets leaked, since if it is the entire CA is broken and would need to be revoked and all certificates reissued. That means dedicated signing servers accessible by an elite select trusted few, and all other interfaces submitting CSRs and getting the CRT but never getting access to the signing key. That's simply not possible on this kind of proxy system, since every proxy server needs the private key installed and readable by the proxy software at all times. The sheer load means it wouldn't be possible to have a small group of servers signing every request, so you end up having to put a lot of trust in servers directly connected to the 'net.

      Whether they cache by default is irrelevant. Just because their system doesn't do it by design doesn't mean a hacker/insider couldn't modify it to do so. Plus if they have copied the server's private keys from the proxy then they only need to capture the HTTPS session to the phone on any network it passes through and will be able to decrypt it after-the-fact.
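The fingerprint comparison suggested earlier in the thread, combined with the per-site signing described in the comment above, as an added example that is not part of any comment: it compares certificates seen for the same hosts from two networks and reports when one issuer has replaced several different issuers. Host names, issuer names and certificate bytes are constructed placeholders, and the thresholds are assumptions.

```python
"""Compare TLS certificates seen from two vantage points (added example)."""
import hashlib
from collections import Counter


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()


def compare(reference, observed):
    """Return one finding per host whose certificate differs between networks.

    Both arguments map host -> (issuer name, certificate DER bytes).
    """
    findings = []
    for host in sorted(reference.keys() & observed.keys()):
        ref_issuer, ref_der = reference[host]
        obs_issuer, obs_der = observed[host]
        if fingerprint(ref_der) == fingerprint(obs_der):
            continue  # same certificate on both networks
        findings.append({
            "host": host,
            # A different leaf from the same issuer is often benign
            # (renewal, several certificates behind a CDN).
            "kind": "issuer-changed" if ref_issuer != obs_issuer else "same-issuer",
            "reference_issuer": ref_issuer,
            "observed_issuer": obs_issuer,
        })
    return findings


def interception_issuer(findings, min_hosts=2):
    """Name the issuer that replaced several *different* reference issuers.

    A CA that signs certificates on the fly shows up as one issuer for
    unrelated sites that normally use different CAs. Returns None if no
    issuer fits that pattern.
    """
    changed = [f for f in findings if f["kind"] == "issuer-changed"]
    counts = Counter(f["observed_issuer"] for f in changed)
    if not counts:
        return None
    issuer, hosts = counts.most_common(1)[0]
    replaced = {f["reference_issuer"] for f in changed
                if f["observed_issuer"] == issuer}
    if hosts >= min_hosts and len(replaced) >= 2:
        return issuer
    return None


# Constructed sample data. The byte strings stand in for DER certificates.
HOME = {
    "bank.example": ("Constructed Public CA A", b"bank-leaf-home"),
    "mail.example": ("Constructed Public CA B", b"mail-leaf-home"),
    "shop.example": ("Constructed Public CA A", b"shop-leaf-home"),
    "cdn.example":  ("Constructed Public CA B", b"cdn-leaf-edge-1"),
    "news.example": ("Constructed Public CA A", b"news-leaf"),
}
OFFICE = {
    "bank.example": ("Constructed Proxy CA", b"bank-leaf-minted"),
    "mail.example": ("Constructed Proxy CA", b"mail-leaf-minted"),
    "shop.example": ("Constructed Proxy CA", b"shop-leaf-minted"),
    "cdn.example":  ("Constructed Public CA B", b"cdn-leaf-edge-2"),
    "news.example": ("Constructed Public CA A", b"news-leaf"),
}

if __name__ == "__main__":
    results = compare(HOME, OFFICE)
    for f in results:
        print(f["host"], f["kind"], f["observed_issuer"])
    print("suspected signing CA:", interception_issuer(results))
```

A fingerprint difference alone proves nothing, which is why the check looks for one issuer standing in for several.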

    25. Re:httpS by alexibu · · Score: 1

      Security researchers would have an opportunity to detect the data coming out of a key logger etc. There is no opportunity to detect the nefarious things if they are all on Nokia's servers.

    26. Re:httpS by epyT-R · · Score: 1

      software that does not use the OS cert store or SSL lib should still be immune to this. Someone would have to set the software to trust the proxy cert. If not, there's no way for the proxy to decrypt the payload. The solution is to use a real browser that doesn't use nokia's openssl/gnutls.

    27. Re:httpS by pod · · Score: 1

      Whether they cache by default is irrelevant. Just because their system doesn't do it by design doesn't mean a hacker/insider couldn't modify it to do so.

      Except they almost certainly log the access information (URL, date, etc), and cache the rendered images, at least _sometimes_, you know, for debugging purposes.

      This is tailor made for a man in the middle attack. An insider can spy on any user at will, and most likely without leaving a trace.

      --
      "Hot lesbian witches! It's fucking genius!"
    28. Re:httpS by Anonymous Coward · · Score: 0

      They *could* be using a distinct intermediate CA for signing on each proxy node, complete with an attached HSM to protect the private key meaning that even if the private key were to be compromised it's only a single inter which would need revocation, not the entire CA. Alternatively they might have a cluster of networked HSMs on a high performance back-end network to perform signing. It's ALWAYS best practice to keep your root CA locked away, offline, preferably with the key material split over several smart cards in a 2 of 3, or 3 of 5 parity fashion. Your issuing CA should be an intermediary whose compromise doesn't blow the whole game.
       
      But I doubt Nokia are doing anything as prudent as that. Meh.

    29. Re:httpS by fatphil · · Score: 1

      Sheesh, ignore the witty final comment - the above is informative, not funny.

      --
      Also FatPhil on SoylentNews, id 863
    30. Re:httpS by Anonymous Coward · · Score: 0

      That's simply not possible on this kind of proxy system, since every proxy server needs the private key installed and readable by the proxy software at all times. The sheer load means it wouldn't be possible to have a small group of servers signing every request, so you end up having to put a lot of trust in servers directly connected to the 'net.

      If this was designed reasonably (and I have no idea if it was), it seems like they should use a "Nokia Root CA" that's trusted by the mobile devices. That would be kept share-split, air-gapped, in hardware tokens, whatever. It would then sign separate certs that would be installed on the proxies. So they'd still have the ability to revoke those certs, just as any CA can revoke a bogus "microsoft.com" cert they issued.

      They may want another layer of indirection in there for operational reasons, but that doesn't change the point. It also doesn't matter if the proxies are acting as endpoints for both sides--where the browser knows it's talking to a proxy and no spoofing is necessary--or as a MITM proxy generating certs for "google.com", etc. All that changes there is whether the certs for the proxy servers need to allow signing more certs or not.

      Plus if they have copied the server's private keys from the proxy then they only need to capture the HTTPS session to the phone on any network it passes through and will be able to decrypt it after-the-fact.

      This varies depending on the cipher used. This property is called Perfect Forward Secrecy and you find it in the DH cipher suites. The Wikipedia article suggests it's not deployed much in practice, and I'd bet the odds are lower on a mobile device (because it has a slower CPU).

  5. Opera Mini is supposed to be proxied by Anonymous Coward · · Score: 5, Informative

    The whole point of Opera Mini is to use Opera's proxies to reduce the load on the phone so complaining about that would be stupid (their other browser, Opera Mobile, is the one that doesn't use proxies). Is Nokia's browser expected to do the same as Opera Mini? (that they use the same user agent may imply so)

    1. Re:Opera Mini is supposed to be proxied by MrWeelson · · Score: 5, Informative

      Exactly!
      From http://www.opera.com/mobile/specs/

      "Opera Mini always uses Opera’s advanced server compression technology to compress web content before it gets to a device. The rendering engine is on Opera’s server."

      On the Nokia website it states outright that "Compressed pages mean lower data charges" http://www.nokia.com/gb-en/products/phone/302/

    2. Re:Opera Mini is supposed to be proxied by Anonymous Coward · · Score: 0

      Opera Mobile, when Turbo is enabled, will also make use of that proxy to a limited degree. This is to reduce the data amounts transferred via various means, including recompression of images using WebP. The same service can be enabled on the Opera desktop browser, btw.

      ovo -Hoot

    3. Re:Opera Mini is supposed to be proxied by Anonymous Coward · · Score: 0

      That would be a feature of the phone that could be utilized by your ISP, not by Opera. Why the fuck should your browser vendor or phone manufacturer be providing that service? Particularly, why do they include a non uninstallable intermediate certificate that allows Opera or Nokia to redirect all your traffic, non-encrypted and encrypted to their servers, and not your ISP? Can you opt-out? No. Then it's spyware, plain and simple.

    4. Re:Opera Mini is supposed to be proxied by jez9999 · · Score: 1

      Except that my mobile phone plan includes all-you-can-eat data. :-) What do you have to say about that, Nokia?

    5. Re:Opera Mini is supposed to be proxied by Lehk228 · · Score: 1

      if it's like blackberry's compression it also means more responsive web access when in an area with a weak signal (my job has weak to no cell reception in many places for all carriers, including near my desk, i can still use my Bold 9700 on the web, my co workers with blackberry phones can still use the web, the ones with androids and iphones often cannot)

      --
      Snowden and Manning are heroes.
    6. Re:Opera Mini is supposed to be proxied by Anonymous Coward · · Score: 0

      On the Nokia website it states outright "all encrypted https data is decrypted and passed through our servers without any notification to the user"?

      Oh, wait they're selling the advantages not mentioning the security implications.

    7. Re:Opera Mini is supposed to be proxied by gl4ss · · Score: 1

      Except that my mobile phone plan includes all-you-can-eat data. :-) What do you have to say about that, Nokia?

      wtf are you doing with a 3rd world phone then?

      --
      world was created 5 seconds before this post as it is.
    8. Re:Opera Mini is supposed to be proxied by maxwell+demon · · Score: 1

      You know something has gone wrong with the web when prerendering reduces the amount of data transmitted.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    9. Re:Opera Mini is supposed to be proxied by sdsucks · · Score: 1

      Sure, but the real problem is that they are not explicitly telling the end user that this includes SSL traffic.

      After the ecommerce industry spent the last 15 years trying to tell everyone to trust SSL, perhaps it would be a good idea to notify users when your application is BREAKING THAT TRUST (which is exactly what is happening here).

    10. Re:Opera Mini is supposed to be proxied by hkmwbz · · Score: 1

      You do realize that it's impossible for Opera Mini to work without a proxy, and the only reason it works on dumbphones is that the rendering engine is on a server? Spyware? No, just a thin client on the phone which lets even old and crappy phones show modern web pages

      --
      Clever signature text goes here.
    11. Re:Opera Mini is supposed to be proxied by hkmwbz · · Score: 1

      Nokia would probably say that mobile networks are often slow and crappy. Even with an unlimited data plan, you'll get much faster speeds by using a compression proxy.

      --
      Clever signature text goes here.
  6. Opera's proxy is known. by Anonymous Coward · · Score: 1

    It's a feature. You can enable it, or not.

    1. Re:Opera's proxy is known. by Anonymous Coward · · Score: 1

      Not technically correct.

      The Opera Mini browser requires the use of the proxy. You can install Opera to avoid this, but it's not a simple toggle in the settings menu.

    2. Re:Opera's proxy is known. by ericloewe · · Score: 1

      I'm relatively sure Nokia's browser has the same feature, as they announced (if I'm not imagining it) some time ago.

      Nothing to see here, move along...

    3. Re:Opera's proxy is known. by gl4ss · · Score: 1

      the full mobile opera allows use of the accelerator as a simple toggle, desktop version as well.
      also you can get around some regional blocks with it !

      opera mini is j2me and requires the proxy to function.

      --
      world was created 5 seconds before this post as it is.
  7. Interesting SSL behavior by mveloso · · Score: 2

    Nokia also seems to have allowed MITM attacks using its own cert - the Nokia proxy is returning a nokia cert, which is trusted by the OS. Plus they're suppressing hostname checks on Nokia certs as well. You'd think they would have just sprung for a wildcard cert.

    1. Re:Interesting SSL behavior by Kalriath · · Score: 1

      No, because the wildcard character may only be in the leftmost part of the CN component of the certificate. A certificate issued to "*" would be completely invalid for all purposes.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Interesting SSL behavior by feld · · Score: 1

      you can't buy a wildcard cert that is wildcard for everything

    3. Re:Interesting SSL behavior by mveloso · · Score: 1

      You can buy a wildcard for *.browser.ovi.com, which was the point of my comment. They're suppressing hostname checking on their own domain, not on the internet. RTFA.

    4. Re:Interesting SSL behavior by tepples · · Score: 2

      You can if you have your root certificate installed in your end users' devices, and your proxy generates a new certificate for each hostname that is accessed.

    5. Re:Interesting SSL behavior by Anonymous Coward · · Score: 0

      Yes, but it's up to the client to validate the CN of the certificate against the resource accessed. If you wrote the client all bets are off.

      I could write a browser that always says that the connection is 100% secure if the server certificate is for MAN.IN.THE.MIDDLE.nokia.com. In fact, I could write a browser, that when it connects through HTTPS and gets my MITM certificate downloads the correct certificate and shows that one to the user but uses the MITM cert instead.

      It's a bit like telling Alfred to dial up the number for your bank and having him just hand you a handset. You ask him who he dialed and he'll tell you it was your bank when really it's his eastern European crime partners who are now emptying your bank account into theirs.

    6. Re:Interesting SSL behavior by Anonymous Coward · · Score: 0

      They're not suppressing hostname checks - if you actually examine the certificate yourself, you'll see there are SubjectAlternativeName fields for "cloud1.browser.ovi.com" through to "cloud13.browser.ovi.com".

    7. Re:Interesting SSL behavior by Kalriath · · Score: 1

      Actually, I just checked and TFA is completely wrong. The certificate issued to cloud1.browser.ovi.com has subject alternate names for cloud1 - cloud13. Which means it is perfectly valid, and there is no dodginess occurring at all.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
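The naming rules argued over in this sub-thread (a wildcard only as the leftmost label, a bare "*" matching nothing, and a SubjectAlternativeName list running from cloud1 to cloud13), written out as an added example that is not part of any comment. The policy is a deliberately strict one chosen for this example: partial-label wildcards and wildcards directly under a top-level label are refused.

```python
"""Hostname check a TLS client applies to a certificate's DNS names (added example)."""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the host the client asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h:
        return False  # empty name or empty label
    if any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the leftmost label
    if "*" in p[0]:
        # Strict policy (assumption of this example): the wildcard must be
        # the whole leftmost label and be followed by at least two labels,
        # so "*", "*.com" and "cloud*.example.org" are all refused.
        if p[0] != "*" or len(p) < 3:
            return False
        # A wildcard stands for exactly one label, never zero or several.
        return len(h) == len(p) and h[1:] == p[1:]
    return p == h


def verify_hostname(dns_names, hostname):
    """Return the first certificate name that covers hostname, else None."""
    for name in dns_names:
        if name_matches(name, hostname):
            return name
    return None


# SubjectAlternativeName entries as described in the thread: cloud1 .. cloud13.
OVI_SANS = [f"cloud{i}.browser.ovi.com" for i in range(1, 14)]

if __name__ == "__main__":
    for host in ("cloud1.browser.ovi.com", "cloud13.browser.ovi.com",
                 "cloud14.browser.ovi.com", "bank.example"):
        print(host, "->", verify_hostname(OVI_SANS, host))
    # A wildcard certificate for the proxy domain covers the same hosts,
    # but still never covers an unrelated site.
    print(name_matches("*.browser.ovi.com", "cloud1.browser.ovi.com"))
    print(name_matches("*.browser.ovi.com", "bank.example"))
```

A certificate that passes this check for the proxy's own host names says nothing about the sites fetched behind the proxy; the client never sees those certificates.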
  8. ISPs can do the same thing. by 140Mandak262Jamuna · · Score: 2

    Technically all ISPs can do it. Right? Or am I wrong, and what Nokia does is far more sinister than what a plain vanilla ISP can do to home internet connection?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:ISPs can do the same thing. by Anonymous Coward · · Score: 5, Informative

      Wrong. It requires the ISP to plant a certificate on your system that is used to perform the MITM attack. Never install software from your ISP is my motto.

      AC

    2. Re:ISPs can do the same thing. by jeti · · Score: 1

      No. You would have to run a browser that accepts the certificate of the ISP for any domain as well.

    3. Re:ISPs can do the same thing. by Rob+Riggs · · Score: 1

      Anyone that provides the hardware and software from which you access the web can do this. My work does it. Your local library can do it. The internet access kiosks can do it. Any device manufacturer can do it. Those cheap Android computers-on-a-stick can do it. Your TV can do it. It's a real problem because people trust the devices they use. If you cannot trust the device, you are royally screwed.

      --
      the growth in cynicism and rebellion has not been without cause
  9. This isn't exactly a secret by CockMonster · · Score: 4, Informative

    Asha phones are intended for developing countries where bandwidth can be limited and expensive. They talk about it here http://www.developer.nokia.com/Develop/Series_40/Nokia_Browser_for_Series_40/

    1. Re:This isn't exactly a secret by sdsucks · · Score: 1

      It doesn't matter if it's a secret - the user must be explicitly and repeatedly informed this is happening for SSL connections.

      THE LINK YOU POSTED DOES NOT EVEN MENTION SSL. BIG DIFFERENCE, NO?

  10. https tunneling by Anonymous Coward · · Score: 0

    Proxies which handle https do not decrypt the traffic, they simply tunnel it. And proxies, even transparent ones, don't hijack anything. What if Nokia's proxy was transparent - would a "security professional" complain then? Sounds more like a case of "manic paranoiac" than "security professional".

  11. News? by Anonymous Coward · · Score: 1

    Opera mini and similar J2ME browsers for underpowered phones have always worked like that.
    And the 'cloud' browser from Amazon works like that too.
    It's admittedly not great and you have to hope that the Opera, Nokia or Amazon guys know what they are doing...
    But usually when you are using a computer to access your bank, you have to trust quite a number of people:
    - all the Certificate Authorities in the world as any of them could issue a fake certificate that looks like your bank and you likely would not notice
    - the browser developers and they are pushing updates all the time so you could get a fake update today to hack you, another one to mask the hack tomorrow.
    - the OS developers
    - the driver developers as most drivers have some privileged access
    - the bank's IT guys
    - the bank's service providers and hosting company

    Finally, if you use your work computer to access your bank you have to add your IT team and they might have a proxy that opens your SSL traffic (they just need to add their CA to your browser and they can intercept everything and make it look like it's normal...)

  12. If ever ... by briancox2 · · Score: 1

    If ever there was a case for Free Software on mobile devices, this is it. Thank God Ubuntu, Android and Tezin exist to disrupt the ole Microsoft/IBM/Apple oligarchy!

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
    1. Re:If ever ... by aztracker1 · · Score: 1

      You don't think this is possible on Android, etc? Any vendor can modify the distributed OS to do something similar with the default browser.. and even at the OS level. Doesn't the OS control DNS and certificate services in mobile...

      --
      Michael J. Ryan - tracker1.info
    2. Re:If ever ... by briancox2 · · Score: 1

      But isn't it always possible (once rooted) to wipe the OS on an Android phone and put a cleaner freer version of Android on it? I may be mistaken but I thought it was usually possible. I always have. And I've never heard of that being possible on a Windows phone.

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.
  13. Similar to BIS? by Anonymous Coward · · Score: 1

    It seems like when using my BlackBerry connected to BIS (AT&T) it has certificates installed for my wireless provider and content is going through their servers. My understanding was that the BIS was doing some translations to make the content suitable for the BlackBerry browser, but I imagine they could intercept anything and I wouldn't have been alerted about it.

    I always wondered why BlackBerry was considered so secure given this...

    Yep, checking the phone now, there they are in the cert list:
    us.cingular.midp20.FullTrust
    us.cingular.midp20.SemiTrust
    us.cingular.midp20.Trusted3rd

    If I distrust them I get untrusted cert warnings trying to visit google.com using https. If I trust them again, everything works smoothly.

    1. Re:Similar to BIS? by tlhIngan · · Score: 1

      It seems like when using my BlackBerry connected to BIS (AT&T) it has certificates installed for my wireless provider and content is going through their servers. My understanding was that the BIS was doing some translations to make the content suitable for the BlackBerry browser, but I imagine they could intercept anything and I wouldn't have been alerted about it.

      I always wondered why BlackBerry was considered so secure given this...

      Because the security is not in BIS. But B*E*S. For BES, the BlackBerry establishes a unique keypair that only the BES server (located in your company datacenter) and your phone knows. All communications take place through BES, so the link between BES, the internet, RIM, the WWAN and your phone are encrypted with keys that only the two know and neither RIM nor your carrier can decrypt the data. It only hits the clear inside the company.

      For BIS, the situation is different since most protocols are unencrypted and you'll be talking to the "public" equivalent of BES, or BIS, which is run by your carrier. Hence you needing those certificates so your carrier's BIS server can handle the traffic.

  14. My employer just started doing this also. by codewarren · · Score: 3, Insightful

    Doesn't this open them up to all kinds of legal problems? I mean if my bank account gets compromised after I use my nokia phone to check my balance, would I not have a pretty good cause for lawsuit?

    1. Re:My employer just started doing this also. by Anonymous Coward · · Score: 0

      Yes

    2. Re:My employer just started doing this also. by geek · · Score: 0

      Its a flagrant HIPPA violation. If you were to check your medical records online and your employer has the ability to see them, they are in big trouble.

    3. Re:My employer just started doing this also. by codewarren · · Score: 2

      I have username envy.

      That is a fascinating idea, but according to this story about who HIPAA applies to, employers are rarely subject to HIPAA except under some specific circumstances.

    4. Re:My employer just started doing this also. by geek · · Score: 0

      Articles are one thing. I work with it every day. My boss even has a little slide chart that the HIPPA folks gave him showing us what we can and can't do. We went over this exact issue just a couple months ago while deploying Zenprise and we nixed it based on HIPPA.

    5. Re:My employer just started doing this also. by DragonWriter · · Score: 1

      Its a flagrant HIPPA violation.

      You mean HIPAA? Please point to the provision violated.

      If you were to check your medical records online and your employer has the ability to see them, they are in big trouble.

      If your employer knowingly obtains your medical records, they are in big trouble under 42 USC 1320d-6. If they are able to see them through someone else's choice of sending them over a channel exposed to the employer, I don't see any provision of HIPAA that would apply to them.

    6. Re:My employer just started doing this also. by fivizzano · · Score: 1

      For HTTPS traffic regarding explicitly "private communications" under current law it is illegal, and certainly banks or any company transmitting reserved information will react badly. Nokia is taking full legal responsibility for acting willfully and WITHOUT explicit customer's consent /disclosure of their actions ... translated I smell COLOSSAL lawsuit areas here....

  15. Traffic is *supposed to* be proxied. by zyzko · · Score: 4, Informative

    For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since dawn of time) is that they use proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page showing how the browser works.

    The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone<->proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

    1. Re:Traffic is *supposed to* be proxied. by RearNakedChoke · · Score: 1

      For heaven's sake, RTFA. They ARE using MITM.

    2. Re:Traffic is *supposed to* be proxied. by Derek+Pomery · · Score: 2

      You don't need client side certificates to be sure in a normal situation that your traffic isn't being hijacked by the ISP.
      You only need confidence that the CAs aren't issuing certs for the site you are connecting to, which is why when TURKTRUST issued a cert for google it was Big Deal.

      In this case, they are using preinstalled certs on the local browsers to perform MITM when connecting to supposedly secure sites, such as your bank.

      Some workplaces do this sort of cert preinstallation to allow snooping on SSL traffic passing through their proxies. Obviously same solution as with Nokia. If you don't like your private information passing in the clear through some random server controlled by your ISP or employer, quit.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:Traffic is *supposed to* be proxied. by miroku000 · · Score: 5, Informative

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      This is *not* how SSL is supposed to work. Any certificate authority that is forging certificates for other people's web servers is not one that should be trusted. Essentially, Nokia is lying to the web browser and saying that they are actually Amazon.com or whoever you are making a secure connection with. By fraudulently representing that they are Amazon.com or whoever, they are intercepting your passwords to these sites. Client side certificates would not help in this case because the client is controlled by Nokia. So, they would have a copy of your client side certificates as well.

    4. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      Opera Mini and Opera Mobile have done this since day one, for Christ's sake!

      Is there any end-to-end security between my handset and — for example — paypal.com or my bank?
      Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the webpage. Therefore no end-to-end encryption between the client and the remote web server is possible.

      If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.

      http://www.opera.com/mobile/help/faq/#security

    5. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      Nonsense. You don't have to verify both ends of the connection, because you are one of the ends. Client-side certificates are so that the server can verify you.
      Having a rogue CA certificate from Nokia on your 'phone to circumvent the verification, is most certainly not how TLS is supposed to work.

    6. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      You don't need client side certificates to be sure in a normal situation that your traffic isn't being hijacked by the ISP.

      You need the CA certificates, which are client-side certificates. Those must be preinstalled if you desire to trust any connection at all.

    7. Re:Traffic is *supposed to* be proxied. by Derek+Pomery · · Score: 1

      That seemed so obvious that I interpreted him as referring to:
      http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Client-authenticated_TLS_handshake

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    8. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      Did you even read his comment or was the whining like a little bitch about "RTFA" just a Slashdot reflex?

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate

    9. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      Uh, no, that's not how SSL is supposed to work... proxies are supposed to pass the encrypted packet unopened so that the server/client authentication is being done directly between the real server and real client.

      Putting a MITM for HTTPS proxying also serves no real purpose for most sites, and by concept HTTPS traffic is usually items that are unique to an individual, so there is no use adding them to a common cache. So it doesn't help reduce bandwidth, which is a legitimate use of a proxy. As for 'reshaping' the data... see #4 below...
      So there are a couple huge possibilities from doing this... all bad:
      1- Obvious one: Nokia has access to all your personal info
      2- User has no way to verify that the actual site being connected to is correct, they are now trusting that the proxy is validating the server certificate. What happens when you visit an HTTPS site on a Nokia phone which has an invalid cert????
      3- Nokia's browser obviously isn't presenting to you that the certificate you are being presented isn't for the site you are visiting. (https://www.google.com returns a certificate from cloud1.browser.ovi.com). What happens when the -actual- server being visited is a spoof server and presents the proxy with "www.malware.com" as a certificate?? Is that passed? (similar to the above I admit, but this part of the problem now makes SSL sites more vulnerable to a DNS hijack)
      4- If the proxy is reducing data by modifying the returned page, they are disturbing the integrity of the supposedly secured document, maybe not an issue with a logo JPG, but is a dangerous slope. Digitally signed documents are considered legally valid.
      5- Legally, Nokia is now assuming all responsibility for the integrity of ALL data being presented via SSL, who knows what kind of lawsuits some team of lawyers will come up with. If their servers get fooled and present malware, the user is perfectly legit to hold Nokia responsible for providing bad data.

      All modern (desktop) browsers give the user the opportunity to manually inspect the certificate of their SSL connections, obviously the Nokia browser does not. (Edit... looks like Safari on the iPhone doesn't either, it only presents a "lock" icon, which is annoying)

    10. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      This should be the top comment.

    11. Re:Traffic is *supposed to* be proxied. by Derek+Pomery · · Score: 1

      Indeed, that iPhone behaviour was very irritating to me when I was travelling, and borrowed my SO's 1st gen iphone to connect to my home server to check e-mail. There was no way whatsoever to inspect the certificate, so I just had to hope the people running the network weren't evil.
      Now I have an Android phone of my own, and can just run Firefox on it (love the Sync feature - saves so much time on moving browsing session from computer to phone, and when entering passwords).

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    12. Re:Traffic is *supposed to* be proxied. by rwyoder · · Score: 1

      For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since the dawn of time) is that they use a proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page showing how the browser works.

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      Wrong!!! This is a MITM attack. SSL is *not* supposed to be hacked between client and server. There is supposed to be an encrypted, unbroken path between the two, else there is *no* security.

    13. Re:Traffic is *supposed to* be proxied. by Lehk228 · · Score: 1

      the nokia browser lives on both the phone and the proxy server, this is an advertised feature. it is not controversial for them to reencrypt the page on the way to your phone so that they are not weakening your security between phone and server

      --
      Snowden and Manning are heroes.
    14. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      For heaven's sake [that's] how the browser works.

      For heaven's sake, maybe it shouldn't work like that. The problem is very real -- sensitive data is accessible in plaintext to the MitM. It is understandable why this clever trick was used but it doesn't automatically make it acceptable.

    15. Re:Traffic is *supposed to* be proxied. by Anonymous Coward · · Score: 0

      Agreed, but maybe the client is the thing in your hand plus the proxy at Nokia that makes it perform well.

      As long as they say up front that you are getting X in exchange for less security, then it's buyer's choice as to which handset to get.

      At work, the IT folks do this all the time so they can scan for attacks inside HTTPS wrappers.
          I'm not sure if in this case X = in that I have to trust the IT folks, but not the bad guys at the other end of the HTTPS connection on a strange web site.

    16. Re:Traffic is *supposed to* be proxied. by peppepz · · Score: 1

      6 - This is not "https proxying" at all, but you are at one end of a "remote desktop" session between your phone, which does not have html rendering capabilities, and the remote machine at Nokia that does the rendering, which obviously would not have any chance of doing its job if it hadn't access to the unencrypted data.

    17. Re:Traffic is *supposed to* be proxied. by sdsucks · · Score: 1

      Exactly.

      This breaks the trust in SSL (yes, SSL is already full of flaws, but it doesn't help anything to intentionally break it further).

  16. Do any of the other manufacturers do this? by ohnocitizen · · Score: 1

    Nokia is now the devil we know. Is anyone else pulling a similar stunt?

    1. Re:Do any of the other manufacturers do this? by Anonymous Coward · · Score: 0

      Traffic compression for developing countries! Who the hell do they think they are?

    2. Re:Do any of the other manufacturers do this? by Anonymous Coward · · Score: 0

      T-Mobile.
      Not a manufacturer, and they don't seem to have installed certs, but ANY https site I go to through T-Mo has an invalid cert.
      And don't get me started about trying to use them for technical docs/images...that all get recompressed with really crappy jpg quality settings.

    3. Re:Do any of the other manufacturers do this? by fredprado · · Score: 1

      Proxies, yes. MITM, not that I know.

    4. Re:Do any of the other manufacturers do this? by Anonymous Coward · · Score: 0

      In November 2012, the consumer base of the Opera Mini and Opera Mobile browsers increased in unique users. In all, more than 215 million people used Opera Mini or Opera Mobile in November. The Opera Mini servers (which do not process pages from Opera Mobile browsers) served more than 130 billion pages and compressed over 11 petabytes of data for Opera Mini users. More than 31% of the total users of Opera Mini and Opera Mobile are using smartphones to browse the web. Compared to November 2011, the total number of Opera Mini and Opera Mobile users grew more than 92% year over year.

      In November 2012, there were over 215 million Opera Mini and Opera Mobile users. Out of this number, more than 20 million were Opera Mobile users, and the rest were Opera Mini users. Compared to November 2011, Opera Mini and Opera Mobile combined grew more than 29% year over year.

      Opera Mini users viewed over 130 billion pages in November 2012. Since November 2011, page views have increased by more than 47%.

      In November 2012, Opera Mini users generated over 2.4 billion MB of data for operators worldwide. Data in the Opera Mini browser is compressed by up to 90%. If this data were uncompressed, Opera Mini users would have viewed over 11 petabytes of data in November. Since November 2011, data traffic has risen by more than 72%.

    5. Re:Do any of the other manufacturers do this? by aztracker1 · · Score: 1

      Wild.. haven't seen this myself, running a stock Nexus 4 bought directly from Google though...

      --
      Michael J. Ryan - tracker1.info
    6. Re:Do any of the other manufacturers do this? by Anonymous Coward · · Score: 0

      Wild.. haven't seen this myself, running a stock Nexus 4 bought directly from Google though...

      Uhm.. This is a feature of certain browsers, to save bandwidth and increase speed on slow connections. Opera Mini certainly will do this on Google Android phones too.

  17. Isn't PKCS supposed precisely to counter MITM? by Anonymous Coward · · Score: 0

    I was under the impression that PKCS were precisely conceived such that it was possible to establish a secure connection between two parties which didn't exchange in advance any information?

    How does TLS / SSL work? Isn't it a PKCS?

    Lastly: what is the point of TLS / SSL if anyone can exploit the very thing TLS / SSL tries to solve!?

  18. Yup. by Andy+Prough · · Score: 5, Informative

    Anyone who didn't realize Opera Mini was rerouting data for compression on their servers just didn't look into it before downloading and using it. It's a "feature" - supposed to get you faster browsing. Worked pretty well for me when I had it on a 3G Blackberry.

    1. Re:Yup. by Anonymous Coward · · Score: 0

      So, if it's the default browser, should they look into it too? And the source code? And the OS code?

      Anything else?

      Unless this warns you up front, this is fundamentally wrong.

    2. Re:Yup. by Andy+Prough · · Score: 1

      Kindle Fire does it in its default browser. You aren't so much "warned" as they push it as a "feature", I suppose.

    3. Re:Yup. by gl4ss · · Score: 1

      opera mini warned you front up, if you cared. with opera mini it was the entire point of the whole application that rendering was dumped to opera's servers (it translates it to a stripped form of proprietary html like code).

      the new nokia browser's entire selling point why it's better than the old was the transcoding servers as well. old news and a non-story. in some countries you might prefer this too...

      http://en.wikipedia.org/wiki/Nokia_Asha_311 Web: Nokia (proxy) Browser for Series 40.

      --
      world was created 5 seconds before this post as it is.
  19. So, check your certificates by PPH · · Score: 1

    Make sure that the certificate fingerprints agree with those obtained through some alternate channel (another browser on another system through a different ISP, etc.).

    If they agree, this is all a non issue. It's not likely that a certificate replaced by a MITM attack would generate the same hash as the original.

    --
    Have gnu, will travel.
    1. Re:So, check your certificates by Anonymous Coward · · Score: 0

      Unless you wrote your own browser, it doesn't matter what the certificates say. The browser can choose to ignore them.

    2. Re:So, check your certificates by Anonymous Coward · · Score: 0

      this was the biggest issue i always had with SSL based VPN's... ikeV2 to the rescue

  20. This does not show a man in the middle attack by Anonymous Coward · · Score: 0

    There's nothing here that shows a man in the middle attack. The author needs to show at least the following:

    * The phone received a fake certificate that appears to be from google but is not. That can be done by comparing the fingerprint of the cert received by the phone with the fingerprint from a known good google certificate.

    * The phone trusts the fake certificate because the fake is signed by a fake root certificate pre-installed on the phone.

    All the blog post shows is the phone made an https connection to a proxy server and received a valid certificate for that proxy server (NOT a fake google certificate).
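The check proposed in comments 19 and 20 above, written out as an added example (not part of any poster's comment and not Nokia's or Opera's code): it compares the certificate a device received with a reference copy fetched over an independent channel, and separates "a different certificate that still claims the site" from "a certificate for some other host". Function names, verdict strings and sample data are assumptions made for illustration; the hostnames are the ones quoted in the thread.

```python
import hashlib


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, shown as colon-separated hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def names_from_peercert(cert: dict) -> list:
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert():
    subjectAltName entries win; commonName is only a fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' counts only as the entire left-most label
    and never spans dots; patterns such as '*.com' are refused."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def classify(host: str, seen_der: bytes, seen_cert: dict,
             reference_der: bytes) -> str:
    """Verdict for one connection made by the device under test."""
    if fingerprint(seen_der) == fingerprint(reference_der):
        return "same-certificate"
    if any(name_matches(n, host) for n in names_from_peercert(seen_cert)):
        # A different certificate that still claims the host: either another
        # certificate the site really uses (rotation, several front ends) or
        # a substitute signed by a root the device trusts. Inspect the issuer.
        return "different-certificate-claiming-host"
    # The certificate names another party: TLS ends there, not at the site.
    return "terminates-at-other-host"


# Constructed sample data. The byte strings stand in for DER blobs (only
# their hashes matter here) and are not real certificates.
REFERENCE_DER = b"constructed-der:www.google.com:reference"
SUBSTITUTE_DER = b"constructed-der:www.google.com:other-issuer"
PROXY_DER = b"constructed-der:cloud1.browser.ovi.com"

SITE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
}
PROXY_CERT = {"subject": ((("commonName", "cloud1.browser.ovi.com"),),)}


def run_samples() -> list:
    host = "www.google.com"
    return [
        classify(host, REFERENCE_DER, SITE_CERT, REFERENCE_DER),
        classify(host, SUBSTITUTE_DER, SITE_CERT, REFERENCE_DER),
        classify(host, PROXY_DER, PROXY_CERT, REFERENCE_DER),
    ]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```
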

  21. ALL YOR BEFUNKIN ARR GEBIGIN TO WUS !! by Anonymous Coward · · Score: 0

    So say the Finns !!

  22. Not MITM by Anonymous Coward · · Score: 0

    It is well documented (e.g. http://www.developer.nokia.com/Develop/Series_40/Nokia_Browser_for_Series_40/ speaks of a client, not a browser) that the browser on those phones is basically a UI talking to a rendering engine running in the cloud. All the traces found in the article are showing the proprietary protocol spoken between the browser UI running on the phone and the rendering engine running on Nokia servers and the DNS lookup the UI does to find its server in the cloud. Actually I am positively surprised that this proprietary protocol is encrypted;-)

    So _technically_ this is not a man-in-the-middle scenario at all: There is nobody between the rendering engine run by the user and the site that rendering engine connects to. Practically Nokia could log everything you do. But quite frankly anybody that controls your hardware and software can do the same.

    So what is the fuss all about?

  23. it's a fund-raiser! by swschrad · · Score: 1

    well, most folks around the courthouse steps call it a hack, but, hey, whatever.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  24. No secret by Anonymous Coward · · Score: 0

    How can this possibly be a surprise when Nokia widely advertise their "Nokia Express Browser" as explicitly doing just this?

  25. Breaking News by viperidaenz · · Score: 2

    "Security Professional" (read: unemployed blogger) discovers that mobile browsers do what they say they do in the terms of use.

  26. A redundant piece of tabloid journalism by hydrofix · · Score: 2

    This is an age-old technology, where a proxy server is used to compress some of the mobile web page content (such as images) to accelerate the browsing experience on slow networks. In Opera Mobile the feature is called "Turbo browsing", and can be trivially disabled from the settings menu.

    News at 10 o'clock.

    1. Re:A redundant piece of tabloid journalism by sdsucks · · Score: 1

      No shit.

      Doing it to SSL traffic without explicitly ensuring the user is aware that it is happening (and each time it happens)? Stupid, and wrong.

      Now, if you do a survey of Nokia phone users and find that > 90% of them were aware this was happening then maybe it is ok. But it sounds like that number is closer to zero.

  27. I take it you think they are valid? by Anonymous Coward · · Score: 0

    You don't need a license to USE software. Copyright doesn't control USE of a program.

    A ToS is also irrelevant because unless you're using their service (Do they actually run their own mobile phone network?), there is no service to agree to terms with.

    And if you ARE signed up for Nokia Mobile Phone, then you can leave and the ToS (and phone) are no longer controlled by those service agreements.

    Really, all you're going to do is make people NOT BUY them at all.

  28. it is controversial. by Anonymous Coward · · Score: 0

    I connect to my Bank.
    HTTPS connection.
    NOBODY ELSE is supposed to be listening in.

    But Nokia is sitting there, taking MY PASSWORD when they have taken from my connection to them, and used that to log in AS ME.

    They are now PRETENDING to be me.

    What do they call that if I were to do that to, say, the Nokia company?

    Oh, that's right: hacking.

    1. Re:it is controversial. by Anonymous Coward · · Score: 0

      derp all you want, your failure to understand the architecture of nokia's mobile browser isn't their problem

    2. Re:it is controversial. by Anonymous Coward · · Score: 0

      On a low-end feature phone you don't even have a full browser capable of connecting to your bank. Your choice is either not to use your bank site from your low-end phone at all, or to use the proxy-based browser. That's how it has been ever since there have been browsers on feature phones.

  29. Um, Yeah, a big UMM back at ya by __aablib8664 · · Score: 2

    If you _re-read_ his post, he is only showing evidence, and claims that Nokia NOT OPERA is a MITM. Use of the word "attack" obviously doesn't apply. But it is -extremely clear that Nokia is intercepting and repackaging https traffic. Opera is not, and their privacy policy clearly states that Opera passes HTTPS untouched and only boosts -normal HTTP traffic-

    I may be left wondering why you have no concern that a secure https connection you expect to a website is in fact, not to that website, but is decrypted -at least!- once, before being re-encrypted to the site you expected. If you are fine with that I wonder what kind of security professional YOU may claim to be.....

  30. The smarter the tool, by Anonymous Coward · · Score: 0

    the dumber the user.

  31. disable this behavior by perryizgr8 · · Score: 1

    to disable this behavior and use the uncompressed browser, hold down the '0' key. the browser instance launched like this will not be compressing any data because it connects directly to websites. but it's obviously quite inferior to the standard browser.

    --
    Wealth is the gift that keeps on giving.
  32. That's the _point_ of these browsers by Mirar · · Score: 1

    I thought the _whole point_ of some or all of these browsers - like Opera Mini - was that they went through the browser's proxy, minimizing the traffic to the phone.

    This isn't security research, it's reading the brochure of the product you are using.

    (What I would like to know is why every time I set up a new phone or pad to use 3g, I get a proxy setting forced on me in the _network_ setup...)

  33. actually.. by Anonymous Coward · · Score: 0

    If you sniff the phone traffic, it's going to a proxy address that returns a VERISIGN issued certificate. It's NOT a Nokia issued/signed CA, but a standard Verisign one, specific to the service - so it has all the same "protections" that a regular bank issued one does. It's also obviously encrypted when it communicates with your bank, Facebook, google, etc as well, and the service checks revoked certs as well (try accessing a revoked thawte cert from awhile back to test). Pure FUD. They probably didn't spring for a wildcard, so that they could control what hostnames are being used to access the service.

  34. xpress browser on windows phone does this too by Anonymous Coward · · Score: 0

    The Nokia Xpress browser for windows phone/Lumias do this too by the way. IE doesn't.

  35. The Servers Become Targets by sociocapitalist · · Score: 1

    Even if you were to accept and trust Nokia (and Opera, etc) and the people working for them to intercept and re-encrypt your supposedly secure traffic without keeping any sensitive information, their servers become targets for anyone who might want to get such information.

    The more people sending sensitive information through the servers, the more interesting the servers become to 'the bad guys'.

    When they're interesting enough, they will be compromised.

    --
    blindly antisocialist = antisocial
    1. Re:The Servers Become Targets by sdsucks · · Score: 1

      Yeah, and this traffic would be interesting enough that they almost certainly *are* compromised already. (Even if that "compromise" is a local-to-datacenter government legally requesting access.)

    2. Re:The Servers Become Targets by sdsucks · · Score: 1

      Right - and remember that in most countries around the world these days (including the US), the government can and does happily and legally walk into datacenters and install sniffers. So it's not only the criminal aspect to worry about.

      Picture a user in China for example trying to post comments critical of the CPC not being aware of this... but thinking they are okay because of SSL. Just one example of an almost infinite amount of potential issues with doing this.

      Amazing that so many people here on a "nerd" website think this behaviour is fine.

  36. List of affected phones? by Anonymous Coward · · Score: 0

    Please can somebody post a list of affected phones, so I can warn my users? Thanks! :o)

  37. OK for HTTP. HTTPS? No way. by sdsucks · · Score: 1

    I don't use any of the browsers that purportedly do this, so I do not know how well the applications indicate to the user that they are completely breaking SSL. But, this is something that should not be done without massive, explicit, and repeated warnings (FOR EACH SSL REQUEST!) to the user.

    As flawed as SSL and PKI may be, users have been trained to trust them. WTF is this shit? Lunacy.

    Who cares if you want to call it a MITM attack or not...

    DO NOT TOUCH SSL TRAFFIC WITHOUT ENSURING THE CURRENT USER KNOWS EXACTLY WHAT IS GOING ON.