
Nokia: Yes, we decrypt your HTTPS data, but don't worry about it


Anton Gorlov

Jan 10, 2013, 2:59:14 PM

Hello All!


Nokia: Yes, we decrypt your HTTPS data, but don't worry about it
by David Meyer

SUMMARY:
The company has confirmed that the Xpress Browser used on its Asha and Lumia
handsets does route HTTPS traffic via its servers, temporarily decrypting it as
it does so. However, Nokia maintains that it wouldn't access complete
unencrypted information.

Nokia has confirmed reports that its Xpress Browser decrypts data that flows
through HTTPS connections; that includes the connections set up for banking
sessions, encrypted email and more. However, it insists that there's no need
for users to panic because it would never access customers' encrypted data.

The confirmation-slash-denial comes after security researcher Gaurang Pandya,
who works for Unisys Global Services in India, detailed on his personal blog
how browser traffic from his Series 40 "Asha" phone was getting routed via
Nokia's servers. So far, so Opera Mini: after all, the whole point of using a
proxy browser such as this is to compress traffic so you can save on data and
thereby cash. This is particularly handy for those on constricted data plans or
pay-by-use data, as those using the low-end Series 40 handsets on which the
browser is installed by default (it used to be known as the "Nokia Browser for
Series 40") are likely to be.

However, it was Pandya's second post on the subject that caused some alarm.
Unlike the first, which looked at general traffic, the Wednesday post
specifically examined Nokia's treatment of HTTPS traffic. It found that such
traffic was indeed also getting routed via Nokia's servers. Crucially, Pandya
said that Nokia had access to this data in unencrypted form:

"From the tests that were performed, it is evident that Nokia is performing Man
In The Middle Attack for sensitive HTTPS traffic originated from their phone
and hence they do have access to clear text information which could include
user credentials to various sites such as social networking, banking, credit
card information or anything that is sensitive in nature."

Pandya pointed out how this potentially clashes with Nokia's privacy statement,
which claims: "we do not collect any usernames or passwords or any related
information on your purchase transactions, such as your credit card number
during your browsing sessions".

So, does it clash?

Nokia came back today with a statement on the matter, in which it stressed that
it takes the privacy and security of its customers and their data very
seriously, and reiterated the point of the Xpress Browser's compression
capabilities, namely so that "users can get faster web browsing and more value
out of their data plans".

"Importantly, the proxy servers do not store the content of web pages visited
by our users or any information they enter into them," the company said. "When
temporary decryption of HTTPS connections is required on our proxy servers, to
transform and deliver users' content, it is done in a secure manner.
"Nokia has implemented appropriate organizational and technical measures to
prevent access to private information. Claims that we would access complete
unencrypted information are inaccurate."

To paraphrase: we decrypt your data, but trust us, we don't peek. Which is, in
a way, fair enough. After all, they need to decrypt the data in order to
de-bulk it.

The issue here seems to be around how Nokia informs, or fails to inform, its
customers of what's going on. For example, look at Opera. The messaging around
Opera Mini is pretty clear: the browser's FAQs spell out how it routes traffic.
Although you can find out about the Xpress Browser's equivalent functionality
with a bit of online searching, it's far less explicit to the average user. And
this is particularly unfortunate given that the browser is installed by default;
people won't necessarily choose it based on those data-squeezing chops.

And it looks like Nokia belatedly recognizes that fact. The statement
continued:

"We aim to be completely transparent on privacy practices. As part of our
policy of continuous improvement we will review the information provided in the
mobile client in case this can be improved."

The moral of the story is that those who want absolute security in their mobile
browsing should probably steer clear of browsers that compress to cut down on
data. Even if Nokia isn't tapping into that data, and there is no reason to
suspect that it is, the very existence of that feature will be a turn-off for
the paranoid, and reasonably so. And that's why Nokia should be up-front about
such things.

UPDATE: A kind soul has reminded me that, unlike Xpress Browser and Opera Mini,
two other services that also do the compression thing leave HTTPS traffic
unperturbed, namely Amazon with its Silk browser and Skyfire. This is arguably
how things should be done, although it does of course mean that users don't get
speedier loading and so on on HTTPS pages.



http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/



Regards. Anton aka Stalker

Linux Registered User #386476
[#*TEAM:*#] [#_���� �����_#] [*Heavy Metal!*] [*_�����_*]
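The article describes a proxy browser that terminates HTTPS on the operator's servers, so the certificate a client actually sees on that path is the proxy's, not the site's. The script below is an added example (not from the article, from Pandya's blog, or from Nokia) of the defender-side check that reveals this: it pins the SHA-256 fingerprint of a site's leaf certificate, obtained out of band on a trusted network, and compares it with the certificate presented over the current path. The host name and the pinned value are assumptions supplied by the user at run time; nothing here is tied to any real deployment.

```python
"""Detect TLS interception by comparing a pinned certificate fingerprint.

Added example, not part of the original post or article. Assumptions:
the defender already holds the expected SHA-256 fingerprint of the site's
leaf certificate (collected out of band on a trusted network), and the
host/port to check are supplied by the caller.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate in the
    colon-separated uppercase form that browser certificate viewers show."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Strip separators and case so pins copied from different tools compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def intercepted(observed_der: bytes, pinned_fingerprint: str) -> bool:
    """True when the certificate observed on this path is not the pinned one,
    which is what an intercepting proxy (or any other substitution) looks like."""
    return normalize(sha256_fingerprint(observed_der)) != normalize(pinned_fingerprint)


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented for host:port (network call).

    Chain verification is disabled on purpose: on a device whose trust store
    already contains the proxy's CA, verification would succeed and hide the
    substitution; on a device that does not trust it, verification would abort
    before we could record the fingerprint. The pin comparison is the check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host: str, pinned_fingerprint: str, port: int = 443) -> str:
    """Fetch the live certificate and report whether it matches the pin."""
    der = fetch_leaf_cert_der(host, port)
    observed = sha256_fingerprint(der)
    if intercepted(der, pinned_fingerprint):
        return f"MISMATCH for {host}: observed {observed}, pinned {pinned_fingerprint}"
    return f"OK for {host}: {observed}"


if __name__ == "__main__":
    # Usage (hypothetical values): python pincheck.py example.test AB:CD:...
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: pincheck.py <host> <pinned-sha256-fingerprint>")
    print(check_site(sys.argv[1], sys.argv[2]))
```

Run the check once from a network path you trust to record the pin, then again from the path under test (for instance with the compressing proxy enabled); a mismatch means a different certificate, and therefore a different TLS endpoint, is answering for the site. The comparison is on the leaf certificate only, so a legitimate certificate rotation by the site also shows up as a mismatch and the pin has to be refreshed out of band.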