ste-phan
Posts: 1,195 | Thanked: 2,708 times | Joined on Jan 2010 @ Hanoi
#11
Strange choice from Nokia.
Whenever I use HTTPS for banking or private searches, saving mobile bandwidth is not my primary concern.

The Nokia proxy server is not yet delivered by MS I hope?

Having the choice of turning off ads and autoplay Flash, and running scripts only on demand, is much more useful to save some bandwidth on my N900. (Fennec)
 
Posts: 3,074 | Thanked: 12,960 times | Joined on Mar 2010 @ Sofia,Bulgaria
#12
Originally Posted by woody14619:
I'm sure this is disclosed in the documentation somewhere. Opera Mini, for example, discloses this in the 27 pages of legal "agreement" you say OK to on first run. Anytime you have bandwidth savings, good odds it comes at the price of some level of security.

One silly question: If you trust a phone manufacturer to not put back doors and spyware into their closed-source browser and/or base OS... Why would you suddenly not trust them running a web server that does compression and middle-man decryption needed to do that well?

There are far more examples of manufacturers putting in back doors and data dump capabilities into their software than spying on service streams.
No matter if it is disclosed or not, this is a MITM attack by all measures. As correctly pointed out in one of the comments of the above article, HTTPS is supposed to mean end-to-end encryption. In the same way, when you enter your card's PIN on an ATM not belonging to the bank that has issued your card, you expect it (the PIN) to pass encrypted all the way from the acquirer's device PINPAD to your bank's authorization system HSM. Period.
__________________
Never fear. I is here.

720p video support on N900,SmartReflex on N900,Keyboard and mouse support on N900
Nothing is impossible - Stable thumb2 on n900

Community SSU developer
kernel-power developer and maintainer

 

The Following 4 Users Say Thank You to freemangordon For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#13
Originally Posted by thedead1440:
2 things:

- Unlike Opera, Nokia's privacy policy or terms of service does NOT mention this

- Opera only compresses HTTP traffic and does not touch HTTPS traffic other than transmitting it from your phone to the destination, but Nokia decrypts HTTPS traffic too on their servers, which means any compromising of Nokia's servers is a threat for those using it...

If it was transparent, nobody would say a thing but Nokia did realize they screwed up as usual and even before the above article posted a reply on the original blog. The above is what I gathered from the original blog but haven't verified it myself...
Actually Opera Mini does it exactly like the Nokia browser in Asha.

Both of those act as a middleman, creating two secure connections where one is towards the user and one to the service provider. The traffic is decrypted between the sessions for compression.
This is something that has to be done if HTTPS traffic needs to be compressed, as a secure channel of course cannot be compressed.

The f***up here is not informing users about it. Neither of them does it well; Nokia supposedly does not say anything about it, and it took me 5 minutes of searching to find that about Opera.
 

The Following User Says Thank You to juiceme For This Useful Post:
Moderator | Posts: 6,215 | Thanked: 6,400 times | Joined on Nov 2011
#14
Juiceme,

The original blog says that for HTTPS data Opera doesn't compress it, while Xpress Browser seeks to compress HTTPS data too, so are you sure Opera too does the compression?
 
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#15
From the Opera Mini FAQ:

Is there any end-to-end security between my handset and — for example — paypal.com or my bank?

Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the webpage. Therefore no end-to-end encryption between the client and the remote web server is possible.

If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.
 

The Following 9 Users Say Thank You to juiceme For This Useful Post:
peterleinchen
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#16
Do you remember the security hole/breach Nokia had with their developer accounts?

How am I/we supposed to believe our unencrypted private communication details are safe?

PERIOD
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257
 
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#17
I don't get what the fuss is all about. If you want to use a proxy you know what you're getting.

This has always been like that for, as mentioned above, Opera Mini, Nokia Messaging and (I guess) Apple iCloud (but there nobody complains because it's Apple, I suppose).

I don't want a proxy, don't use one. Nobody forces you to do so.
 

The Following 4 Users Say Thank You to reinob For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#18
Originally Posted by peterleinchen:
Do you remember the security hole/breach Nokia had with their developer accounts?

How am I/we supposed to believe our unencrypted private communication details are safe?

PERIOD
You simply cannot. Period.

There is just no way you can really really make sure that your private communications are safe, whether they are encrypted or not.

Even if you compile everything from source yourself, and inspect every line of the source code you are using you still cannot be sure. How can you make sure the compiler itself is not compromised?
There are ways of building a toolchain so that even as the sources used to build the compiler can be compromised so that when you build it yourself it still can in binary form do something you are not expecting. (You might get around this by building your build tools first with different build tools, but to do that you would need to REALLY tweak the build chain; try building the GNU compiler with MS-devstudio, for example...)

And what about all the proprietary blobs in drivers, not to mention the firmware in ASICs and PLDs of your computing platform...

No, when you start to go paranoid there is no end to it.
 

The Following 3 Users Say Thank You to juiceme For This Useful Post:
Posts: 470 | Thanked: 399 times | Joined on Jul 2011 @ Croatia
#19
Oh, like TLS/SSL is safe anyway, as most of it is still on the outdated 1.0 version server-side...
 
Posts: 470 | Thanked: 173 times | Joined on Oct 2009 @ Melb
#20
on Nokia Lumia and Nokia Asha devices
Phew, lucky I'm sitting pretty on my N9
 