Nokia Running A Man In The Middle Attack To Decrypt All Your Encrypted Traffic, But Promises Not To Peek
from the not-too-comforting dept
This is a bit crazy. After a security researcher pointed out that Nokia's Xpress Browser is basically running a giant man in the middle attack on any encrypted HTTPS data you transmit, the company played the whole situation down by saying, effectively, sure, that's what we do, but it's not like we look at anything. This is, to put it mildly, not comforting. Just the fact that they're running a man in the middle attack in the first place is immensely concerning. The reason they do it is that this is a proxy browser, similar to Opera, that tries to speed up browsing by proxying a lot of the content -- meaning that all of your surfing goes through their servers. In some cases, this can be much faster for mobile browsing. But, the right way to do such a thing is to only do the proxying on unencrypted traffic. With encrypted traffic, you're just asking for trouble.

After sensing the backlash, Nokia pushed out an update of the browser that appears to remove the man-in-the-middle attack, even as it had tried to claim there was nothing wrong in the first place. However, the original researcher who discovered this, Gaurang K Pandya, updated his post to note that it's not all good news.
Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is good news and bad news. The good news is that with this browser they are no longer doing a Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is that the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over an HTTP connection to their server.
Filed Under: browser proxy, encryption, https, man in the middle, security, xpress browser
Companies: nokia
Reader Comments
Opera has been doing this a long time.
NOKIADERP
HTTPS is supposed to be end-to-end, but they basically put out a browser with not just a known vulnerability but a by-design vulnerability, and foisted it on unsuspecting customers, giving them (the customers) a nice helping of potential liability.
I smell class action incoming.
Re: NOKIADERP
BONUS!!
Re: NOKIADERP
The same arguments work for HIPAA. NOKIA is not a health care provider and, although they may have potential access, they do not eavesdrop on or store the data. A close analogy would be talking to your doctor over the same phone in a voice conversation. Although NOKIA, ATT, or whatever telecom has potential access to this conversation, they supposedly don't listen in on or record such things without a warrant, with the small exception of the NSA's nationwide warrantless eavesdropping program, which will soon record everything.
I think we have reached a point though where the security practices of communication intermediaries need to be taken into account in such standards as HIPAA and PCI DSS.
Re: Re: NOKIADERP
HIPAA is a bit more complex since the user could very well be the doctor or other practitioner, hence a "covered entity".
Since Nokia decrypts https, and quite plausibly does not do this in a compliant data facility, this could constitute a violation. Since it is unlikely that a covered entity user of a Nokia phone has the proper contracts in place, e.g. a Business Associate Agreement, the liability is probably the user's rather than Nokia's in this case, hence "giving them (the customers) a nice helping of potential liability."
hack:
3 b. To gain access to (a computer file or network) illegally or without authorization
Unless Nokia are openly and actively informing ALL of their customers of what they are doing...
Re:
https://www.eff.org/2011/october/amazon-fire%E2%80%99s-new-browser-puts-spotlight-privacy-trade-offs
Re:
Mike didn't mention the main reasons that companies provide this proxy browsing for mobile devices, so I'll list the top three:
- When your phone traffic goes through a proxy, the proxy detects the kind of phone you have, and its resolution. It then scales down images so that a bunch of unviewable data isn't transmitted unnecessarily. Also, heavy content like flash can be edited out if the device can't display it. This makes the browsing experience faster, without sacrificing any quality. Network operators also like the lighter traffic.
- Some proxies can detect when your browser cannot display some content, and can reproduce the content in a way you CAN see it. Like taking a streaming video and turning it into a series of JPGs. This can add to the capabilities of your limited phone.
- Going to one proxy server is supposedly easier to manage for your phone than going to dozens of different TCP/IP connections to all the different servers and ad servers that make up a web page.
If you remove the spying aspect... this can be a win-win for network operators AND customers.
Or maybe it's ok for multinational corporations to perform these otherwise illegal actions. If done by a pleb, there would be repercussions for sure.
Re: Re:
lol
Glad.
soon moot?
It would have been nice if Nokia, and other smart phone makers, had been more upfront and explicitly pointed out the compromising effect on HTTPS of how they use their proxy servers. I can't say I'm surprised with their attitude of "we don't actually eavesdrop, so it's all OK". What is a little surprising is how they "fixed" this, supposedly in response to Pandya's blog. They now tunnel the HTTPS connection through an HTTP connection to the proxy. One does not need to use a proxy at all in this case, though. Perhaps it was easier and quicker for them to still funnel all traffic to their proxy servers. I don't understand why Pandya notes that this is better but still "bad news", as the HTTPS traffic in this situation provides confidentiality.
This whole issue of compromising the confidentiality of HTTPS traffic should soon be moot as phones, smart phones in particular, incorporate more powerful processors. What is a bit scary is if law enforcement decides that such proxies should be required solely as an eavesdropping point for their purposes. I would be surprised, for any Nokia proxies in the U.S., if law enforcement didn't claim that CALEA required Nokia to store and allow access to compromised HTTPS traffic when a warrant or subpoena was served.
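A way to check which of the two arrangements a proxy actually implements, as an added example that is not part of the article, of Pandya's research, or of the comment above: it fetches the leaf certificate for a host directly and again through a standard HTTP CONNECT proxy (assumed here; the protocol of Nokia's own proxy is not documented on this page) and compares the fingerprints. A matching leaf means the proxy is a pass-through tunnel and the TLS session is still end-to-end, which is the commenter's point; a different leaf means the proxy terminated TLS, the original Xpress behaviour.

```python
import hashlib
import socket
import ssl
from typing import Optional, Tuple

def leaf_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded leaf certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_leaf_der(host: str, proxy: Optional[Tuple[str, int]] = None,
                   timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented on the path to host:443.

    With proxy=(address, port) the TCP connection goes to the proxy and an
    HTTP CONNECT request opens the tunnel first, i.e. the 'HTTPS tunnelled
    over HTTP' arrangement (assumed: a generic CONNECT proxy).  Certificate
    verification is deliberately off: the point is to observe whatever
    certificate this path presents; the verdict comes from compare_paths(),
    not from the device trust store (which a shipped root could satisfy).
    """
    if proxy is None:
        raw = socket.create_connection((host, 443), timeout=timeout)
    else:
        raw = socket.create_connection(proxy, timeout=timeout)
        raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        status_line = raw.recv(4096).split(b"\r\n", 1)[0]
        if status_line.split(b" ")[1:2] != [b"200"]:
            raw.close()
            raise ConnectionError(f"proxy refused CONNECT: {status_line!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def compare_paths(direct_der: bytes, proxied_der: bytes) -> str:
    """Classify the proxy from the leaf certificates seen on the two paths."""
    if leaf_fingerprint(direct_der) == leaf_fingerprint(proxied_der):
        return "pass-through"    # same leaf: proxy forwards opaque TLS, still end-to-end
    return "tls-terminated"      # different leaf: proxy decrypts and re-encrypts (MITM)

if __name__ == "__main__":
    import sys  # usage: python check.py <host> <proxy-address> <proxy-port>
    host, proxy = sys.argv[1], (sys.argv[2], int(sys.argv[3]))
    direct, via = fetch_leaf_der(host), fetch_leaf_der(host, proxy)
    print("direct :", leaf_fingerprint(direct))
    print("proxied:", leaf_fingerprint(via))
    print("verdict:", compare_paths(direct, via))
```

The comparison only detects substitution introduced on the proxy path; if the direct path is itself intercepted the two leaves would match and the check says nothing about that.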
It's amazing how a company that led the mobile market not too long ago managed, through multiple bad decisions, to fall that low...