Nokia Admits Decrypting User Data Claiming It Isn't Looking

judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"

The reason Nokia is able to do this

[kasperd]

The reason Nokia is able to do this is that they control the browser. According to the article browsers on Nokia phones are delivered with a certificate, that allows Nokia to perform this MITM attack. They call it a feature and provide a plausible explanation of what benefit it has for the users. However enabling such a risky feature without user consent is a really bad move and means users should no longer trust Nokia products as much as they have done in the past.

Re:How do they even do that?

[kasperd]

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

Re:How do they even do that?

[ledow]

On their own phones, they just install a browser and their own trusted wildcard cert.

Then anything you browse to, the browser trusts and encrypts but just to the "wrong" destination.

On any decent machine, or decent browser under your own control, you wouldn't let it happen. And if you did, SSL would be similarly "broken".

SSL is a trust mechanism only. If your phone trusts Nokia, the padlock icon means nothing beyond that you're talking to Nokia. If your phone DIDN'T trust Nokia, it wouldn't be an issue and they would have to pass your traffic through unchanged (and still encrypted!) to the destination servers or risk SSL warnings on your browser.

This is why you don't ignore browser certificate warnings, and why you NEVER install a certificate on your computer (or allow software to). I've seen software that installs a trust certificate for the vendor when installed (as administrator), that would be show up and be allowed in the IE certificate store too (so browsing to any site with a cert signed by that cert would let you think you were talking to Google, etc.)

See also Google's TURKTRUST issue lately - if you trusted TURKTRUST, you thought you were talking to Google and weren't. If you didn't, you would just have got an error and still been secure.

Re:How?

[Rich0]

Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?

It is only impossible without the collusion of a trusted certificate authority. When was the last time you reviewed the list on your browser? Oh, and did YOU do anything to determine if any of those organizations were trustworthy.

If you get a mobile device from your mobile provider, there is a pretty good chance that they stuck their own root CA in there somewhere. Maybe they just use it for SSL connections to their own websites/email/etc. But, trusted is trusted in the world of SSL which means they could just MITM every connection you make.

Ditto for any PC you use at work. Chances are your employer has a trusted CA somewhere in there, which means they can MITM any SSL connection you make to any service on the web.

If they didn't actually modify your browser you can probably spot this by pulling up the certificate info for your connection and noting who issued it.

This is why I believe SSL offers a false sense of security. Moving to certificates distributed over DNSSEC would cut out the middlemen, and it would improve security. Only the domain registrar for google.com could tamper with their certificates, for example. That still isn't perfect, but it is better than any CA anywhere on the globe.

Re:How do they even do that?

[dririan]

The same thing can be (and is) accomplished in normal desktop OSs by adding a CA certificate to the certificate store. It's commonly used in businesses that have an HTTPS proxy as well as an HTTP proxy so they can filter/monitor HTTPS access as well. IIRC there was an Ask Slashdot question about it as well. In any case, no modification of the implementation is needed.

Re:RIM isn't any better

[thePowerOfGrayskull]

If you're using BES, it's all encrypted - it goes through RIM's servers, but RIM can't read it.

Hence the big kerfuffle about governments insisting on access to BES data, and RIM's refusal to give it -- they literally can't.

Consumer email/BIS access is a different story. RIM does have access to that, and presumably government as well (similar to what any other provider gives).

Any browser publisher is the same way

[tepples]

This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret.

Any web page retrieved through HTTPS is parsed into an unencrypted DOM within the web browser. You have to trust that the browser publisher knows what it is doing and how to keep a secret.

Re:What?

[Anonymous Coward]

According to Amazon's statement to the EFF Silk does _not_ intercept HTTPS traffic:

SSL Traffic

Amazon does not intercept encrypted traffic, so your communications over HTTPS would not be accelerated or tracked. According to Jon Jenkins, director of Silk development, “secure web page requests (SSL) are routed directly from the Kindle Fire to the origin server and do not pass through Amazon’s EC2 servers.” In other words, no HTTPS requests will ever use cloud acceleration mode. Given the prevalence of web pages served over HTTPS, this gives Amazon good incentive to make Silk fast and usable even when cloud acceleration is off. Turning it off completely should be a viable option for users.

(from https://www.eff.org/2011/october/amazon-fire%E2%80%99s-new-browser-puts-spotlight-privacy-trade-offs [eff.org])

Re:Any browser publisher is the same way

[Minwee]

Yeah, because having the browser display the page locally is just exactly the same as having a remote server decrypt your connection as a man in the middle.

Is this your first time using a web browser on a mobile device?

Data has been being received, rendered and compressed by remote servers for years. Opera billed it as a major feature of their browser in 2005, but even then it was nothing new.

Re:If it was so good then why didn't you tell us?

[Luckyo]

They don't just tell you - they advertise it. It's one of the phones biggest selling features.

The issue in countries where the phone is sold is network traffic. It's costly. VERY costly. This browser does what opera mini did for about a decade - it works through nokia's special proxy that fetches the page for you, renders it in unique way that saves a lot of traffic and then sends it to your phone's browser.

Re:It's easy when you're god

[FrangoAssado]

It's sad that this is modded so high; it's completely wrong.

A requests a secure channel to B from C. Instead C establishes a secure channel with A *claiming* that it's B, while also establishing a secure channel to B claiming that it's A.

You're describing a MITM attack [wikipedia.org], which is prevented by SSL and TLS by using certificates -- C can only fool A into thinking it's B if C knows B's private key (in which case, C has essentially stolen B's identity).

What happens in Nokia phone's case is that the browser happily trusts C to forward things to B without looking at what's being transmitted (the browser accepts C's certificate authority).