Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Nokia Admits Decrypting User Data Claiming It Isn't Looking 264

Posted by Unknown Lamer
from the we-won't-peek dept.
judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"
This discussion has been archived. No new comments can be posted.

Nokia Admits Decrypting User Data Claiming It Isn't Looking

Comments Filter:
  • What? (Score:4, Insightful)

    by recoiledsnake (879048) on Thursday January 10, 2013 @09:30AM (#42545329)

    security researcher Gaurang Pandya

    What are this guy's credentials apart from being a guy with a blog?

    Amazon Silk browser does the same, Opera mini does the same, what's with this jumping on the Nokia hate bandwagon? Perhaps they should stop proxying HTTPS traffic, but remember in third world countries data comes at a HUGE premium, so these services are a god send, especially with a lot of sites moving to HTTPS by default. I would hope that Opera/Amazon/Nokia are atleast as credible as your ISP though it's an additional point of failure.

  • Fedware (Score:4, Insightful)

    by Anonymous Coward on Thursday January 10, 2013 @09:31AM (#42545343)

    We don't access your personal information with our closed source NSA backdoors, we just plug this strange Narus device into our routers.

  • by jeffmeden (135043) on Thursday January 10, 2013 @09:41AM (#42545481) Homepage Journal

    There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

    They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

    This is exactly what i was thinking/fearing. This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret. The striking thing is that users obviously have no idea they are handshaking with Nokia instead of their bank, doctor, etc. Are there at least alternate browsers available?

  • Re:What? (Score:4, Insightful)

    by h4rr4r (612664) on Thursday January 10, 2013 @09:42AM (#42545511)

    Your ISP cannot decrypt SSL traffic.
    Not everyone lives in a third world nation and surely they should be able to opt out of this.

  • Re:What? (Score:5, Insightful)

    by godrik (1287354) on Thursday January 10, 2013 @09:45AM (#42545555)

    Amazon Silk and Opera mini clearly states that every single connexion goes through them in clear. I do not think nokia does.

    My ISP does not do that. When I negogiate an HTTPS session, my ISP does not intercept it and perform a MITM attack. apparently nokia does.

    That's so much not ok.

  • CORRECTION (Score:4, Insightful)

    by girlintraining (1395911) on Thursday January 10, 2013 @09:57AM (#42545699)

    Wrong profile linked. Correct [linkedin.com] profile. Stupid misclick. Ugh. In other news, his background is not a software developer, but a network admin with some cisco experience. Like many in that area of IT, there is some exposure to security. I wouldn't call him an expert in MIM attacks, but he's not a layperson either.

  • by eth1 (94901) on Thursday January 10, 2013 @10:00AM (#42545721)

    ...my ass

    Right up until the government shows up and demands that they send all the traffic to them first, and forbids them from notifying their customers.

  • by 0123456 (636235) on Thursday January 10, 2013 @10:16AM (#42545953)

    Yeah, because having the browser display the page locally is just exactly the same as having a remote server decrypt your connection as a man in the middle.

  • Re:What? (Score:3, Insightful)

    by godrik (1287354) on Thursday January 10, 2013 @10:16AM (#42545963)

    I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data." From their own admission, they are performing a MITM attack, that is to say, they are putting themself in the middle of an encrypted connexion making each party believe they are directly and securely talking to each other.

    Whether they clearly explained it to the user, I do not know, but I am sure they are performing MITM.

  • by Anonymous Coward on Thursday January 10, 2013 @10:22AM (#42546033)

    Nothing stops the browser from transmitting information to a third-party server.

    =>

    You have to trust that the browser publisher knows what it is doing and how to keep a secret.

  • by erroneus (253617) on Thursday January 10, 2013 @10:29AM (#42546117) Homepage

    Your trust is extended because of the expectations involved. The user/owner of the device is not informed that, unlike his PC or other smart phone devices, Nokia is handling encyption differently. As https is used primarily for the purpose of securing data traffic between the user and their banks or their other services which need security, the expectation has always been that it would not involve the maker of the device which is being used.

    I "trust" my car maker to build a good car. I do not "trust" them not to install cameras in it without my knowledge and then tell me later "there are cameras, but we are not looking at the video feed."

  • Re:What? (Score:5, Insightful)

    by Rockoon (1252108) on Thursday January 10, 2013 @10:31AM (#42546149)

    I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data."

    ..because they encrypt the users data on the device, and send it to their servers where it must be decrypted in order to know what it is and even where to send it.

    Would you rather they didnt encrypt the data and sent it over the air like that instead?

    You claim to know that this is slashdot, but dont seem to know to at least make an attempt to understand the technologies that you are talking about? Worthless blabber.

    Hint: the phone is not the endpoint of the browsing session - the phone is a remote terminal for a server that is the endpoint of the browsing session

  • Re:illegal here (Score:4, Insightful)

    by ArhcAngel (247594) on Thursday January 10, 2013 @10:33AM (#42546181)

    It may be illegal in the US as well

    Just like warrantless wiretapping...oh wait!

  • by smpoole7 (1467717) on Thursday January 10, 2013 @10:55AM (#42546521) Homepage

    > If it's open source YOU have the power to stop it from doing anything like that

    In principle and theory, yes. In practice, maybe not. You would almost certainly use libraries installed on the device, unless you plan to roll your own from scratch (and that's going to eat a lot of SRAM). They could still sniff and snoop at the library level.

    Or, they could simply sniff and snoop whatever is displayed on the screen. Your open-source browser is "clean," but Nokia is, in essence, a snoop looking over your shoulder. Character-recognition software is small and fast nowadays.

    Waiting for a Slashdot story about how THAT is happening, by the way. Some manufacturers and providers are already admitting that they can access the mike and the camera on your smartphone to "see" and "hear" what you're up to ...

    Ergo, I have no doubt whatsoever that even using an open-source browser won't protect you. The only real answer is to ensure that you never do anything really sensitive on a smartphone. I certainly don't.

  • by Immerman (2627577) on Thursday January 10, 2013 @10:59AM (#42546587)

    Not really, it's relatively trivial to establish a man in the middle attack if you completely control the communication channel. A requests a secure channel to B from C. Instead C establishes a secure channel with A *claiming* that it's B, while also establishing a secure channel to B claiming that it's A. Theoretically any node your connection passes through could do this, but given the fluidity of internet routing algorithms only the ISPs at either end are likely to be able to actually pull it off. Or any routers between them and the actual computers that are doing the talking of course.

    That's why they tell you never to do internet banking, shopping, etc. at an internet cafe or other open hotspot - a fully controlled malicious data channel can do whatever it wants, and how are you going to detect it? All the validation has to go through them.

    In the case where you have vendor-controlled browsers or proxy servers it's even easier, but basically those are just additional nodes your data is guaranteed to pass through.

  • by nedlohs (1335013) on Thursday January 10, 2013 @11:02AM (#42546611)

    If you don't trust Nokia to not snoop on your data then why are you carrying around a device made by Nokia that contains a camera and a microphone and a cellular connection to the internet (and probably a gps though I don't know the details of Nokia's phones)?

  • by gl4ss (559668) on Thursday January 10, 2013 @11:26AM (#42546941) Homepage Journal

    From what I understand, the browser is not doing HTTPS at all to the bank/docter etc, its doing HTTP or HTTPS to the nokia proxy and proxy is doing the HTTPS to bank/doctor. In this scenario HTTPS is not broken, the phone is. Total fail Nokia

    it's doing a special protocol to nokias servers(encrypted).
    just like opera mini has been doing for years.

    they did this as a feature catchup. also it enables them to actually RENDER THE FUCKING PAGES THE PHONE WOULDN'T OTHERWISE BE ABLE TO. that's how these light browsers manage to do their magic on really shitty hw.

    sometimes slashdot feels like full of fucking idiots who have been living under 324 feet of rock without internet.

    if you don't like it, buy a phone that costs more than ninety bucks(no subs).

    here's a shocking reveal of opera mini passing all data through their servers on slashdot from 2006 http://tech.slashdot.org/story/06/01/24/227227/opera-mini-mobile-browser-officially-released [slashdot.org]

  • by Pieroxy (222434) on Thursday January 10, 2013 @12:05PM (#42547475) Homepage

    They advertise the feature without advertising the implications.

    Of course, that's called "marketing". Push up the upsides, burry the downsides.

  • by shutdown -p now (807394) on Thursday January 10, 2013 @01:29PM (#42548623) Journal

    The difference is that Opera Mini is explicitly advertised as a "proxy browser". If you choose to use it, you know what it is about, and what the implied security risks are.

    Here, we're talking about a stock browser in a smartphone, doing this by default with no warnings given to the user. I don't care why they thing it's a good idea, it's a major compromise of security.

  • by spongman (182339) on Thursday January 10, 2013 @02:17PM (#42549393)

    you trust Google over Microsoft?

    one of those companies has a business model that relies on gathering as much information about you that it can and selling it to advertisers.

    the other one sells software.

Possessions increase to fill the space available for their storage. -- Ryan

Working...