Slashdot Mirror


Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to log in to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are redirected either to Nokia/Ovi proxy servers if the Nokia browser is used, or to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

4 of 200 comments

  1. Many mobile browsers do this. by Kenja · · Score: 5, Insightful

    Is this different than the acceleration offered by Amazon on the Kindles or other browsers? I know that in Amazon's case it can be turned off, but they use a proxy so that they can recompress images and run scripts off of the mobile device. I know of one or two third-party browsers including Opera Mobile that do much the same thing.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info, etc.) that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

    2. Re:Many mobile browsers do this. by Anonymous Coward · · Score: 5, Insightful

      If you open an SSL connection, I think most people assume that the protocol is working as intended, and ONLY the sender and the receiver have knowledge of the exchange. It *IS* an active MITM attack; they have done exactly what an attacker would do. Why the HELL should I trust Nokia's certificate? Do they run a CA using industry standard practices that assure the identity of the sites on the other side of the connection? No? Then get their freaking certificate OFF of my trust list!

  2. Re:So...um... by Anonymous Coward · · Score: 5, Insightful

    The Opera and Silk (Amazon) browsers channel their data through to home servers to render most of the page there, which is especially useful for situations with high bandwidth but low-end CPU.

    This is how most i things render Flash video, incidentally -- it replaces the Flash object with a transcoder on their own servers.

    Non-story. Yawn.