Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

Posted by Soulskill on from the you-can-trust-us dept.

An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to login to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are either redirected to Nokia/Ovi proxy servers if the Nokia browser is used, and to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

7 of 200 comments (clear)

  1. So...um... by grasshoppa · · Score: 3, Insightful

    Are they actively trying to kill the company? I have to ask, because it really seems as if that's their goal.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:So...um... by Anonymous Coward · · Score: 5, Insightful

      The Opera and Silk (Amazon) browsers channel their data through to home servers to render most of the page there and is especially useful for situations with high bandwidth but low end CPU.

      This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

      Non-story. Yawn.

  2. Many mobile browsers do this. by Kenja · · Score: 5, Insightful

    Is this different then the acceleration offered by Amazon on the Kindles or other browsers? I know that in Amazons case it can be turned off, but they use a proxy so that the can recompress images and run scripts off of the mobile device. I know of one or two third party browsers including Opera Mobile that do much the same thing.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

    2. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      If you open an SSL connection, I think most people assume that the protocol is working as intended, and ONLY the sender and the receiver have knowledge of the exchange. It *IS* an active MITM attack; they have done exactly what an attacker would do. Why the HELL should I trust Nokia's certificate? Do they run a CA using industry standard practices that assure the identity of the sites on the other side of the connection? No? Then get their freaking certificate OFF of my trust list!

  3. Re:httpS by Anonymous Coward · · Score: 2, Insightful

    It's their phone

    No. It was their phone. Then they sold it to someone else.

  4. My employer just started doing this also. by codewarren · · Score: 3, Insightful

    Doesn't this open them up to all kinds of legal problems? I mean if my bank account gets compromised after I use my nokia phone to check my balance, would I not have a pretty good cause for lawsuit?