Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nokia Admits Decrypting User Data Claiming It Isn't Looking

Posted by Unknown on from the we-won't-peek dept.

judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"

3 of 264 comments (clear)

  1. Re:How do they even do that? by jeffmeden · · Score: 5, Insightful

    There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

    They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

    This is exactly what i was thinking/fearing. This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret. The striking thing is that users obviously have no idea they are handshaking with Nokia instead of their bank, doctor, etc. Are there at least alternate browsers available?

  2. Re:Any browser publisher is the same way by Anonymous Coward · · Score: 5, Insightful

    Nothing stops the browser from transmitting information to a third-party server.

    =>

    You have to trust that the browser publisher knows what it is doing and how to keep a secret.

  3. Re:What? by Rockoon · · Score: 5, Insightful

    I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data."

    ..because they encrypt the users data on the device, and send it to their servers where it must be decrypted in order to know what it is and even where to send it.

    Would you rather they didnt encrypt the data and sent it over the air like that instead?

    You claim to know that this is slashdot, but dont seem to know to at least make an attempt to understand the technologies that you are talking about? Worthless blabber.

    Hint: the phone is not the endpoint of the browsing session - the phone is a remote terminal for a server that is the endpoint of the browsing session

    --
    "His name was James Damore."