 | Wow. Just spying on some http traffic is bad, but this takes it to a whole new level. It just amazes me that a company who is trying to increase their market share would also do something that could pull the rug out from underneath them.
So we just decrypted your bank traffic and made sure to store that info on our servers, but we promise we're not going to use that data.... |
|
|
|
 | Is Opera Mini not doing exactly the same thing? Opera uses its servers as proxies to compress and speed up pages, and it would have to do "man in the middle" if it is to accelerate https traffic.
I'm not saying that this is "good", but this has been happening for a while and even if you put it in the fine print most people won't understand the meaning of this. No company will say upfront that "we can see your credit card numbers but won't look at them", even the ones with best intentions.
BTW, Opera Mobile uses acceleration features too and probably has to do the same thing when data goes through their servers. |
|
 rradina join:2000-08-08 Chesterfield, MO | reply to anon523 Regardless of whether or not they look at the data, how can they guarantee their proxy servers are beyond compromise? What happens when an underpaid, overworked employee accepts a cash payment to compromise one of the servers for crooks?
IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site. |
|
 | reply to anon523 It's called illegal wiretapping...plain and simple! |
|
| reply to JackKane Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic. |
|
| reply to rradina
said by rradina: IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.
Unless your browser is totally brain dead (possible), or the would-be hacker has compromised a root security certificate (highly unlikely), you will get a certificate error if someone is attempting to perform a man-in-the-middle attack.
Those errors pop up for a reason! Don't ignore them. |
|
 rradina join:2000-08-08 Chesterfield, MO | Read the article. They have added trusted certificates of their own that their browser trusts. It doesn't pop up any message on the phone. |
|
| I assumed as such, but it does not change the validity of what I said. See the "brain dead" disclaimer. 
If you don't trust your software all bets are off. A normal browser would not behave in this fashion. Nokia has opened up a nasty can of worms here, both from a liability, and precedent standpoint. I doubt many other companies would be foolish enough to follow in their footsteps, and if they do I'd imagine we'll see legislation against this behavior in the not too distant future. There are too many well monied stakeholders (banks) who will be horrified by this. |
|
 LinklistPremium join:2002-03-03 Longport, NJ kudos:5 | reply to MovieLover76
said by MovieLover76: Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.
Opera doesn't accelerate https traffic.
-- A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury. |
|
 cramer join:2007-04-10 Raleigh, NC kudos:7 | reply to MovieLover76 Accelerate HTTPS traffic? If by "accelerate" you mean form network connections faster, then off-loading the entire SSL handshake from the phone would be a very good starting point. (but then, the *phone* isn't doing https) If you mean compression, then the only way to do it is via decrypting the stream -- the encrypted bit stream is NOT compressible. But unless you are going to actively MODIFY the content (re-encode jpg's with lower quality, etc.) (which is an illegal wiretap), you're wasting your time as pretty much *every* web server in existence is already compressing its output.
Also, to "man in the middle" an HTTPS connection, you not only need to be in the middle, you also have to be at the origin... the ssl certificate contains a name, and when it doesn't match the name you used to get there, the browser throws up a warning. The only way around this is to, well, be the browser ("don't look behind that curtain"), or... install a local trusted "*" wildcard certificate. (which is how we've done it at work for nearly a decade -- 'tho it's not been used in years.) |
|
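A simplified model of the checks discussed in the posts above (name match, chain to a trusted root, optional key pinning), added here as an example and not part of the thread. The certificate names, key bytes and the `check` function are constructed for illustration, and signatures are modelled only by issuer-name linkage.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate was issued for
    issuer: str    # subject of the certificate that signed it
    key: bytes     # stand-in for the public key (constructed bytes)

    def pin(self) -> str:
        # Stand-in for a SHA-256 public-key pin
        return hashlib.sha256(self.key).hexdigest()

def name_matches(pattern: str, host: str) -> bool:
    # Exact match, or a left-most "*" label covering exactly one label
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check(chain, host, trust_store, pins=None):
    """Return 'ok', or the reason a client should refuse the connection."""
    leaf, root = chain[0], chain[-1]
    if not name_matches(leaf.subject, host):
        return "name mismatch"
    # Each certificate must be issued by the next one in the chain
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "broken chain"
    if root not in trust_store:
        return "untrusted issuer"
    # Pinning: the client remembers the site's real key independently
    if pins is not None and leaf.pin() not in pins:
        return "pin mismatch"
    return "ok"

# Constructed sample certificates (not real ones)
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"public-root-key")
PROXY_ROOT = Cert("Vendor Proxy CA", "Vendor Proxy CA", b"proxy-root-key")
REAL_LEAF = Cert("bank.example", "Public Root CA", b"bank-key")
PROXY_LEAF = Cert("bank.example", "Vendor Proxy CA", b"proxy-leaf-key")

STOCK_STORE = {PUBLIC_ROOT}               # ordinary browser trust store
VENDOR_STORE = {PUBLIC_ROOT, PROXY_ROOT}  # vendor root pre-installed

if __name__ == "__main__":
    proxied = [PROXY_LEAF, PROXY_ROOT]
    print(check(proxied, "bank.example", STOCK_STORE))
    print(check(proxied, "bank.example", VENDOR_STORE))
    print(check(proxied, "bank.example", VENDOR_STORE, {REAL_LEAF.pin()}))
```

With the vendor root in the trust store the proxy's certificate passes every ordinary check, which is why no warning appears on the phone; only a client that pins the site's real key notices the substitution.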
| reply to Crookshanks
said by Crookshanks: Unless your browser is totally brain dead (possible)
Mobile IE9 is brain dead! |
|
 SeleniaI love DebianPremium join:2006-09-22 Lanesboro, MA kudos:2 | reply to MovieLover76
said by MovieLover76: Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.
Opera Mini, not Opera Mobile. 2 different beasts. Opera Mobile does the rendering on the device and uses http compression to attempt to speed it up on slower connections. Opera Mini renders all visited sites on their servers, including https. Then a compressed form of the rendered page is sent to the browser, sort of an image with the links overlaid (which is how it renders full pages even on low end Java feature phones that are normally incapable). Opera does sufficiently warn about the security implications of this, telling you that https traffic between your phone and their servers is not secured, and not to use it on an unencrypted connection or insecure network. Nokia does the same thing but probably did not want to reveal the trade secret behind the acceleration.
-- A fool thinks they know everything.
A wise person knows enough to know they couldn't possibly know everything.
There are zealots for every OS, like every religion. They do not represent the majority of users for either. |
|