Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

Soulskill posted about a year and a half ago | from the you-can-trust-us dept.

Security 200

An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to log in to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are redirected either to Nokia/Ovi proxy servers if the Nokia browser is used, or to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

200 comments

So...um... (3, Insightful)

grasshoppa (657393) | about a year and a half ago | (#42536129)

Are they actively trying to kill the company? I have to ask, because it really seems as if that's their goal.

Re:So...um... (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42536227)

The Opera and Silk (Amazon) browsers channel their data through to home servers to render most of the page there, which is especially useful for situations with high bandwidth but low end CPU.

This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

Non-story. Yawn.

Re:So...um... (5, Interesting)

AliasMarlowe (1042386) | about a year and a half ago | (#42536471)

Non-story. Yawn.

Indeed. Same behavior as any of several other smartphone browsers, and with no MITM attack over https.
But we're left wondering what sort of "security professional" this Gaurang Pandya might be.

Yup. (5, Informative)

Andy Prough (2730467) | about a year and a half ago | (#42536877)

Anyone who didn't realize Opera Mini was rerouting data for compression on their servers just didn't look into it before downloading and using it. It's a "feature" - supposed to get you faster browsing. Worked pretty well for me when I had it on a 3G Blackberry.

Re:Yup. (0)

Anonymous Coward | about a year and a half ago | (#42537639)

So, if it's the default browser, should they look into it too? And the source code? And the OS code?

Anything else?

Unless this warns you up front, this is fundamentally wrong.

Re:Yup. (1)

Andy Prough (2730467) | about a year and a half ago | (#42537947)

Kindle Fire does it in its default browser. You aren't so much "warned" as they push it as a "feature", I suppose.

Re:So...um... (0)

Anonymous Coward | about a year and a half ago | (#42537445)

This is what Blackberry did 10 years ago, and made their phone so successful.

Re:So...um... (1)

kelemvor4 (1980226) | about a year and a half ago | (#42537949)

This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

Non-story. Yawn.

I don't think it's a non-story, I think it's awesome! Automatic transcoding of videos should be touted as a feature.

Re:So...um... (1)

Anonymous Coward | about a year and a half ago | (#42536285)

Devalue it enough for Microsoft to buy it.

Re:So...um... (0)

Anonymous Coward | about a year and a half ago | (#42536701)

Google has been spying on your web hits via Android's default DNS servers for years. Hasn't hurt their sales.

Re:So...um... (2)

grasshoppa (657393) | about a year and a half ago | (#42537153)

It's a question of liability; sniffing dns traffic is radically different than purposefully performing a MIM attack.

My bank account gets cleared out; Nokia is now a suspect.

Re:So...um... (0)

Anonymous Coward | about a year and a half ago | (#42537477)

Opera Turbo (as it is called, and can be turned off, and is turned off when on WiFi, by default) has this nasty habit of compressing images by proxy, in order to er-... say... reduce your web browsing data consumption, by five times.

Next to offline maps, and many other features, it somehow appears that one does not need a very expensive data plan, which kind of rules.

On Symbian, there is also a VPN 'proxy' with encryption for Facebook and Twitter, so when over the air, your stuff is encrypted.

And to top that, one does not need a credit card to buy apps, music, and whatnot, unlike the iPhone or whatever Android App devs come up with; it's calculated on top of your service provider monthly fee.

Welcome to shit done right.

it's a fund-raiser! (1)

swschrad (312009) | about a year and a half ago | (#42537599)

well, most folks around the courthouse steps call it a hack, but, hey, whatever.

Many mobile browsers do this. (5, Insightful)

Kenja (541830) | about a year and a half ago | (#42536141)

Is this different than the acceleration offered by Amazon on the Kindles or other browsers? I know that in Amazon's case it can be turned off, but they use a proxy so that they can recompress images and run scripts off of the mobile device. I know of one or two third party browsers including Opera Mobile that do much the same thing.

Re:Many mobile browsers do this. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42536707)

They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

Re:Many mobile browsers do this. (3, Informative)

EkriirkE (1075937) | about a year and a half ago | (#42537109)

Opera does this for even HTTPS. On their site they explain "no caching, totally secure, etc"

Re:Many mobile browsers do this. (1)

Daniel_Staal (609844) | about a year and a half ago | (#42537975)

Opera Mini does it even for HTTPS. Opera Mobile has it as an option, like their desktop browsers. (And then I don't think it does HTTPS.) That's the difference, and the advertising all mentions it. (And why they have two browsers for the same market. Mini does have a slightly smaller CPU footprint on the consumer device, so it works on lower-end devices as well.)

Re:Many mobile browsers do this. (1)

Mr. Slippery (47854) | about a year and a half ago | (#42538005)

Opera does this for even HTTPS. On their site they explain "no caching, totally secure, etc"

If Opera is calling their MITM attack "totally secure", then they are lying bastards.

Re:Many mobile browsers do this. (4, Informative)

Baloroth (2370816) | about a year and a half ago | (#42537129)

They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

No, it's not a MITM attack. From the sound of it, that's exactly how the browser was always intended to work. I haven't used the Nokia browser, but the Opera Mini "browser" isn't actually a browser properly speaking, it downloads everything onto Opera's servers, renders it, compresses it to an image file, and sends it to the phone (reduces bandwidth and CPU costs). It does this to HTTPS and HTTP connections alike (couldn't use HTTPS without it at all). I'm guessing that is exactly what the Nokia browser is doing too. There's no legal trouble with doing that, at least if they aren't recording the data (Opera doesn't, I'd assume Nokia doesn't either). FFS, Wikipedia lists the damned browser as a proxy-based one, as does Nokia's website. It's like being surprised your browser can see the passwords you type into a website. Can't be an "attack" if they publicly inform you that's how the thing works.

Re:Many mobile browsers do this. (3, Interesting)

Anonymous Coward | about a year and a half ago | (#42537429)

And what's to stop a disgruntled Nokia worker from firing up Wireshark and recording whatever they want without approval?

Re:Many mobile browsers do this. (2)

Luckyo (1726890) | about a year and a half ago | (#42537609)

Prison sentence.

Re:Many mobile browsers do this. (1)

Anonymous Coward | about a year and a half ago | (#42537763)

That didn't stop thousands of career criminals. Plus they could just claim they were troubleshooting the network.

Re:Many mobile browsers do this. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42537497)

If you open an SSL connection, I think most people assume that the protocol is working as intended, and ONLY the sender and the receiver have knowledge of the exchange. It *IS* an active MITM attack; they have done exactly what an attacker would do. Why the HELL should I trust Nokia's certificate? Do they run a CA using industry standard practices that assure the identity of the sites on the other side of the connection? No? Then get their freaking certificate OFF of my trust list!

Re:Many mobile browsers do this. (0)

Anonymous Coward | about a year and a half ago | (#42537693)

So, we're supposed to go to Wikipedia to research every piece of software on every phone now?

Seriously. The default browser sends https to its own server, where it's processed and sent back. With no warning. But to find this out, we're supposed to go look it up on Wikipedia, apparently.

Does that sound remotely good, reasonable, or right? No.

Re:Many mobile browsers do this. (1)

Dahamma (304068) | about a year and a half ago | (#42537183)

No it's not. This has been done on older and/or low end cell phone browsers for years. This "security researcher" mentioned must be completely clueless if he didn't know that...

Think of it this way - the *browser* is really on their server, and the app on the phone just displays simplified/pre-rendered content. This is the only way you are going to get a decent web browser on low end phones without enough memory or CPU power to handle all of the HTML/JS that can be thrown at it.

Re:Many mobile browsers do this. (0)

Anonymous Coward | about a year and a half ago | (#42537807)

They shouldn't do this for https, but using a proxy, even one that parses and transcodes html, doesn't mean it will be used for a MitM attack. The CONNECT command should tunnel data through the proxy transparently. But if the client and the proxy are under control of the same entity there is a greater risk for rogue certificate chains to perform a MitM attack.

Quick note (4, Informative)

Anonymous Coward | about a year and a half ago | (#42536147)

Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

Re:Quick note (4, Funny)

hawguy (1600213) | about a year and a half ago | (#42536185)

Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

Obviously, Microsoft is behind this to push users to Windows Phone.

Re:Quick note (1)

OffaMyLawn (1885682) | about a year and a half ago | (#42536583)

But don't the Windows Phone models sold on Verizon have that Data Sense or whatever it is which pretty much does......exactly this to compress data usage?

Re:Quick note (2)

Wamoc (1263324) | about a year and a half ago | (#42536891)

Data sense is to track how much you have used and limit some services when you are low on remaining data for the month. It does not look at the content of the data, just the amount and which app initiated it.

httpS (0)

etash (1907284) | about a year and a half ago | (#42536163)

well if there is an S in the end, even if they use a proxy, they are not able to read the sensitive, or any data that is. However i doubt they would be dumb enough to even want to do such a thing, it must be something more innocent ( for speeding up reasons? )

Re:httpS (2)

etash (1907284) | about a year and a half ago | (#42536269)

well if i had RTFA-d I would have realized that they are indeed performing a real MITM, as https can't be really proxied without a MITM. my first post is kind of dumb, but i still don't think they are doing it for sniffing our details.

Re:httpS (3, Informative)

timeOday (582209) | about a year and a half ago | (#42536469)

Nokia isn't "in the middle," they are the endpoint you are accessing. If that is compromised all bets are off. (Just like how https won't guard against a key logger installed in your keyboard).

Re:httpS (4, Funny)

fatphil (181876) | about a year and a half ago | (#42537759)

They are the middle and the endpoint. Without any proxying, you only have to trust their client on your terminal. With the proxy, you also have to trust their proxy on their server.

Fortunately, no servers have ever been hacked, and nobody's ever written an insecure proxy, so that worry can be dismissed.

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42537767)

Wow, that's a pretty big whoosh for missing what's going on here.

Especially given the GP.

Re:httpS (1)

hawguy (1600213) | about a year and a half ago | (#42537507)

well if i had RTFA-d I would have realized that they are indeed performing a real MITM, as https can't be really proxied without a MITM. my first post is kind of dumb, but i still don't think they are doing it for sniffing our details.

Even if you trust Nokia to not steal your private data, do you trust their network security enough to believe that someone else isn't stealing it? Everything you normally think of as private and sensitive is available through their proxy servers... seems like an awfully attractive target for thieves - why steal your credit card number when they can steal your online banking password and transfer all of your cash to themselves?

Re:httpS (1)

feld (980784) | about a year and a half ago | (#42536309)

Why can't they redirect https? It's their phone -- they can bake into the firmware to ignore bad certificates from their own proxy servers.

Re:httpS (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42536419)

It's their phone

No. It was their phone. Then they sold it to someone else.

Re:httpS (0)

vlm (69642) | about a year and a half ago | (#42536783)

It's their phone

No. It was their phone. Then they sold it to someone else.

LOL you probably think the government is "your government" or the real estate you rent from the state is "your property" too.

Re:httpS (1)

CanHasDIY (1672858) | about a year and a half ago | (#42537253)

It's their phone

No. It was their phone. Then they sold it to someone else.

HA!

I take it you've never actually read a EULA or ToS?

Re:httpS (5, Informative)

Above (100351) | about a year and a half ago | (#42536353)

Actually it may not be that simple without verifying the certificates.

Many corporations for instance use products that look inside SSL streams (typically IM's) for sensitive data. The way they do this is to install a cert signed by the company on the proxy, and set the company's CA cert on your computer to always trust. Your machine makes a connection which is grabbed by the proxy, the proxy presents the valid corporate certificate. It then makes a connection off to the real service using SSL as well. Your basic man in the middle attack.

For clients that don't show the cert (like many IM clients) there's no way to know, and on those that do the user would have to check. If they are trained to just look for the padlock it appears all is well.

I can't tell if Nokia is doing something like that or not, but if you work at a big corporation you might want to check the cert fingerprints for say your bank and compare them to an access from home. I've been told the newer products can generate a cert per site on the fly, making the fake certs look correct (right company name and all of that). If your company is going to that length to spy on you, perhaps it's time to rethink your employer...
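The fingerprint comparison suggested in the comment above, sketched in Python as an added example (not code from the thread or the article). Host names, issuer names and certificate bytes in the demo are constructed placeholders; `observe()` is the only function that touches the network.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 of a DER-encoded certificate, as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_org(peercert):
    """Extract organizationName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def observe(host, port=443, timeout=5.0):
    """Record what the current network presents for host.

    The system trust store is used on purpose: a leaf signed by an inspection
    CA that was installed on the machine validates here just as it does in the
    browser, and its issuer then shows up in the result.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return {"host": host,
            "fingerprint": sha256_fingerprint(der),
            "issuer": issuer_org(info)}


def compare(reference, observed):
    """Classify an observation against one taken from a network you trust.

    A differing fingerprint alone is weak evidence: large sites rotate
    certificates and serve several behind load balancers. A differing issuer
    is the stronger signal that something re-signed the connection.
    """
    if reference["fingerprint"] == observed["fingerprint"]:
        return "same-leaf"
    if reference["issuer"] and reference["issuer"] == observed["issuer"]:
        return "different-leaf-same-issuer"
    return "issuer-changed"


if __name__ == "__main__":
    # Constructed observations standing in for observe("bank.example") run
    # once at home and once at work; the byte strings are not real certificates.
    home = {"host": "bank.example",
            "fingerprint": sha256_fingerprint(b"constructed leaf A"),
            "issuer": "Example Public CA"}
    work = {"host": "bank.example",
            "fingerprint": sha256_fingerprint(b"constructed leaf B"),
            "issuer": "Example Corp Inspection CA"}
    print(compare(home, work))
```

Products that mint a certificate per site copy the subject name but cannot copy the public CA's signature, so the issuer (and the fingerprint) still differ from what an uninspected network shows.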

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42536789)

Well, the thing is they are going to that length, but only because I'm the one who made it possible, so maybe it's time for them to rethink my salary? Or should I be expecting exile to Soviet Russia?

Re:httpS (5, Informative)

jandar (304267) | about a year and a half ago | (#42536361)

Nokia has certificates pre-installed to make a man-in-the-middle attack. From the article:

From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse.

So this is the worst privacy nightmare.

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42537219)

Really? The Americans are passing laws to ensure that even overseas customers are treated to the same degree of surveillance as a genuine American and Nokia's browser settings are your "worst privacy nightmare?"

Facebook. There, now you have a _SECOND_ antichrist to deal with.

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42537237)

Sigh... Are you brown too by the chance?

Re:httpS (1)

Baloroth (2370816) | about a year and a half ago | (#42537249)

Nokia has certificates pre-installed to make a man-in-the-middle attack. From the article:

You completely misunderstand how the browser in question works. The whole point of the browser is that it doesn't connect to websites directly. Hell, it probably can't (most likely doesn't have a full rendering engine included). It connects to Nokia's servers, which fetch the page, do some pre-rendering, then sends it to the phone itself. Opera Mini works the same way, and has for probably nearly a decade now. It's called a "proxy browser". Nokia's website specifically says that's how they work. Whether it is a privacy nightmare depends on whether you believe Nokia when they say they don't store the information (well, I assume they say that, I know Opera does). It's not an "attack" any more than your router is "attacking" your traffic by directing packets through itself.

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42537637)

mod parent up.

See for example [opera.com]

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42537689)

The whole point of the browser is that it doesn't connect to websites directly.

The whole point of SSL is that it connects only to the server you requested, and encrypts the data so only that server can see it. Do you really think that Joe Sixpack has read Nokia's website before he logs into his bank?

Seems like just another nail in Nokia's coffin...

Re:httpS (0)

Anonymous Coward | about a year and a half ago | (#42536381)

RTFA, they hijack certificate queries, plus it is all about nokia phones which come with the necessary certs to perform a MITM attack without alert prompts. They get your full plaintext.

Opera Mini is supposed to be proxied (5, Informative)

Anonymous Coward | about a year and a half ago | (#42536183)

The whole point of Opera Mini is to use Opera's proxies to reduce the load on the phone so complaining about that would be stupid (their other browser, Opera Mobile, is the one that doesn't use proxies). Is Nokia's browser expected to do the same as Opera Mini? (that they use the same user agent may imply so)

Re:Opera Mini is supposed to be proxied (5, Informative)

MrWeelson (948337) | about a year and a half ago | (#42536291)

Exactly!
From http://www.opera.com/mobile/specs/ [opera.com]

"Opera Mini always uses Opera’s advanced server compression technology to compress web content before it gets to a device. The rendering engine is on Opera’s server."

On the Nokia website it states outright that "Compressed pages mean lower data charges" http://www.nokia.com/gb-en/products/phone/302/ [nokia.com]

Re:Opera Mini is supposed to be proxied (0)

Anonymous Coward | about a year and a half ago | (#42537533)

Opera Mobile, when Turbo is enabled, will also make use of that proxy to a limited degree. This is to reduce the data amounts transferred via various means, including recompression of images using WebP. The same service can be enabled on the Opera desktop browser, btw.

ovo -Hoot

Opera's proxy is known. (1)

Anonymous Coward | about a year and a half ago | (#42536211)

It's a feature. You can enable it, or not.

Re:Opera's proxy is known. (1)

Anonymous Coward | about a year and a half ago | (#42536313)

Not technically correct.

The Opera Mini browser requires the use of the proxy. You can install Opera to avoid this, but it's not a simple toggle in the settings menu.

Re:Opera's proxy is known. (1)

ericloewe (2129490) | about a year and a half ago | (#42537093)

I'm relatively sure Nokia's browser has the same feature, as they announced (if I'm not imagining it) some time ago.

Nothing to see here, move along...

Interesting SSL behavior (2)

mveloso (325617) | about a year and a half ago | (#42536237)

Nokia also seems to have allowed MTM attacks using its own cert - the Nokia proxy is returning a nokia cert, which is trusted by the OS. Plus they're suppressing hostname checks on Nokia certs as well. You'd think they would have just sprung for a wildcard cert.

Re:Interesting SSL behavior (1)

Kalriath (849904) | about a year and a half ago | (#42536307)

No, because the wildcard character may only be in the leftmost part of the CN component of the certificate. A certificate issued to "*" would be completely invalid for all purposes.

Re:Interesting SSL behavior (0)

Anonymous Coward | about a year and a half ago | (#42536775)

Yes, but it's up to the client to validate the CN of the certificate against the resource accessed. If you wrote the client all bets are off.

I could write a browser that always says that the connection is 100% secure if the server certificate is for MAN.IN.THE.MIDDLE.nokia.com. In fact, I could write a browser, that when it connects through HTTPS and gets my MITM certificate downloads the correct certificate and shows that one to the user but uses the MITM cert instead.

It's a bit like telling Alfred to dial up the number for your bank and having him just hand you a handset. You ask him who he dialed and he'll tell you it was your bank when really it's his eastern European crime partners who are now emptying your bank account into theirs.

Re:Interesting SSL behavior (1)

feld (980784) | about a year and a half ago | (#42536333)

you can't buy a wildcard cert that is wildcard for everything

Re:Interesting SSL behavior (2)

tepples (727027) | about a year and a half ago | (#42536737)

You can if you have your root certificate installed in your end users' devices, and your proxy generates a new certificate for each hostname that is accessed.

Re:Interesting SSL behavior (1)

mveloso (325617) | about a year and a half ago | (#42536485)

You can buy a wildcard for *.browser.ovi.com, which was the point of my comment. They're suppressing hostname checking on their own domain, not on the internet. RTFA.
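The hostname check this sub-thread argues about, written out in Python as an added example (not code from the thread, the article or any browser). It applies the rule stated above that a wildcard may only be the leftmost label, then audits constructed (requested host, names in presented certificate) pairs the way an independent check would when the client itself has hostname validation switched off; all host names are placeholders.

```python
def wildcard_match(pattern, host):
    """Match a certificate name against the host the client asked for.

    Rules applied: comparison is case-insensitive; '*' is accepted only as the
    entire leftmost label; it stands for exactly one label; and at least two
    labels must follow it, so '*' and '*.com' never match anything.
    Partial wildcards such as 'w*.example.com' are rejected outright, which is
    stricter than some clients.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the leftmost label
    if p[0] == "*":
        if len(p) < 3:
            return False                  # '*' or '*.tld' would cover everything
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcard label
    return p == h


def names_cover(cert_names, host):
    """True if any name in the certificate is valid for the requested host."""
    return any(wildcard_match(name, host) for name in cert_names)


def audit(observations):
    """Return the observations where the presented names do not cover the host.

    A client that suppresses hostname checks for certain certificates accepts
    these silently; comparing requested host and presented names outside that
    client is how the substitution becomes visible.
    """
    return [(host, names) for host, names in observations
            if not names_cover(names, host)]


# Constructed observations: (host the user requested, names in the certificate
# the connection actually presented).
OBSERVATIONS = [
    ("www.bank.example", ["www.bank.example", "bank.example"]),
    ("mail.shop.example", ["*.shop.example"]),
    ("www.bank.example", ["*.proxy.vendor.example"]),   # proxy's own certificate
    ("login.shop.example", ["*"]),                      # catch-all, never valid
]

if __name__ == "__main__":
    for host, names in audit(OBSERVATIONS):
        print(f"name mismatch: asked for {host}, certificate names {names}")
```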

ISPs can do the same thing. (2)

140Mandak262Jamuna (970587) | about a year and a half ago | (#42536265)

Technically all ISPs can do it. Right? Or am I wrong, and what Nokia does is far more sinister than what a plain vanilla ISP can do to home internet connection?

Re:ISPs can do the same thing. (5, Informative)

Anonymous Coward | about a year and a half ago | (#42536397)

Wrong. It requires the ISP to plant a certificate on your system that is used to perform the MITM attack. Never install software from your ISP is my motto.

AC

Re:ISPs can do the same thing. (1)

jeti (105266) | about a year and a half ago | (#42536461)

No. You would have to run a browser that accepts the certificate of the ISP for any domain as well.

Re:ISPs can do the same thing. (1)

Rob Riggs (6418) | about a year and a half ago | (#42536613)

Anyone that provides the hardware and software from which you access the web can do this. My work does it. Your local library can do it. The internet access kiosks can do it. Any device manufacturer can do it. Those cheap Android computers-on-a-stick can do it. Your TV can do it. It's a real problem because people trust the devices they use. If you cannot trust the device, you are royally screwed.

https tunneling (0)

Anonymous Coward | about a year and a half ago | (#42536315)

Proxies which handle https do not decrypt the traffic, they simply tunnel it. And proxies, even transparent ones, don't hijack anything. What if Nokia's proxy was transparent - would a "security professional" complain then? Sounds more like a case of "manic paranoiac" than "security professional".

News? (1)

Anonymous Coward | about a year and a half ago | (#42536345)

Opera mini and similar J2ME browsers for underpowered phones have always worked like that.
And the 'cloud' browser from Amazon works like that too.
It's admittedly not great and you have to hope that the Opera, Nokia or Amazon guys know what they are doing...
But usually when you are using a computer to access your bank, you have to trust quite a number of people:
- all the Certificate Authorities in the world as any of them could issue a fake certificate that looks like your bank and you likely would not notice
- the browser developers and they are pushing updates all the time so you could get a fake update today to hack you, another one to mask the hack tomorrow.
- the OS developers
- the driver developers as most drivers have some privileged access
- the bank's IT guys
- the bank's service providers and hosting company

Finally, if you use your work computer to access your bank you have to add your IT team and they might have a proxy that opens your SSL traffic (they just need to add their CA to your browser and they can intercept everything and make it look like it's normal...)

If ever ... (1)

briancox2 (2417470) | about a year and a half ago | (#42536347)

If ever there was a case for Free Software on mobile devices, this is it. Thank God Ubuntu, Android and Tizen exist to disrupt the ole Microsoft/IBM/Apple oligarchy!

Re:If ever ... (1)

aztracker1 (702135) | about a year and a half ago | (#42537581)

You don't think this is possible on Android, etc? Any vendor can modify the distributed OS to do something similar with the default browser.. and even at the OS level. Doesn't the OS control DNS and certificate services in mobile...

Similar to BIS? (1)

Anonymous Coward | about a year and a half ago | (#42536377)

It seems like when using my BlackBerry connected to BIS (AT&T) it has certificates installed for my wireless provider and content is going through their servers. My understanding was that the BIS was doing some translations to make the content suitable for the BlackBerry browser, but I imagine they could intercept anything and I wouldn't have been alerted about it.

I always wondered why BlackBerry was considered so secure given this...

Yep, checking the phone now, there they are in the cert list:
us.cingular.midp20.FullTrust
us.cingular.midp20.SemiTrust
us.cingular.midp20.Trusted3rd

If I distrust them I get untrusted cert warnings trying to visit google.com using https. If I trust them again, everything works smoothly.

My employer just started doing this also. (3, Insightful)

codewarren (927270) | about a year and a half ago | (#42536453)

Doesn't this open them up to all kinds of legal problems? I mean if my bank account gets compromised after I use my nokia phone to check my balance, would I not have a pretty good cause for lawsuit?

Re:My employer just started doing this also. (0)

Anonymous Coward | about a year and a half ago | (#42536577)

Yes

Re:My employer just started doing this also. (0)

geek (5680) | about a year and a half ago | (#42536899)

It's a flagrant HIPAA violation. If you were to check your medical records online and your employer has the ability to see them, they are in big trouble.

Re:My employer just started doing this also. (2)

codewarren (927270) | about a year and a half ago | (#42537275)

I have username envy.

That is a fascinating idea, but according to this story about who HIPAA applies to [wraltechwire.com] , employers are rarely subject to HIPAA except under some specific circumstances.

Traffic is *supposed to* be proxied. (4, Informative)

zyzko (6739) | about a year and a half ago | (#42536515)

For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since dawn of time) is that they use proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page [opera.com] showing how the browser works.

The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phoneproxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

Re:Traffic is *supposed to* be proxied. (1)

RearNakedChoke (1102093) | about a year and a half ago | (#42536755)

For heaven's sake, RTFA. They ARE using MITM.

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537029)

Opera Mini and Opera Mobile have done this since day one, for Christ's sake!

Is there any end-to-end security between my handset and — for example — paypal.com or my bank?
Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the webpage. Therefore no end-to-end encryption between the client and the remote web server is possible.

If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.

http://www.opera.com/mobile/help/faq/#security [opera.com]

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537303)

Did you even read his comment or was the whining like a little bitch about "RTFA" just a Slashdot reflex?

The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate

Re:Traffic is *supposed to* be proxied. (2)

Derek Pomery (2028) | about a year and a half ago | (#42536819)

You don't need client side certificates to be sure in a normal situation that your traffic isn't being hijacked by the ISP.
You only need confidence that the CAs aren't issuing certs for the site you are connecting to, which is why when TURKTRUST issued a cert for google it was Big Deal.

In this case, they are using preinstalled certs on the local browsers to perform MITM when connecting to supposedly secure sites, such as your bank.

Some workplaces do this sort of cert preinstallation to allow snooping on SSL traffic passing through their proxies. Obviously same solution as with Nokia. If you don't like your private information passing in the clear through some random server controlled by your ISP or employer, quit.

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537087)

You don't need client side certificates to be sure in a normal situation that your traffic isn't being hijacked by the ISP.

You need the CA certificates, which are client-side certificates. Those must be preinstalled if you desire to trust any connection at all.

Re:Traffic is *supposed to* be proxied. (5, Informative)

miroku000 (2791465) | about a year and a half ago | (#42536993)

The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

This is *not* how SSL is supposed to work. Any certificate authority that is forging certificates for other people's web servers is not one that should be trusted. Essentially, Nokia is lying to the web browser and saying that they are actually Amazon.com or whoever you are making a secure connection with. By fraudulently representing that they are Amazon.com or whoever, they are intercepting your passwords to these sites. Client side certificates would not help in this case because the client is controlled by Nokia. So, they would have a copy of your client side certificates as well.

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537515)

This should be the top comment.

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537075)

The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

Nonsense. You don't have to verify both ends of the connection, because you are one of the ends. Client-side certificates are so that the server can verify you.
Having a rogue CA certificate from Nokia on your 'phone to circumvent the verification, is most certainly not how TLS is supposed to work.

Re:Traffic is *supposed to* be proxied. (0)

Anonymous Coward | about a year and a half ago | (#42537453)

But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

Uh, no, that's not how SSL is supposed to work... proxies are supposed to pass the encrypted packet unopened so that the server/client authentication is being done directly between the real server and real client.

Putting a MITM for HTTPS proxying also serves no real purpose for most sites, and by concept HTTPS traffic is usually items that are unique to an individual, so there is no use adding them to a common cache. So it doesn't help reduce bandwidth, which is a legitimate use of a proxy. As for 'reshaping' the data... see #4 below...
So there are a couple huge possibilities from doing this... all bad:
1- Obvious one: Nokia has access to all your personal info
2- User has no way to verify that the actual site being connected to is correct, they are now trusting that the proxy is validating the server certificate. What happens when you visit an HTTPS site on a Nokia phone which has an invalid cert????
3- Nokia's browser obviously isn't presenting to you that the certificate you are being presented isn't for the site you are visiting. (https://www.google.com returns a certificate from cloud1.browser.ovi.com). What happens when the -actual- server being visited is a spoof server and presents the proxy with "www.malware.com" as a certificate?? Is that passed? (similar to the above I admit, but this part of the problem now makes SSL sites more vulnerable to a DNS hijack)
4- If the proxy is reducing data by modifying the returned page, they are disturbing the integrity of the supposedly secured document, maybe not an issue with a logo JPG, but is a dangerous slope. Digitally signed documents are considered legally valid.
5- Legally, Nokia is now assuming all responsibility for the integrity of ALL data being presented via SSL, who knows what kind of lawsuits some team of lawyers will come up with. If their servers get fooled and present malware, the user is perfectly legit to hold Nokia responsible for providing bad data.

All modern (desktop) browsers give the user the opportunity to manually inspect the certificate of their SSL connections, obviously the Nokia browser does not. (Edit... looks like Safari on the iPhone doesn't either, it only presents a "lock" icon, which is annoying)

Re:Traffic is *supposed to* be proxied. (1)

Derek Pomery (2028) | about a year and a half ago | (#42537559)

Indeed, that iPhone behaviour was very irritating to me when I was travelling, and borrowed my SO's 1st gen iPhone to connect to my home server to check e-mail. There was no way whatsoever to inspect the certificate, so I just had to hope the people running the network weren't evil.
Now I have an Android phone of my own, and can just run Firefox on it (love the Sync feature - saves so much time on moving browsing session from computer to phone, and when entering passwords).

Re:Traffic is *supposed to* be proxied. (1)

rwyoder (759998) | about a year and a half ago | (#42537765)

For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since dawn of time) is that they use a proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page [opera.com] showing how the browser works.

The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

Wrong!!! This is a MITM attack. SSL is *not* supposed to be hacked between client and server. There is supposed to be an encrypted, unbroken path between the two, else there is *no* security.

Do any of the other manufacturers do this? (1)

ohnocitizen (1951674) | about a year and a half ago | (#42536557)

Nokia is now the devil we know. Is anyone else pulling a similar stunt?

Re:Do any of the other manufacturers do this? (0)

Anonymous Coward | about a year and a half ago | (#42536705)

Traffic compression for developing countries! Who the hell do they think they are?

Re:Do any of the other manufacturers do this? (0)

Anonymous Coward | about a year and a half ago | (#42537137)

In November 2012, the consumer base of the Opera Mini and Opera Mobile browsers increased in unique users. In all, more than 215 million people used Opera Mini or Opera Mobile in November. The Opera Mini servers (which do not process pages from Opera Mobile browsers) served more than 130 billion pages and compressed over 11 petabytes of data for Opera Mini users. More than 31% of the total users of Opera Mini and Opera Mobile are using smartphones to browse the web. Compared to November 2011, the total number of Opera Mini and Opera Mobile users grew more than 92% year over year.

In November 2012, there were over 215 million Opera Mini and Opera Mobile users. Out of this number, more than 20 million were Opera Mobile users, and the rest were Opera Mini users. Compared to November 2011, Opera Mini and Opera Mobile combined grew more than 29% year over year.

Opera Mini users viewed over 130 billion pages in November 2012. Since November 2011, page views have increased by more than 47%.

In November 2012, Opera Mini users generated over 2.4 billion MB of data for operators worldwide. Data in the Opera Mini browser is compressed by up to 90%. If this data were uncompressed, Opera Mini users would have viewed over 11 petabytes of data in November. Since November 2011, data traffic has risen by more than 72%.

Re:Do any of the other manufacturers do this? (0)

Anonymous Coward | about a year and a half ago | (#42536915)

T-Mobile.
Not a manufacturer, and they don't seem to have installed certs, but ANY https site I go to through T-Mo has an invalid cert.
And don't get me started about trying to use them for technical docs/images...that all get recompressed with really crappy jpg quality settings.

Re:Do any of the other manufacturers do this? (1)

aztracker1 (702135) | about a year and a half ago | (#42537749)

Wild.. haven't seen this myself, running a stock Nexus 4 bought directly from Google though...

Re:Do any of the other manufacturers do this? (1)

fredprado (2569351) | about a year and a half ago | (#42536939)

Proxies, yes. MITM, not that I know.

Isn't PKCS supposed precisely to counter MITM? (0)

Anonymous Coward | about a year and a half ago | (#42536745)

I was under the impression that PKCS were precisely conceived such that it was possible to establish a secure connection between two parties which didn't exchange in advance any information?

How does TLS / SSL work? Isn't it a PKCS?

Lastly: what is the point of TLS / SSL if anyone can exploit the very thing TLS / SSL tries to solve!?

So, check your certificates (1)

PPH (736903) | about a year and a half ago | (#42536879)

Make sure that the certificate fingerprints agree with those obtained through some alternate channel (another browser on another system through a different ISP, etc.).

If they agree, this is all a non issue. It's not likely that a certificate replaced by a MITM attack would generate the same hash as the original.

This does not show a man in the middle attack (0)

Anonymous Coward | about a year and a half ago | (#42536903)

There's nothing here that shows a man in the middle attack. The author needs to show at least the following:

* The phone received a fake certificate that appears to be from google but is not. That can be done by comparing the fingerprint of the cert received by the phone with the fingerprint from a known good google certificate.

* The phone trusts the fake certificate because the fake is signed by a fake root certificate pre-installed on the phone.

All the blog post shows is the phone made an https connection to a proxy server and received a valid certificate for that proxy server (NOT a fake google certificate).
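An added example, not part of the thread: the fingerprint comparison suggested under "So, check your certificates" and the two conditions listed in the comment above, combined into one check that separates a session ending at a proxy from a substituted certificate. The host names, byte strings and function names are constructed for illustration.

```python
import hashlib

def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def name_matches(host, cert_names):
    """True if host matches a certificate DNS name; '*' covers one left-most label."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def classify(host, observed_der, observed_names, reference_fps):
    """Classify one observed TLS connection to `host`.

    reference_fps: fingerprints for `host` collected over an independent
    channel (another device, another network).
    """
    if not name_matches(host, observed_names):
        # Certificate names some other server (for example a proxy): the TLS
        # session ends there, so there is no end-to-end channel to `host`.
        return "terminates-elsewhere"
    if fingerprint(observed_der) in reference_fps:
        return "matches-reference"
    # Names the host but was never seen out of band: either another valid
    # certificate for the site or a substituted one signed by a root the
    # device trusts. Check the issuer before concluding.
    return "unverified-certificate"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
REAL_SITE = b"constructed-der:www.example.test:issued-by-public-ca"
PROXY = b"constructed-der:proxy.example.net"
SUBSTITUTED = b"constructed-der:www.example.test:issued-by-device-root"
REFERENCE = {fingerprint(REAL_SITE)}

if __name__ == "__main__":
    for der, names in [(REAL_SITE, ["www.example.test"]),
                       (PROXY, ["proxy.example.net"]),
                       (SUBSTITUTED, ["*.example.test"])]:
        print(classify("www.example.test", der, names, REFERENCE))
```

On a desktop client the DER bytes can be taken from Python's `ssl.SSLSocket.getpeercert(binary_form=True)`. A fingerprint mismatch alone is not proof of interception, because large sites serve several valid certificates.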

ALL YOR BEFUNKIN ARR GEBIGIN TO WUS !! (0)

Anonymous Coward | about a year and a half ago | (#42537449)

So say the Finns !!

Not MITM (0)

Anonymous Coward | about a year and a half ago | (#42537569)

It is well documented (e.g. http://www.developer.nokia.com/Develop/Series_40/Nokia_Browser_for_Series_40/ speaks of a client, not a browser) that the browser on those phones is basically a UI talking to a rendering engine running in the cloud. All the traces found in the article are showing the proprietary protocol spoken between the browser UI running on the phone and the rendering engine running on Nokia servers and the DNS lookup the UI does to find its server in the cloud. Actually I am positively surprised that this proprietary protocol is encrypted;-)

So _technically_ this is not a man-in-the-middle scenario at all: There is nobody between the rendering engine run by the user and the site that rendering engine connects to. Practically Nokia could log everything you do. But quite frankly anybody that controls your hardware and software can do the same.

So what is the fuss all about?

No secret (0)

Anonymous Coward | about a year and a half ago | (#42537885)

How can this possibly be a surprise when Nokia widely advertise their "Nokia Express Browser" as explicitly doing just this?
