Even if you believe Nokia, it's still decrypted traffic for any government/police/advertising agency to potentially tap.
Nokia decrypts browser traffic, assures public not to worry
Just as Nokia announces numbers that look like it may avoid irrelevance, the mobile supplier has become embroiled in a privacy row centered on the behavior of its browsers. The brouhaha hit the wires when Unisys Global Services India security architect Gaurang Pandya wrote up his investigations into the behavior of his Nokia …
-
Friday 11th January 2013 15:27 GMT Anonymous Coward
Re: Not reall
"any agency that is able to lean on Nokia enough"
My concern here is that Nokia aren't exactly secure and rolling in cash. I should imagine that an ad-agency waving fat envelopes might be quite tempting to Nokia's management. And that's in addition to all the gov/police/spy agencies queueing up.
-
Friday 11th January 2013 08:23 GMT JetSetJim
Re: none of the traffic is visible to any of its staff
As noted in the article, loads of companies seem to do it. My wife's iPhone seems to try and connect via Apple servers even on WiFi at times. I've not tested what happens with HTTPS stuff but if they did the same thing I wouldn't be surprised.
All that means is that law enforcement now have the choice of going to device vendor or operator for getting decrypts.
I'm not happy about it either, but not sure how to get the relevant certificates off the phone to prevent it.
-
-
Friday 11th January 2013 08:36 GMT Charles 9
Re: so somebody can watch every detail of your internet banking transactions?
Sure, but if your bandwidth is so limited you have to call on a man in the middle to compress your web traffic, you have a trust issue. You can't really compress encrypted traffic and Mini browsers usually don't have a lot of horsepower or memory space to handle full-on webpages (that's why Mini browsers are chosen--to not chug the phones on which they run). So the only way the proxy server can optimize the traffic is to have access to the cleartext. So you're in a dilemma. The only ways to restore the trust chain are to (1) establish your own web optimization proxy, or (2) eschew proxies. For some people, neither option is viable (not enough resources for a full-on mobile browser, no resources for a self-owned proxy).
-
Friday 11th January 2013 11:20 GMT Benchops
Re: so somebody can watch every detail of your internet banking transactions?
With internet banking on phones, it's not (lack of) bandwidth that's the reason people use compression, it's because it's Just There. People (rightly) want to use internet banking on their phone for convenience.
Nokia's present statement is pointless. If I'm using a direct encrypted connection to my bank then the problems will occur either at my end (my fault) or their end (the bank's fault). If there's a hack at Nokia then who is liable for money lost as a result?
-
Friday 11th January 2013 09:54 GMT dephormation.org.uk
Honeypot
Apart from the obvious privacy/security/integrity concerns about encrypted (or for that matter unencrypted) traffic being passed through a third party proxy...
... it establishes Nokia as a huge honeypot of passwords, banking, and commercial data that is acutely vulnerable.
Glad I'm not responsible for their network security.
-
Friday 11th January 2013 11:27 GMT Anonymous Coward
Isn't this just a proxy server? Rather than a Man In The Middle attack?
This is no different to you browsing the web behind the corporate proxy server in your office. The phone is configured to use their proxy server, so it does. All the gibbering about DNS and what certificates are in packet captures just suggests the guy doesn't really get what proxy servers do.
Can't the user just install a different browser?
-
Friday 11th January 2013 13:39 GMT Graham Cobb
Normal proxy servers (as deployed in most offices), only proxy unencrypted (http:) traffic. Encrypted (https:) traffic is normally passed straight through the proxy. This is the way SSL (http encryption) was designed to work: it is end-to-end, between the browser and the server, and nothing in the middle can see the traffic (unless they have GCHQ-style equipment to do codebreaking).
Man-in-the-middle attacks in proxy servers are becoming more common and are quite easy (play with mitmproxy if you want to see how easy it is). However, the browser can, in principle, detect that it is happening: the certificate it receives is from the proxy, not from the server. But the browser won't complain to the user if the browser has been told to trust those spurious certificates. Some (but not many yet) businesses now configure corporate PCs to trust certificates from their own proxies, so that they can do MITM monitoring of HTTPS in their proxy. It is rumoured that some governments have forced either browser vendors or major certificate authorities to co-operate so that they can do MITM monitoring for law enforcement. This article alleges that Nokia have pre-configured the browser on this phone model to accept certificates from their proxy so they can do MITM "optimisation".
So, this is very different from the way a normal proxy works. And it is a really bad idea. Although many device vendors and network operators impose a proxy on their users, I am not aware of anyone else who has been accused of using a MITM attack on encrypted traffic.
I don't think anyone thinks Nokia is doing this to steal passwords or break into bank accounts. It is a misguided attempt to improve the browsing experience for their users. But it is still an incredibly bad idea to look into traffic the user has asked to be secure. Far better to let https: sites be "unoptimised" even if it means they work less well on the phone.
-
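The detection point made in the comment above (the certificate the browser receives comes from the proxy, and the browser stays silent only because it was told to trust that issuer), as an added example that is not part of the original thread. It is a simplified model with no signature checking; the CA names, host name and key bytes are all constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # stand-in for the SubjectPublicKeyInfo bytes

    def spki_pin(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()

def chain_trusted(chain, trust_store):
    """Each cert must name the next as issuer; the last issuer must be a trusted root."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return bool(chain) and chain[-1].issuer in trust_store

def assess(host, chain, trust_store, pins):
    """Return the verdict a client would reach for this host and chain."""
    leaf = chain[0]
    if leaf.subject != host:
        return "reject: name mismatch"
    if not chain_trusted(chain, trust_store):
        return "reject: untrusted issuer"   # the browser warning case
    expected = pins.get(host)
    if expected and leaf.spki_pin() != expected:
        return "alert: trusted chain, unexpected key"  # interception signal
    return "ok"

# Constructed sample data (not taken from any real device or proxy).
GENUINE = [Cert("bank.example", "BankRoot CA", b"bank-key")]
INTERCEPTED = [Cert("bank.example", "Proxy Optimisation CA", b"proxy-key")]
STOCK_STORE = {"BankRoot CA"}
VENDOR_STORE = STOCK_STORE | {"Proxy Optimisation CA"}  # proxy CA pre-installed
PINS = {"bank.example": GENUINE[0].spki_pin()}

if __name__ == "__main__":
    cases = [
        ("genuine, stock store", GENUINE, STOCK_STORE, PINS),
        ("intercepted, stock store", INTERCEPTED, STOCK_STORE, PINS),
        ("intercepted, vendor store, no pin", INTERCEPTED, VENDOR_STORE, {}),
        ("intercepted, vendor store, pinned", INTERCEPTED, VENDOR_STORE, PINS),
    ]
    for label, chain, store, pins in cases:
        print(f"{label}: {assess('bank.example', chain, store, pins)}")
```

The third case is the one the comment describes: once the proxy's CA is in the trust store, ordinary validation passes and only an independent check on the server's key notices the substitution.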
Monday 14th January 2013 13:43 GMT Anonymous Coward
"Normal proxy servers (as deployed in most offices), only proxy unencrypted (http:) traffic. Encrypted (https:) traffic is normally passed straight through the proxy."
Clearly you work in entirely different environments to me. Every Enterprise proxy server I've worked on in the last few years has been able to decrypt and inspect HTTPS traffic. These include Bluecoats, McAfee Web Gateways, Webwashers etc ...
I know how to configure a proxy server to proxy HTTPS. What I'm saying is that IS how corporates set them up.
So my point remains the same - Isn't this just a proxy server? Isn't this just the same as the proxy server in your office, if they choose to configure it that way?
And the answer is yes.
-
-
Friday 11th January 2013 12:41 GMT Anonymous Coward
Boffin needed...
Genuine question which I am sure a Reg reader can explain well: Nokia are hardware makers. Why is the browser of their phone directing web traffic to their servers at all? Isn't this a configuration between the phone owner/user and his service provider, which is presumably not Nokia?
If this seems like a dumb question to you, then you are probably the right person to answer it, thanks :)
-
Friday 11th January 2013 13:49 GMT xerocred
Re: Boffin needed...
If they can (man in the middle) compress the data and make 10MB look like 1 MB then it will look like their phone downloads 10x faster than anyone else's. Maybe everyone else is already at it, so they have to so as not to look 10x slower...
The fact that your secret banking/terror hit list/naughty pics data can now be seen in clear somewhere along the line is very worrying and demonstrates how broken Nokia are.
At least they could have given people the fucking options:
1. slow and private
2. maybe faster and compromised security
-
Friday 11th January 2013 13:51 GMT Graham Cobb
Re: Boffin needed...
This is a cheap phone with a slow processor, not much memory and on a slow network. Modern web sites take a lot of processing power, memory and bandwidth. So Nokia are pushing the problem off to their server, which accesses the site and simplifies/optimises it to make it easier for the phone browser to display. It is a bit like they are splitting the browser between the phone handset and their servers.
The idea, of course, is that it keeps the phone cost down while making it more attractive to punters than the phones from cheap Chinese knock-off manufacturers.
-
Friday 11th January 2013 15:15 GMT Graham Cobb
Re: So just like Opera Mini then?
Yes. And I don't like it there either.
But at least Opera Mini is optional and is open about its approach. Its FAQ page explains how it works and that for end-to-end encryption you should use Opera Mobile instead. It even says "If you do not trust Opera Software, make sure you do not use Opera Mini to enter any kind of sensitive information."
Nokia is being considerably less open about what is going on but I don't believe they are actually using an Opera Mini approach (with a rendering engine in the proxy). I think the phone is more powerful than the "featurephone with MIDP" targeted by Opera Mini and I suspect Nokia are just doing things like compression. In that case I don't see how they justify the intrusion into SSL. In any case, they need to be open about what is going on and make sure that there is a way for people to turn it off (or download an alternative browser). Where is Nokia's equivalent of http://www.opera.com/mobile/help/faq/?
-
-
Friday 11th January 2013 18:13 GMT ilmari
This is nothing new
On Nokia's page describing Xpress Browser, even before recent media coverage, was a full screen picture with boxes and arrows showing data goes through Nokia, gets modified and optimized, and sent back to user.
As for "lawful intercept" capabilities, all you need is Verisign or other authority trusted by the suspects' browsers sign SSL certificates on the fly (or indeed lend you a signing key), take that capability to ISP and have them redirect traffic through your own systems. SSL is totally inadequate for authenticating the source and destination, when the system of doing that relies on entities technically capable of lying, and compellable to do so by people with big guns and the right to bear taxes.