anon523
Anon
2013-Jan-10 12:37 pm
Wow
Just spying on some http traffic is bad, but this takes it to a whole new level. It just amazes me that a company who is trying to increase their market share would also do something that could pull the rug out from underneath them.
So we just decrypted your bank traffic and made sure to store that info on our servers, but we promise we're not going to use that data....
JackKane
Anon
2013-Jan-10 2:11 pm
Re: Wow
Is Opera Mini not doing exactly the same thing? Opera uses its servers as proxies to compress and speed up pages, and it would have to do "man in the middle" if it is to accelerate https traffic.
I'm not saying that this is "good", but this has been happening for a while and even if you put it in the fine print most people won't understand the meaning of this. No company will say upfront that "we can see your credit card numbers but won't look at them", even the ones with best intentions.
BTW, Opera Mobile uses acceleration features too and probably has to do the same thing when data goes through their servers.

MovieLover76
Re: Wow
Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.

FFH5 (Premium Member, join:2002-03-03, Tavistock NJ)
2013-Jan-10 5:45 pm
Re: Wow
said by MovieLover76: "Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing. Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic."
Opera doesn't accelerate https traffic.

cramer (Premium Member, join:2007-04-10, Raleigh, NC)
to MovieLover76
Accelerate HTTPS traffic? If by "accelerate" you mean form network connections faster, then off-loading the entire SSL handshake from the phone would be a very good starting point. (but then, the *phone* isn't doing https) If you mean compression, then the only way to do it is via decrypting the stream -- the encrypted bit stream is NOT compressible. But unless you are going to actively MODIFY the content (re-encode jpg's with lower quality, etc.) (which is an illegal wiretap), you're wasting your time as pretty much *every* web server in existence is already compressing its output.
Also, to "man in the middle" an HTTPS connection, you not only need to be in the middle, you also have to be at the origin... the ssl certificate contains a name, and when it doesn't match the name you used to get there, the browser throws up a warning. The only way around this is to, well, be the browser ("don't look behind that curtain"), or... install a local trusted "*" wildcard certificate. (which is how we've done it at work for nearly a decade -- 'tho it's not been used in years.)

Selenia (Gentoo Convert; Premium Member, join:2006-09-22, Fort Smith, AR)
to MovieLover76
said by MovieLover76: "Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing. Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic."
Opera Mini, not Opera Mobile. 2 different beasts. Opera Mobile does the rendering on the device and uses http compression to attempt to speed it up on slower connections. Opera Mini renders all visited sites on their servers, including https. Then a compressed form of the rendered page is sent to the browser, sort of an image with the links overlaid (which is how it renders full pages even on low end java feature phones that are normally incapable). Opera does sufficiently warn about the security implications of this, telling you that https traffic between your phone and their servers is not secured, and not to use it on an unencrypted connection or insecure network. Nokia does the same thing but probably did not want to reveal the trade secret behind the acceleration.

rradina (join:2000-08-08, Chesterfield, MO)
to anon523
Regardless of whether or not they look at the data, how can they guarantee their proxy servers are beyond compromise? What happens when an underpaid, overworked employee accepts a cash payment to compromise one of the servers for crooks?
IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.

Crookshanks
Re: Wow
said by rradina: "IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site."
Unless your browser is totally brain dead (possible), or the would-be hacker has compromised a root security certificate (highly unlikely), you will get a certificate error if someone is attempting to perform a man-in-the-middle attack. Those errors pop up for a reason! Don't ignore them.

rradina (join:2000-08-08, Chesterfield, MO)
Re: Wow
Read the article. They have added trusted certificates of their own that their browser trusts. It doesn't pop up any message on the phone.

Crookshanks
Re: Wow
I assumed as such, but it does not change the validity of what I said. See the "brain dead" disclaimer. If you don't trust your software all bets are off. A normal browser would not behave in this fashion. Nokia has opened up a nasty can of worms here, both from a liability and precedent standpoint. I doubt many other companies would be foolish enough to follow in their footsteps, and if they do I'd imagine we'll see legislation against this behavior in the not too distant future. There are too many well-moneyed stakeholders (banks) who will be horrified by this.

bobjohnson (Premium Member, join:2007-02-03, Spartanburg, SC)
to Crookshanks
said by Crookshanks: "Unless your browser is totally brain dead (possible)"
Mobile IE9 is brain dead!
to anon523
It's called illegal wiretapping...plain and simple!

jjoshua (Premium Member, join:2001-06-01, Scotch Plains, NJ)
2013-Jan-10 1:01 pm
Huh?
Why does any phone traffic go through nokia servers?

AnonPerson
Re: Huh?
That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.

sk1939 (Premium Member, join:2010-10-23, Frederick, MD)
2013-Jan-10 1:37 pm
Re: Huh?
said by AnonPerson: "That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it."
A lot of companies do it or are doing it in order to "speed up" how fast web pages display on a screen. It's much faster to render the page on a server and send it to the phone than have the phone do it. All of the major cell providers use a similar system, as does Apple I'm sure.

MovieLover76
Re: Huh?
But most systems do not decrypt https traffic, they only optimize http traffic.
You shouldn't trade security for a few seconds on a page load, and it definitely shouldn't be done by default.
Nokia should be slammed for this. They literally hack your https traffic on a regular basis. No matter what Nokia PR tries to claim, this is a security risk.
I'm very glad I don't own anything from Nokia.

rradina (join:2000-08-08, Chesterfield, MO)
Re: Huh?
I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.
EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones:
Handset Model: Nokia Asha 302
OS Version: 14.78 (31-08-12), RM-813
Browsers Tested On: Nokia Browser (2.2.0.0.31)
OS Type: Series 40 (S40)

sk1939 (Premium Member, join:2010-10-23, Frederick, MD)
2013-Jan-10 3:38 pm
Re: Huh?
said by rradina: "I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this. EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones: Handset Model: Nokia Asha 302; OS Version: 14.78 (31-08-12), RM-813; Browsers Tested On: Nokia Browser (2.2.0.0.31); OS Type: Series 40 (S40)"
Which makes sense given their lower processing power compared to a single, dual, or quad core smart phone like the Lumia series.

Metatron2008 (You're it; Premium Member, join:2008-09-02, united state)
to jjoshua
They are probably doing it for more directed advertisement than anybody else

Anonymous88
Really?
Class action lawsuit in 3...2...1
You'll get your check for $5 while some lawyers will get millions.
Re: Really?
Lawsuit dismissed with prejudice. Nokia says they won't store it, but of course they will store it with a legal request from the authorities.
to Anonymous88
And the company will pay out millions and will learn its lesson.
Which is how the system should work and I have no issue with that.

MaynardKrebs (We did it. We heaved Steve. Yipee.; Premium Member, join:2009-06-17)
to Anonymous88
said by Anonymous88: "Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions."
That, in a nutshell, is why you should have gone to law school.

newview (Ex .. Ex .. Exactly; Premium Member, join:2001-10-01, Parsonsburg, MD)
2013-Jan-10 1:14 pm
Nokia just shot themselves in the foot
Any company that does something nefarious to begin with .. and then asks to be forgiven because "it's in the subscriber's best interest" needs to suffer dire consequences ... like huge numbers of subscribers jumping ship.

skeechan (Ai Otsukaholic; Premium Member, join:2012-01-26)
to newview
Re: Nokia just shot themselves in the foot
There is no shortage of Google zealots that stay with them like frequently beaten wives.
Anonalittle
Anon
2013-Jan-10 1:16 pm
nokia servers
Unless it goes to Nokia servers and "then" funneled to the nsa/cia servers.....someone got a little greedy.........

skeechan (Ai Otsukaholic; Premium Member, join:2012-01-26)
2013-Jan-10 1:50 pm
Seems this is criminal
Under Title 18 2511 it seems to be illegal to intercept communications in this manner, since it is not a "...necessary incident to the rendition of his service...", meaning it is not necessary to intercept and decrypt the communications in order to provide the cell service. » www.law.cornell.edu/usco ··· /18/2511

Kearnstd (Space Elf; Premium Member, join:2002-01-22, Mullica Hill, NJ)
2013-Jan-10 1:53 pm
Re: Seems this is criminal
And that is only here in the US. They likely will run into issues in the EU not only for similar laws to this one, but the stricter privacy laws over there too.
Unless this interception is strictly in phones for the USDM.
Spy
Last phone I had from Nokia cost $10 and it didn't even have the internet. Enjoy your spying! I find their products to be terrible. I switched to LG now; that is a real phone!

jmn1207 (Premium Member, join:2000-07-19, Sterling, VA)
2013-Jan-10 2:26 pm
Bank Data?
What are they decrypting? Is it RC4 128-bit? Most banks now use this level of encryption at a minimum. I realize this is an older encryption method and there are more secure options available, but is Nokia able to break this level of authentication on the fly as a middle man?

MTU (Premium Member, join:2005-02-15, San Luis Obispo, CA)
2013-Jan-10 3:42 pm
User Data
Are there those who actually still believe that their data is sacrosanct? Especially as regards cellphone data.

David (Premium Member, join:2002-05-30, Granite City, IL)
2013-Jan-10 3:46 pm
doesn't iAds
do the same thing? Seems like it to me.
Re: doesn't iAds
Do you even know what you're talking about? What does iAds have to do with anything?

David (Premium Member, join:2002-05-30, Granite City, IL)
2013-Jan-10 4:53 pm
I think this was a doublepost. I saw the famous "404 gateway not found" and the "nginx" on bbr when I posted.
My guess is it posted 2x.

David (Premium Member)
2013-Jan-10 3:49 pm
spy and snoop the same way?
If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.
Re: doesn't iAds
said by David: "If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well."
Apple and Google don't need to, David. AT&T does it for them. And, besides, no https traffic gets intercepted either by Apple or by Google.

ConstantineM
Wow! Not only do they spy on your https traffic, but they even use invalid certificates, and so ANYONE ELSE can do MITM attacks on HTTPS traffic of a Nokia phone?! Disgusting!
not as bad as AT&T's snooping rooms... (aka Room 641A).
StuartMW
Premium Member
2013-Jan-10 5:30 pm
I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.
Re: I wonder if...
Yeah, probably sent a copy of Nokia's snooping to NSA's snoop room at AT&T Room 641A! LOLOL
said by StuartMW: "I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question."

KrK (Heavy Artillery For The Little Guy; Premium Member, join:2000-01-17, Tulsa, OK)
2013-Jan-10 8:06 pm
Compromise most all known forms of secure communications.
All of their promoted phones in the US run WP7-8, which do not let OEMs change much, like the browser IE.
/There is no such thing as an Ovi (Nokia) browser on WP
//There is no such thing as an HTC browser on WP
///There is no such thing as a Samsung browser on WP
////There is no such thing as a Dell browser on WP
/////There is no such thing as an LG browser on WP
\BTW any carrier or OEM bloat can be removed for good in WP in 2 seconds

C0deZer0 (Oc'D To Rhythm And Police; Premium Member, join:2001-10-03, Tempe, AZ)
2013-Jan-11 11:16 am
Manufacturer kills the platform
Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.

Michail (Premium Member, join:2000-08-02, Boynton Beach, FL)
2013-Jan-11 1:37 pm
Re: Manufacturer kills the platform
said by C0deZer0: "Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy."
But this has nothing to do with WP8 Nokia phones at all.

wistlo (Member, join:2003-01-04, New Orleans, LA)
2013-Jan-12 1:07 pm
From what I can see in the original article, https works as expected. The user's device has a pre-installed certificate that essentially gives Nokia keys to all secure browser traffic.
The lesson to take away is not that https traffic is easily decrypted (it isn't), but that users must be very aware of what certificates are installed locally--either by the user, or put there by the carrier or manufacturer.