Nokia decrypts browser traffic, assures public not to worry

Just as Nokia announces numbers that look like it may avoid irrelevance, the mobile supplier has become embroiled in a privacy row centered on the behavior of its browsers. The brouhaha hit the wires when Unisys Global Services India security architect Gaurang Pandya wrote up his investigations into the behavior of his Nokia …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Even if you believe Nokia, it's still decrypted traffic for any government/police/advertising agency to potentially tap.

    1. Chris Miller

      No, the traffic is still encrypted on both hops, it's just that the man-in-the-middle has access to the plain text without your being aware of it (and could theoretically be required to reveal it by government or police; although they'd be very silly if they stored it).

    2. xpusostomos

      Not reall

      I'm guessing the traffic is still encrypted, just with Nokia's key instead. Not good enough I know, but probably still unbreakable in the middle. Breakable if the authorities get a warrant for Nokia's servers though.

      1. Chris007
        FAIL

        Re: Not reall

        The use of this certificate most certainly allows Nokia to view the traffic as unencrypted and thus open to monitoring by any agency that is able to lean on Nokia enough.

        1. Anonymous Coward

          Re: Not reall

          "any agency that is able to lean on Nokia enough"

          My concern here is that Nokia aren't exactly secure and rolling in cash. I should imagine that an ad-agency waving fat envelopes might be quite tempting to Nokia's management. And that's in addition to all the gov/police/spy agencies queueing up.

  2. Ryan 7
    Joke

    "Sales of 4.4 Lumia units"

    Awww, they didn't even manage to sell 5! (Having said that, I'm getting a 920 once the price has dropped a bit).

    1. Gerhard den Hollander

      Re: "Sales of 4.4 Lumia units"

      maybe the .4 was a rental that got returned after a bit under 5 months ?

  3. scrubber

    none of the traffic is visible to any of its staff

    Great, how about governments, advertisers, bots, etc. etc.?

    You deserve to go bust for this. RIP Nokia.

    1. ~mico
      Trollface

      Re: none of the traffic is visible to any of its staff

      The. Lamest. Excuse. Ever.*

      _____________

      * except the same excuse by Google about GMail contents

      1. Anonymous Coward

        Re: none of the traffic is visible to any of its staff

        but gmail is email and email has never been secure..... so who cares if Google's servers parse the email you're reading to display some adverts...

    2. Flocke Kroes Silver badge

      Re: none of the traffic is visible to any of its staff

      I assume that means many non-staff members have full access to the traffic but staff members have to use a text to speech converter.

    3. JetSetJim
      Unhappy

      Re: none of the traffic is visible to any of its staff

      As noted in the article, loads of companies seem to do it. My wife's iPhone seems to try and connect via Apple servers even on WiFi at times. I've not tested what happens with HTTPS stuff but if the same thing happened I wouldn't be surprised.

      All that means is that law enforcement now have the choice of going to device vendor or operator for getting decrypts.

      I'm not happy about it either, but not sure how to get the relevant certificates off the phone to prevent it

    4. Tom 35

      Re: none of the traffic is visible to any of its staff

      No staff, it's outsourced to contractors in India.

  4. Androgynous Crackwhore
    Childcatcher

    The shape of things to come

    Soon all ISPs will be required to do this. How else can your government protect you from all those terrorists and paedophiles?

  5. Anonymous Coward

    The SSL traffic is decrypted transparently ..

    "The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination." link

  6. De Facto
    Stop

    Caveat Emptor

    European Union flag-ship technology company just follows EU directives for spying on its citizens, in my opinion. You know, a lot of talking about protection of privacy, while actually doing the opposite. They should better keep silent about privacy when caught red-handed.

    1. gjw
      Happy

      Re: Caveat Emptor

      Care to share a link that points to those 'EU directives for spying on its citizens', or is it just your opinion?

  7. Adam Inistrator

    so somebody can watch every detail of your internet banking transactions?

    Should people be able to communicate in private? I think the answer is yes.

    1. Charles 9

      Re: so somebody can watch every detail of your internet banking transactions?

      Sure, but if your bandwidth is so limited you have to call on a man in the middle to compress your web traffic, you have a trust issue. You can't really compress encrypted traffic and Mini browsers usually don't have a lot of horsepower or memory space to handle full-on webpages (that's why Mini browsers are chosen--to not chug the phones on which they run). So the only way the proxy server can optimize the traffic is to have access to the cleartext. So you're in a dilemma. The only ways to restore the trust chain are to (1) establish your own web optimization proxy, or (2) eschew proxies. For some people, neither option is viable (not enough resources for a full-on mobile browser, no resources for a self-owned proxy).

      1. Benchops

        Re: so somebody can watch every detail of your internet banking transactions?

        With internet banking on phones, it's not (lack of) bandwidth that's the reason people use compression, it's because it's Just There. People (rightly) want to use internet banking on their phone for convenience.

        Nokia's present statement is pointless. If I'm using a direct encrypted connection to my bank then the problems will occur either at my end (my fault) or their end (the bank's fault). If there's a hack at Nokia then who is liable for money lost as a result?

  8. dephormation.org.uk
    Pirate

    Honeypot

    Apart from the obvious privacy/security/integrity concerns about encrypted (or for that matter unencrypted) traffic being passed through a third party proxy...

    ... it establishes Nokia as a huge honeypot of passwords, banking, and commercial data that is acutely vulnerable.

    Glad I'm not responsible for their network security.

  9. RyokuMas
    Mushroom

    I'm just waiting for the inevitable posts from the Linux/Android jihadist trolls crowing about how this proves that WinPhone OS is vulnerable...

    They know who they are.

    1. Arctic fox
      Headmaster

      "They know who they are" Given that all are at it..............

      .............whether one is talking about Redmond, Cupertino or Mountain View (and their associate hardware producers) I think that any of the fanbois from the various sects would do well to keep a low profile on this one.

  10. Anonymous Coward

    Isn't this just a proxy server? Rather than a Man In The Middle attack?

    This is no different to you browsing the web behind the corporate proxy server in your office. The phone is configured to use their proxy server, so it does. All the gibbering about DNS and what certificates are in packet captures just suggests the guy doesn't really get what proxy servers do.

    Can't the user just install a different browser?

    1. Graham Cobb Silver badge
      Big Brother

      Normal proxy servers (as deployed in most offices), only proxy unencrypted (http:) traffic. Encrypted (https:) traffic is normally passed straight through the proxy. This is the way SSL (http encryption) was designed to work: it is end-to-end, between the browser and the server, and nothing in the middle can see the traffic (unless they have GCHQ-style equipment to do codebreaking).

      Man-in-the-middle attacks in proxy servers are becoming more common and are quite easy (play with mitmproxy if you want to see how easy it is). However, the browser can, in principle, detect that it is happening: the certificate it receives is from the proxy, not from the server. But the browser won't complain to the user if the browser has been told to trust those spurious certificates. Some (but not many yet) businesses now configure corporate PCs to trust certificates from their own proxies, so that they can do MITM monitoring of HTTPS in their proxy. It is rumoured that some governments have forced either browser vendors or major certificate authorities to co-operate so that they can do MITM monitoring for law enforcement. This article alleges that Nokia have pre-configured the browser on this phone model to accept certificates from their proxy so they can do MITM "optimisation".

      So, this is very different from the way a normal proxy works. And it is a really bad idea. Although many device vendors and network operators impose a proxy on their users, I am not aware of anyone else who has been accused of using a MITM attack on encrypted traffic.

      I don't think anyone thinks Nokia is doing this to steal passwords or break into bank accounts. It is a misguided attempt to improve the browsing experience for their users. But it is still an incredibly bad idea to look into traffic the user has asked to be secure. Far better to let https: sites be "unoptimised" even if it means they work less well on the phone.
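Added example, not part of the thread or of any poster's comment: the behaviour described in the comment above, reproduced offline with the openssl CLI. A substituted certificate is rejected by a stock trust store, accepted once the proxy's root is pre-installed, and still caught by a fingerprint pin. Both CAs, all keys and the host name bank.example are constructed here; RSA-2048 and one-day validity are arbitrary choices.

```shell
#!/bin/sh
# Added example: every CA, key, certificate and name is generated locally (constructed).
set -e
WORK=$(mktemp -d)
HOST="bank.example"                       # hypothetical site name
# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {     # make_ca <name> <common name>: self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue_leaf() {  # issue_leaf <ca name> <leaf name>: certificate for $HOST
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}
chain_ok() {    # chain_ok <trust store> <leaf>: ordinary chain validation
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}
fingerprint() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2; }
pin_ok() { [ "$(fingerprint "$1")" = "$2" ]; }   # pin_ok <leaf> <pinned fingerprint>

make_ca public "Constructed Public CA"
make_ca proxy  "Constructed Proxy CA"
cat "$WORK/public.pem" "$WORK/proxy.pem" > "$WORK/device.pem"  # store with proxy root added
issue_leaf public genuine       # what the real server presents
issue_leaf proxy  substituted   # what an intercepting proxy presents for the same name
PIN=$(fingerprint genuine)      # recorded over a path known to be direct

for store in public device; do
  for leaf in genuine substituted; do
    chain_ok "$store" "$leaf" && r=accepted || r=rejected
    echo "trust store=$store leaf=$leaf chain: $r"
  done
done
for leaf in genuine substituted; do
  pin_ok "$leaf" "$PIN" && r=match || r=MISMATCH
  echo "pin check leaf=$leaf: $r"
done
```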

      1. Anonymous Coward

        The Wap Gap all over again

        http://sourcedaddy.com/networking/the-wap-gap.html

        Also check your enterprise - "SSL Inspection" using the same technique of installing a trusted certificate is becoming a common feature of enterprise web proxies.

      2. Anonymous Coward

        "Normal proxy servers (as deployed in most offices), only proxy unencrypted (http:) traffic. Encrypted (https:) traffic is normally passed straight through the proxy."

        Clearly you work in entirely different environments to me. Every Enterprise proxy server I've worked on in the last few years has been able to decrypt and inspect HTTPs traffic. These include Bluecoats, McAfee Web Gateways, Webwashers etc ...

        I know how to configure a proxy server to proxy HTTPs. What I'm saying is that IS how corporates set them up.

        So my point remains the same - Isn't this just a proxy server? Isn't this just the same as the proxy server in your office, if they choose to configure it that way?

        And the answer is yes.

  11. Anonymous Coward
    WTF?

    Boffin needed...

    Genuine question which I am sure a Reg reader can explain well: Nokia are hardware makers. Why is the browser of their phone directing web traffic to their servers at all? Isn't this a configuration between the phone owner/user and his service provider, which is presumably not Nokia?

    If this seems like a dumb question to you, then you are probably the right person to answer it, thanks :)

    1. xerocred

      Re: Boffin needed...

      If they can (man in the middle) compress the data and make 10MB look like 1 MB then it will look like their phone downloads 10x faster than anyone else's. Maybe everyone else is already at it, so they have to so as not to look 10x slower...

      The fact that your secret banking/terror hit list/naughty pics data can now be seen in clear somewhere along the line is very worrying and demonstrates how broken Nokia are.

      At least they could have given people the fucking options:

      1. slow and private

      2. maybe faster and compromised security

    2. Graham Cobb Silver badge

      Re: Boffin needed...

      This is a cheap phone with a slow processor, not much memory and on a slow network. Modern web sites take a lot of processing power, memory and bandwidth. So Nokia are pushing the problem off to their server, which accesses the site and simplifies/optimises it to make it easier for the phone browser to display. It is a bit like they are splitting the browser between the phone handset and their servers.

      The idea, of course, is that it keeps the phone cost down while making it more attractive to punters than the phones from cheap Chinese knock-off manufacturers.

  12. brain_flakes

    So just like Opera Mini then?

    This is exactly what Opera Mini does, not really avoidable if you want a half-decent browsing experience on ultra-low end "smartphones"

    1. Graham Cobb Silver badge

      Re: So just like Opera Mini then?

      Yes. And I don't like it there either.

      But at least Opera Mini is optional and is open about its approach. Its FAQ page explains how it works and that for end-to-end encryption you should use Opera Mobile instead. It even says "If you do not trust Opera Software, make sure you do not use Opera Mini to enter any kind of sensitive information."

      Nokia is being considerably less open about what is going on but I don't believe they are actually using an Opera Mini approach (with a rendering engine in the proxy). I think the phone is more powerful than the "featurephone with MIDP" targeted by Opera Mini and I suspect Nokia are just doing things like compression. In that case I don't see how they justify the intrusion into SSL. In any case, they need to be open about what is going on and make sure that there is a way for people to turn it off (or download an alternative browser). Where is Nokia's equivalent of http://www.opera.com/mobile/help/faq/?

  13. ilmari

    This is nothing new

    On Nokia's page describing Xpress Browser, even before recent media coverage, was a full screen picture with boxes and arrows showing data goes through Nokia, gets modified and optimized, and sent back to user.

    As for "lawful intercept" capabilities, all you need is Verisign or other authority trusted by the suspects' browsers sign SSL certificates on the fly (or indeed lend you a signing key), take that capability to ISP and have them redirect traffic through your own systems. SSL is totally inadequate for authenticating the source and destination, when the system of doing that relies on entities technically capable of lying, and compellable to do so by people with big guns and the right to bear taxes.
