

anon523

@mich.net anon523 Anon Wow Just spying on some http traffic is bad, but this takes it to a whole new level. It just amazes me that a company who is trying to increase their market share would also do something that could pull the rug out from underneath them.



So we just decrypted your bank traffic and made sure to store that info on our servers, but we promise we're not going to use that data....



JackKane

@covad.net JackKane Anon Re: Wow Is Opera Mini not doing exactly the same thing? Opera uses its servers as proxies to compress and speed up pages, and it would have to do "man in the middle" if it is to accelerate https traffic.



I'm not saying that this is "good", but this has been happening for a while and even if you put it in the fine print most people won't understand the meaning of this. No company will say upfront that "we can see your credit card numbers but won't look at them", even the ones with best intentions.



BTW, Opera Mobile uses acceleration features too and probably has to do the same thing when data goes through their servers.



MovieLover76

join:2009-09-11

Cherry Hill, NJ ·Verizon FiOS

(Software) pfSense

Asus RT-AC68

Asus RT-AC66

1 recommendation MovieLover76 Member Re: Wow Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.



Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.



FFH5

Premium Member

join:2002-03-03

Tavistock NJ FFH5 Premium Member Re: Wow said by MovieLover76: Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.



Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.

Opera doesn't accelerate https traffic.

cramer

Premium Member

join:2007-04-10

Raleigh, NC Westell 6100

Cisco PIX 501

cramer to MovieLover76

Premium Member to MovieLover76

Accelerate HTTPS traffic? If by "accelerate" you mean form network connections faster, then off-loading the entire SSL handshake from the phone would be a very good starting point. (but then, the *phone* isn't doing https) If you mean compression, then the only way to do it is via decrypting the stream -- the encrypted bit stream is NOT compressible. But unless you are going to actively MODIFY the content (re-encode jpg's with lower quality, etc.) (which is an illegal wiretap), you're wasting your time as pretty much *every* web server in existence is already compressing its output.



Also, to "man in the middle" an HTTPS connection, you not only need to be in the middle, you also have to be at the origin... the ssl certificate contains a name, and when it doesn't match the name you used to get there, the browser throws up a warning. The only way around this is to, well, be the browser ("don't look behind that curtain"), or... install a local trusted "*" wildcard certificate. (which is how we've done it at work for nearly a decade -- 'tho it's not been used in years.)
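
cramer's point that an encrypted stream is not compressible, and that recompressing output a server has already compressed gains little, measured in an added example (not part of the thread or of any poster's message). The SHA-256 counter-mode cipher is a constructed stand-in for TLS encryption, and the key, nonce and sample page are constructed.

```python
import hashlib
import zlib

# Constructed demo values; a real TLS session negotiates its own keys.
DEMO_KEY = b"constructed-demo-key"
DEMO_NONCE = b"constructed-nonce"


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Stand-in for TLS record encryption, for illustration only.
    Applying it twice with the same key and nonce restores the input.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sample_page() -> bytes:
    """Constructed HTML page with the repetition typical of real markup."""
    rows = "".join(
        f"<tr><td>2013-01-{d:02d}</td><td>Payment {d}</td><td>{d * 13.37:.2f}</td></tr>\n"
        for d in range(1, 29)
    )
    return f"<html><body><table>\n{rows}</table></body></html>".encode()


def ratio(data: bytes) -> float:
    """Size after zlib level 9 divided by original size (below 1.0 = smaller)."""
    return len(zlib.compress(data, 9)) / len(data)


def compare() -> dict:
    page = sample_page()
    return {
        "cleartext": ratio(page),
        "encrypted": ratio(toy_stream_cipher(DEMO_KEY, DEMO_NONCE, page)),
        "already_compressed": ratio(zlib.compress(page, 6)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:20s} {value:.2f}")
```

Only the cleartext row shrinks, so a proxy that compresses HTTPS pages has to hold the decrypted content.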



Selenia

Gentoo Convert

Premium Member

join:2006-09-22

Fort Smith, AR Selenia to MovieLover76

Premium Member to MovieLover76

said by MovieLover76: Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.



Some idiot at Nokia, probably an executive who has no clue, insisted they find a way to accelerate https traffic.

Opera Mini, not Opera Mobile. 2 different beasts. Opera Mobile does the rendering on the device and uses http compression to attempt to speed it up on slower connections. Opera Mini renders all visited sites on their servers, including https. Then a compressed form of the rendered page is sent to the browser, sort of an image with the links overlaid (which is how it renders full pages even on low end java feature phones that are normally incapable). Opera does sufficiently warn about the security implications of this, telling you that https traffic between your phone and their servers is not secured, and not to use it on an unencrypted connection or insecure network. Nokia does the same thing but probably did not want to reveal the trade secret behind the acceleration.

rradina

join:2000-08-08

Chesterfield, MO ·Charter

rradina to anon523

Member to anon523

Regardless of whether or not they look at the data, how can they guarantee their proxy servers are beyond compromise? What happens when an underpaid, overworked employee accepts a cash payment to compromise one of the servers for crooks?



IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.

Crookshanks

join:2008-02-04

Binghamton, NY Crookshanks Member Re: Wow said by rradina: IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.





Unless your browser is totally brain dead (possible), or the would-be hacker has compromised a root security certificate (highly unlikely), you will get a certificate error if someone is attempting to perform a man-in-the-middle attack. Those errors pop up for a reason! Don't ignore them.

rradina

join:2000-08-08

Chesterfield, MO rradina Member Re: Wow Read the article. They have added trusted certificates of their own that their browser trusts. It doesn't pop-up any message on the phone.

Crookshanks

join:2008-02-04

Binghamton, NY Crookshanks Member Re: Wow



I assumed as such, but it does not change the validity of what I said. See the "brain dead" disclaimer. If you don't trust your software all bets are off. A normal browser would not behave in this fashion. Nokia has opened up a nasty can of worms here, both from a liability, and precedent standpoint. I doubt many other companies would be foolish enough to follow in their footsteps, and if they do I'd imagine we'll see legislation against this behavior in the not too distant future. There are too many well monied stakeholders (banks) who will be horrified by this.



bobjohnson

Premium Member

join:2007-02-03

Spartanburg, SC bobjohnson to Crookshanks

Premium Member to Crookshanks

said by Crookshanks: Unless your browser is totally brain dead (possible)

Mobile IE9 is brain dead!

8744675

join:2000-10-10

Decatur, GA 8744675 to anon523

Member to anon523

It's called illegal wiretapping...plain and simple!



jjoshua

Premium Member

join:2001-06-01

Scotch Plains, NJ jjoshua Premium Member Huh? Why does any phone traffic go through nokia servers?



AnonPerson

join:2000-08-26

Lexington, KY AnonPerson Member Re: Huh? That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.



sk1939

Premium Member

join:2010-10-23

Frederick, MD ·Comcast XFINITY

ARRIS SB8200

Ubiquiti UDM-Pro

Juniper SRX320

sk1939 Premium Member Re: Huh? said by AnonPerson: That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.

A lot of companies do it or are doing it in order to "speed up" how fast web pages display on a screen. It's much faster to render the page on a server and send it to the phone than have the phone do it. All of the major cell providers use a similar system, as does Apple I'm sure.



MovieLover76

join:2009-09-11

Cherry Hill, NJ ·Verizon FiOS

(Software) pfSense

Asus RT-AC68

Asus RT-AC66

MovieLover76 Member Re: Huh? But most systems do not decrypt https traffic, they only optimize http traffic.



You shouldn't trade security for a few seconds on a page load.

and it definitely shouldn't be done by default.



Nokia should be slammed for this. They literally hack your https traffic on a regular basis. No matter what Nokia PR tries to claim, this is a security risk.



I'm very glad I don't own anything from Nokia.

rradina

join:2000-08-08

Chesterfield, MO ·Charter

1 edit rradina Member Re: Huh? I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.



EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones:



Handset Model: Nokia Asha 302

OS Version: 14.78 (31-08-12), RM-813

Browsers Tested On: Nokia Browser (2.2.0.0.31)

OS Type: Series 40 (S40)



sk1939

Premium Member

join:2010-10-23

Frederick, MD ·Comcast XFINITY

ARRIS SB8200

Ubiquiti UDM-Pro

Juniper SRX320

sk1939 Premium Member Re: Huh? said by rradina: I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.



EDIT: Apparently this isn't occurring on WP8 phones. It looks like it's Nokia's feature phones:



Handset Model: Nokia Asha 302

OS Version: 14.78 (31-08-12), RM-813

Browsers Tested On: Nokia Browser (2.2.0.0.31)

OS Type: Series 40 (S40)

Which makes sense given their lower processing power compared to a single, dual, or quad core smart phone like the Lumia series.



Metatron2008

Premium Member

join:2008-09-02

united state Metatron2008 to jjoshua

Premium Member to jjoshua

They are probably doing it for more directed advertisement than anybody else



Anonymous

Premium Member

join:2004-06-01

IA Anonymous Premium Member Really? Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.

patcat88

join:2002-04-05

Jamaica, NY patcat88 Member Re: Really? Lawsuit dismissed with prejudice. Nokia says they won't store it, but of course they will store it with a legal request from the authorities.

Skippy25

join:2000-09-13

Hazelwood, MO Skippy25 to Anonymous

Member to Anonymous

And the company will pay out millions and will learn its lesson.



Which is how the system should work and I have no issue with that.

MaynardKrebs

We did it. We heaved Steve. Yipee.

Premium Member

join:2009-06-17 MaynardKrebs to Anonymous

Premium Member to Anonymous

said by Anonymous: Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.



That, in a nutshell, is why you should have gone to law school.



newview

Ex .. Ex .. Exactly

Premium Member

join:2001-10-01

Parsonsburg, MD newview Premium Member Nokia just shot themselves in the foot Any company that does something nefarious to begin with .. and then asks to be forgiven because "it's in the subscriber's best interest" needs to suffer dire consequences ... like huge numbers of subscribers jumping ship.



Anonalittle

@centurytel.net Anonalittle Anon nokia servers Unless it goes to Nokia servers and "then" funneled to the nsa/cia servers.....someone got a little greedy.........



skeechan

Ai Otsukaholic

Premium Member

join:2012-01-26

AA169|170 skeechan Premium Member Seems this is criminal



»www.law.cornell.edu/usco ··· /18/2511 Under Title 18 2511 it seems to be illegal to intercept communications in this manner, since it is not a "...necessary incident to the rendition of his service...", meaning it is not necessary to intercept and decrypt the communications in order to provide the cell service.

Kearnstd

Space Elf

Premium Member

join:2002-01-22

Mullica Hill, NJ Kearnstd Premium Member Re: Seems this is criminal And that is only here in the US. They likely will run into issues in the EU not only for similar laws to this one, but the stricter privacy laws over there too.



Unless this interception is strictly in phones for the USDM.

brianiscool

join:2000-08-16

Tampa, FL brianiscool Member Spy Last phone I had from Nokia cost $10 and it didn't even have the internet. Enjoy your spying! I find their products to be terrible. I switched to LG, now that is a real phone!



jmn1207

Premium Member

join:2000-07-19

Sterling, VA jmn1207 Premium Member Bank Data? What are they decrypting? Is it RC4 128-bit? Most banks now use this level of encryption at a minimum. I realize this is an older encryption method and there are more secure options available, but is Nokia able to break this level of authentication on the fly as a middle man?

MTU

Premium Member

join:2005-02-15

San Luis Obispo, CA MTU Premium Member User Data Are there those who actually still believe that their data is sacrosanct? Especially as regards cellphone data.



David

Premium Member

join:2002-05-30

Granite City, IL David Premium Member doesn't iAds do the same thing? Seems like it to me.

ConstantineM

join:2011-09-02

San Jose, CA ConstantineM Member Re: doesn't iAds Do you even know what you're talking about? What does iAds have to do with anything?



David

Premium Member

join:2002-05-30

Granite City, IL 1 edit David Premium Member I think this was a doublepost I saw the famous "404 gateway not found" and the "ngix" on bbr when I posted.



My guess is it posted 2x.

David David Premium Member spy and snoop the same way?



If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.

ConstantineM

join:2011-09-02

San Jose, CA ConstantineM Member Re: doesn't iAds said by David: If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.





Apple and Google don't need to, David. AT&T does it for them. And, besides, no https traffic gets intercepted either by Apple or by Google.

ConstantineM ConstantineM Member Wow! Not only do they spy on your https traffic, but they even use invalid certificates, and so ANYONE ELSE can do MITM attacks on HTTPS traffic of a Nokia phone?! Disgusting!



compuguybna

join:2009-06-17

Nashville, TN compuguybna Member not as bad as AT&T's snooping rooms... (aka Room 641A).



StuartMW

Premium Member

join:2000-08-06 StuartMW Premium Member I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.



compuguybna

join:2009-06-17

Nashville, TN compuguybna Member Re: I wonder if... said by StuartMW: I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.

Yeah, probably sent a copy of Nokia's snooping to NSA's snoop room at AT&T Room 641A! LOLOL



KrK

Heavy Artillery For The Little Guy

Premium Member

join:2000-01-17

Tulsa, OK KrK Premium Member Compromise most all known forms of secure communications.



odreian615

join:2006-01-18

Chicago, IL odreian615 Member All of their promoted phones in the US run WP7-8, which do not let OEMs change much, like the browser IE.

/There is no such thing as a Ovi(Nokia) browser on WP

//There is no such thing as a HTC browser on WP

///There is no such thing as a Samsung browser on WP

////There is no such thing as a Dell browser on WP

/////There is no such thing as a LG browser on WP

\BTW any carrier or OEM bloat can be removed for good in WP in 2 seconds



C0deZer0

Oc'D To Rhythm And Police

Premium Member

join:2001-10-03

Tempe, AZ C0deZer0 Premium Member Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.



Michail

Premium Member

join:2000-08-02

Boynton Beach, FL Michail Premium Member Re: Manufacturer kills the platform said by C0deZer0: Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.

But this has nothing to do with WP8 Nokia phones at all.