Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nokia Admits Decrypting User Data Claiming It Isn't Looking

Posted by Unknown on from the we-won't-peek dept.

judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"

7 of 264 comments (clear)

  1. Listen... by rickatnight11 · · Score: 5, Funny

    Yes, we're opening your mail, but we're not LOOKING at it. We're just making sure you aren't wasting paper and ink.

  2. Re:How do they even do that? by kasperd · · Score: 5, Informative

    There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

    They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

    --

    Do you care about the security of your wireless mouse?
  3. Re:How do they even do that? by jeffmeden · · Score: 5, Insightful

    There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

    They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

    This is exactly what i was thinking/fearing. This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret. The striking thing is that users obviously have no idea they are handshaking with Nokia instead of their bank, doctor, etc. Are there at least alternate browsers available?

  4. Re:How? by Rich0 · · Score: 5, Informative

    Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?

    It is only impossible without the collusion of a trusted certificate authority. When was the last time you reviewed the list on your browser? Oh, and did YOU do anything to determine if any of those organizations were trustworthy.

    If you get a mobile device from your mobile provider, there is a pretty good chance that they stuck their own root CA in there somewhere. Maybe they just use it for SSL connections to their own websites/email/etc. But, trusted is trusted in the world of SSL which means they could just MITM every connection you make.

    Ditto for any PC you use at work. Chances are your employer has a trusted CA somewhere in there, which means they can MITM any SSL connection you make to any service on the web.

    If they didn't actually modify your browser you can probably spot this by pulling up the certificate info for your connection and noting who issued it.

    This is why I believe SSL offers a false sense of security. Moving to certificates distributed over DNSSEC would cut out the middlemen, and it would improve security. Only the domain registrar for google.com could tamper with their certificates, for example. That still isn't perfect, but it is better than any CA anywhere on the globe.

  5. Re:RIM isn't any better by thePowerOfGrayskull · · Score: 5, Informative

    If you're using BES, it's all encrypted - it goes through RIM's servers, but RIM can't read it.

    Hence the big kerfuffle about governments insisting on access to BES data, and RIM's refusal to give it -- they literally can't.

    Consumer email/BIS access is a different story. RIM does have access to that, and presumably government as well (similar to what any other provider gives).

  6. Re:Any browser publisher is the same way by Anonymous Coward · · Score: 5, Insightful

    Nothing stops the browser from transmitting information to a third-party server.

    =>

    You have to trust that the browser publisher knows what it is doing and how to keep a secret.

  7. Re:What? by Rockoon · · Score: 5, Insightful

    I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data."

    ..because they encrypt the users data on the device, and send it to their servers where it must be decrypted in order to know what it is and even where to send it.

    Would you rather they didnt encrypt the data and sent it over the air like that instead?

    You claim to know that this is slashdot, but dont seem to know to at least make an attempt to understand the technologies that you are talking about? Worthless blabber.

    Hint: the phone is not the endpoint of the browsing session - the phone is a remote terminal for a server that is the endpoint of the browsing session

    --
    "His name was James Damore."