Wow
Just spying on some http traffic is bad, but this takes it to a whole new level. It just amazes me that a company who is trying to increase their market share would also do something that could pull the rug out from underneath them.
So we just decrypted your bank traffic and made sure to store that info on our servers, but we promise we're not going to use that data....

Re: Wow
Is Opera Mini not doing exactly the same thing? Opera uses its servers as proxies to compress and speed up pages, and it would have to do "man in the middle" if it is to accelerate https traffic.
I'm not saying that this is "good", but this has been happening for a while and even if you put it in the fine print most people won't understand the meaning of this. No company will say upfront that "we can see your credit card numbers but won't look at them", even the ones with best intentions.
BTW, Opera Mobile uses acceleration features too and probably has to do the same thing when data goes through their servers.

Linklist (Premium) join:2002-03-03 Longport, NJ kudos:5
Re: Wow
said by MovieLover76:
> Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
> Some idiot at Nokia, probably an executive who has no clue insisted they find a way to accelerate https traffic.
Opera doesn't accelerate https traffic.
-- A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

cramer join:2007-04-10 Raleigh, NC kudos:7
Accelerate HTTPS traffic? If by "accelerate" you mean form network connections faster, then off-loading the entire SSL handshake from the phone would be a very good starting point. (but then, the *phone* isn't doing https) If you mean compression, then the only way to do it is via decrypting the stream -- the encrypted bit stream is NOT compressible. But unless you are going to actively MODIFY the content (re-encode jpg's with lower quality, etc.) (which is an illegal wiretap), you're wasting your time as pretty much *every* web server in existence is already compressing its output.
Also, to "man in the middle" an HTTPS connection, you not only need to be in the middle, you also have to be at the origin... the ssl certificate contains a name, and when it doesn't match the name you used to get there, the browser throws up a warning. The only way around this is to, well, be the browser ("don't look behind that curtain"), or... install a local trusted "*" wildcard certificate. (which is how we've done it at work for nearly a decade -- 'tho it's not been used in years.)

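cramer's point about compression, as an added example that is not part of the original thread: ciphertext does not compress, so a proxy has to decrypt before it can shrink anything, and it gains nothing when the origin already compressed the page. The SHA-256 keystream cipher is a constructed stand-in for the TLS record cipher, and the page and key are constructed sample data.

```python
import hashlib
import zlib

# Constructed sample: a repetitive HTML page of the kind a proxy would want to shrink.
PAGE = ("<html><body><table>\n" + "".join(
    f"<tr><td>Account {i:04d}</td><td>Balance: {i * 137 % 10000}.00</td></tr>\n"
    for i in range(400)) + "</table></body></html>\n").encode()

KEY = b"constructed demo key"  # fixed so every run gives the same numbers


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || counter) blocks.

    Stand-in for the TLS record cipher, used only because its output is
    statistically random like real ciphertext. Not for protecting data.
    Applying it twice with the same key decrypts.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def measure(page: bytes = PAGE, key: bytes = KEY) -> dict:
    """Return byte counts for each point where compression could be applied."""
    server_compressed = zlib.compress(page, 9)           # origin compresses first...
    on_wire = toy_stream_cipher(key, server_compressed)  # ...then encrypts
    ciphertext = toy_stream_cipher(key, page)            # encrypted, uncompressed page
    return {
        "plaintext": len(page),
        "plaintext_compressed": len(server_compressed),
        # What a proxy that cannot decrypt has to work with:
        "ciphertext_compressed": len(zlib.compress(ciphertext, 9)),
        "wire": len(on_wire),
        "wire_recompressed": len(zlib.compress(on_wire, 9)),
    }


if __name__ == "__main__":
    for name, size in measure().items():
        print(f"{name:>22}: {size:6d} bytes")
```
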
Selenia (I love Debian, Premium) join:2006-09-22 Lanesboro, MA kudos:2
said by MovieLover76:
> Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.
> Some idiot at Nokia, probably an executive who has no clue insisted they find a way to accelerate https traffic.
Opera Mini, not Opera Mobile. 2 different beasts. Opera Mobile does the rendering on the device and uses http compression to attempt to speed it up on slower connections. Opera Mini renders all visited sites on their servers, including https. Then a compressed form of the rendered page is sent to the browser, sort of an image with the links overlaid (which is how it renders full pages even on low end java feature phones that are normally incapable). Opera does sufficiently warn about the security implications of this, telling you that https traffic between your phone and their servers is not secured, and not to use it on an unencrypted connection or insecure network. Nokia does the same thing but probably did not want to reveal the trade secret behind the acceleration.
-- A fool thinks they know everything.
A wise person knows enough to know they couldn't possibly know everything.
There are zealots for every OS, like every religion. They do not represent the majority of users for either.

rradina join:2000-08-08 Chesterfield, MO
Regardless of whether or not they look at the data, how can they guarantee their proxy servers are beyond compromise? What happens when an underpaid, overworked employee accepts a cash payment to compromise one of the servers for crooks?
IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.

Re: Wow
said by rradina:
> IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.
Unless your browser is totally brain dead (possible), or the would-be hacker has compromised a root security certificate (highly unlikely), you will get a certificate error if someone is attempting to perform a man-in-the-middle attack.
Those errors pop up for a reason! Don't ignore them.

rradina join:2000-08-08 Chesterfield, MO
Re: Wow
Read the article. They have added trusted certificates of their own that their browser trusts. It doesn't pop-up any message on the phone.

Re: Wow
I assumed as such, but it does not change the validity of what I said. See the "brain dead" disclaimer.
If you don't trust your software all bets are off. A normal browser would not behave in this fashion. Nokia has opened up a nasty can of worms here, both from a liability, and precedent standpoint. I doubt many other companies would be foolish enough to follow in their footsteps, and if they do I'd imagine we'll see legislation against this behavior in the not too distant future. There are too many well monied stakeholders (banks) who will be horrified by this.

It's called illegal wiretapping...plain and simple!

jjoshua (Premium) join:2001-06-01 Scotch Plains, NJ kudos:3
Huh?
Why does any phone traffic go through nokia servers?

Re: Huh?
That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.

sk1939 (Premium) join:2010-10-23 Washington, DC kudos:9
Re: Huh?
said by aciddrink:
> That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.
A lot of companies do it or are doing it in order to "speed up" how fast web pages display on a screen. It's much faster to render the page on a server and send it to the phone than have the phone do it. All of the major cell providers use a similar system, as does Apple I'm sure.

rradina join:2000-08-08 Chesterfield, MO 1 edit
Re: Huh?
I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.
EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones:
Handset Model: Nokia Asha 302
OS Version: 14.78 (31-08-12), RM-813
Browsers Tested On: Nokia Browser (2.2.0.0.31)
OS Type: Series 40 (S40)

sk1939 (Premium) join:2010-10-23 Washington, DC kudos:9
Re: Huh?
said by rradina:
> I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.
> EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones:
> Handset Model: Nokia Asha 302
> OS Version: 14.78 (31-08-12), RM-813
> Browsers Tested On: Nokia Browser (2.2.0.0.31)
> OS Type: Series 40 (S40)
Which makes sense given their lower processing power compared to a single, dual, or quad core smart phone like the Lumia series.

They are probably doing it for more directed advertisement than anybody else

Really?
Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.
-- I speak for myself, not my employer.

patcat88 join:2002-04-05 Jamaica, NY kudos:1
Re: Really?
Lawsuit dismissed with prejudice. Nokia says they won't store it, but of course they will store it with a legal request from the authorities.

And the company will pay out millions and will learn it's less.
Which is how the system should work and I have no issue with that.

said by Anonymous:
> Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.
That, in a nutshell, is why you should have gone to law school.

newview (Ex .. Ex .. Exactly, Premium) join:2001-10-01 Parsonsburg, MD kudos:1
Nokia just shot themselves in the foot
Any company that does something nefarious to begin with .. and then asks to be forgiven because "it's in the subscriber's best interest" needs to suffer dire consequences ... like huge numbers of subscribers jumping ship.

skeechan (Ai Otsukaholic, Premium) join:2012-01-26 AA169|170 kudos:2 1 edit
Re: Nokia just shot themselves in the foot
There is no shortage of Google zealots that stay with them like frequently beaten wives.

nokia servers
Unless it goes to Nokia servers and "then" funneled to the nsa/cia servers.....someone got a little greedy.........

skeechan (Ai Otsukaholic, Premium) join:2012-01-26 AA169|170 kudos:2
Seems this is criminal
Under Title 18 2511 it seems to be illegal to intercept communications in this manner, since it is not a "...necessary incident to the rendition of his service...", meaning it is not necessary to intercept and decrypt the communications in order to provide the cell service.
www.law.cornell.edu/uscode/text/18/2511

Kearnstd (Elf Wizard, Premium) join:2002-01-22 Mullica Hill, NJ
Re: Seems this is criminal
And that is only here in the US. They likely will run into issues in the EU not only for similar laws to this one, but the stricter privacy laws over there too.
Unless this interception is strictly in phones for the USDM.
-- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports

Spy
Last phone I had from Nokia cost $10 and it didn't even have the internet. Enjoy your spying ! I find their products to be terrible. I switch to LG now that is a real phone!

Re: Spy
said by brianiscool:
> Last phone I had from Nokia cost $10 and it didn't even have the internet. Enjoy your spying ! I find their products to be terrible. I switch to LG now that is a real phone!
Exactly why I DO NOT need or want the most modern phone in existence! Besides the phone carrier you're using there's also Google crap on those phones and I DO NOT trust them one lick either. Actually, there's just so much crap on today's phones, I simply DON'T want a new one. If computers came with all that bloatware, which they do have but not as much comparatively as modern phones, people would be griping up a storm about that!
It's gotten to the point where cell phones are one of the WORST inventions of this century!
-- The Firefox alternative. www.mozilla.org/projects/seamonkey/

Woody79_00 (I run Linux am I still a PC?, Premium) join:2004-07-08 united state
Re: Spy
Well said cork.
Smartphones are just tracking devices, I mean honestly that's what they are...tracking devices a person pays for...this type of stuff is to be expected...

Re: Spy
Feels a bit like paying for the ticket on the train to the prison... No offense intended to people whose family had to do something like that - just a moral lesson!

jmn1207 (Premium) join:2000-07-19 Ashburn, VA kudos:1
Bank Data? What are they decrypting? Is it RC4 128-bit? Most banks now use this level of encryption at a minimum. I realize this is an older encryption method and there are more secure options available, but is Nokia able to break this level of authentication on the fly as a middle man?

MTU (Premium) join:2005-02-15 San Luis Obispo, CA
User Data
Are there those who actually still believe that their data is sacrosanct? Especially as regards cellphone data.

David (Now accepting new patients, Premium, VIP) join:2002-05-30 Granite City, IL kudos:78
doesn't iAds do the same thing? Seems like it to me.

Re: doesn't iAds
Do you even know what you're talking about? What does iAds have to do with anything?

David (Now accepting new patients, Premium, VIP) join:2002-05-30 Granite City, IL kudos:78 1 edit
I think this was a doublepost
I saw the famous "404 gateway not found" and the "ngix" on bbr when I posted.
My guess is it posted 2x.

David (Now accepting new patients, Premium, VIP) join:2002-05-30 Granite City, IL kudos:78
spy and snoop the same way?
If so, it doesn't seem to affect Apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.

Wow! Not only do they spy on your https traffic, but they even use invalid certificates, and so ANYONE ELSE can do MITM attacks on HTTPS traffic of a Nokia phone?! Disgusting!

not as bad as AT&T's snooping rooms... (aka Room 641A).

StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.
-- Don't feed trolls--it only makes them grow!

KrK (Heavy Artillery For The Little Guy, Premium) join:2000-01-17 Tulsa, OK
Compromise most all known forms of secure communications.

All of their promoted phones in the US run WP7-8 which do not let OEMs change much, like the browser IE.
/There is no such thing as an Ovi(Nokia) browser on WP
//There is no such thing as an HTC browser on WP
///There is no such thing as a Samsung browser on WP
////There is no such thing as a Dell browser on WP
/////There is no such thing as an LG browser on WP
\BTW any carrier or OEM bloat can be removed for good in WP in 2 seconds

C0deZer0 (Oc'D To Rhythm And Police, Premium) join:2001-10-03 Tempe, AZ
Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.
-- Because, f*ck Sony

Michail (Premium) join:2000-08-02 Boynton Beach, FL kudos:1
Re: Manufacturer kills the platform
said by C0deZer0:
> Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.
But this has nothing to do with WP8 Nokia phones at all.

wistlo join:2003-01-04 New Orleans, LA
From what I can see in the original article, https works as expected. The user's device has a pre-installed certificate that essentially gives Nokia keys to all secure browser traffic.
The lesson to take away is not that https traffic is easily decrypted (it isn't), but that users must be very aware of what certificates are installed locally--either by the user, or put there by the carrier or manufacturer.