Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Nokia Admits Decrypting User Data Claiming It Isn't Looking 264

Posted by Unknown Lamer
from the we-won't-peek dept.
judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"
This discussion has been archived. No new comments can be posted.

Nokia Admits Decrypting User Data Claiming It Isn't Looking

Comments Filter:
  • Then you would have looked somewhat better. Now you're worse than Dropbox.
  • What? (Score:4, Insightful)

    by recoiledsnake (879048) on Thursday January 10, 2013 @10:30AM (#42545329)

    security researcher Gaurang Pandya

    What are this guy's credentials apart from being a guy with a blog?

    Amazon Silk browser does the same, Opera mini does the same, what's with this jumping on the Nokia hate bandwagon? Perhaps they should stop proxying HTTPS traffic, but remember in third world countries data comes at a HUGE premium, so these services are a god send, especially with a lot of sites moving to HTTPS by default. I would hope that Opera/Amazon/Nokia are atleast as credible as your ISP though it's an additional point of failure.

    • Re:What? (Score:4, Insightful)

      by h4rr4r (612664) on Thursday January 10, 2013 @10:42AM (#42545511)

      Your ISP cannot decrypt SSL traffic.
      Not everyone lives in a third world nation and surely they should be able to opt out of this.

      • Your ISP cannot decrypt SSL traffic.
        Not everyone lives in a third world nation and surely they should be able to opt out of this.

        You can "opt out" by using a real browser instead of one that's designed to be proxy-assisted. Why is everyone getting so worked up about this? If you're not living in a third world nation, why would you be using this browser anyway?

    • Re:What? (Score:5, Insightful)

      by godrik (1287354) on Thursday January 10, 2013 @10:45AM (#42545555)

      Amazon Silk and Opera mini clearly states that every single connexion goes through them in clear. I do not think nokia does.

      My ISP does not do that. When I negogiate an HTTPS session, my ISP does not intercept it and perform a MITM attack. apparently nokia does.

      That's so much not ok.

      • Re: (Score:2, Flamebait)

        by Rockoon (1252108)

        Amazon Silk and Opera mini clearly states that every single connexion goes through them in clear. I do not think nokia does.

        ok, you "do not think"

        My ISP does not do that. When I negogiate an HTTPS session, my ISP does not intercept it and perform a MITM attack. apparently nokia does.

        Wow.. in two lines you went from "I do not think" to "apparently nokia performs a MITM attack"

        • Re: (Score:3, Insightful)

          by godrik (1287354)

          I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data." From their own admission, they are performing a MITM attack, that is to say, they are putting themself in the middle of an encrypted connexion making each party believe they are directly and securely talking to each other.

          Whether they clearly explained it to the user, I do not know, but I am sure they are performing

          • Re:What? (Score:5, Insightful)

            by Rockoon (1252108) on Thursday January 10, 2013 @11:31AM (#42546149)

            I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data."

            ..because they encrypt the users data on the device, and send it to their servers where it must be decrypted in order to know what it is and even where to send it.

            Would you rather they didnt encrypt the data and sent it over the air like that instead?

            You claim to know that this is slashdot, but dont seem to know to at least make an attempt to understand the technologies that you are talking about? Worthless blabber.

            Hint: the phone is not the endpoint of the browsing session - the phone is a remote terminal for a server that is the endpoint of the browsing session

            • by godrik (1287354)

              Are you saying the device does not have a tcp/ip stack? Because if it does, there is no reason the data MUST be decrypted. The device could (and I would expect it to) talk directly with the remote server.

              TFA mentions the user of the phone was able to track the DNS request, so clearly the device can talk TCP/IP.

              The piece of software is called "Nokia Xpress Browser". It is not called "Nokia VNC client". I do understand the technology. I implemented (a much simpler version of) such a system in PHP 10 years ago

    • What are this guy's credentials apart from being a guy with a blog?

      He's a software developer, mostly focusing on database integration. He has no professional security experience beyond what you'd get in that role. source [linkedin.com]

      what's with this jumping on the Nokia hate bandwagon?

      You can't opt out of it; The platform is locked. Also, it's a cell phone, so there's a strong link between all internet traffic and a realworld identity. This isn't like Opera or Amazon, for which there are anonymizing options available to the enterprising individuals who wish to use said services (or don

      • CORRECTION (Score:4, Insightful)

        by girlintraining (1395911) on Thursday January 10, 2013 @10:57AM (#42545699)

        Wrong profile linked. Correct [linkedin.com] profile. Stupid misclick. Ugh. In other news, his background is not a software developer, but a network admin with some cisco experience. Like many in that area of IT, there is some exposure to security. I wouldn't call him an expert in MIM attacks, but he's not a layperson either.

    • What are this guy's credentials apart from being a guy with a blog?

      Who cares what his credentials are? He's making a claim that a lot of people can verify. Is his claim false?

      I would hope that Opera/Amazon/Nokia are atleast as credible as your ISP though it's an additional point of failure.

      They are, which is not at all. My ISP doesn't have certificates installed in my browser, and aren't secretly decrypting my SSL traffic (unless SSL is fundamentally broken in a way which isn't publicly known yet).

    • by DarkOx (621550)

      For the most part my 'ISP' can't break into my SSL connections. They don't have a certificate authority my machine will trust, so any kind of MTIM they might do without a herculean effort on their part anyway is going to be impossible. These phone users had essentially no idea.

      So the moral of the story is DO NOT DO NOT trust that SSL is secure on any device you don't directly control the CA certificates present, and probably you can't trust and SSL code you can't audit to make sure it trusts only the CAs

    • Re: (Score:3, Informative)

      by Anonymous Coward

      According to Amazon's statement to the EFF Silk does _not_ intercept HTTPS traffic:

      SSL Traffic

      Amazon does not intercept encrypted traffic, so your communications over HTTPS would not be accelerated or tracked. According to Jon Jenkins, director of Silk development, “secure web page requests (SSL) are routed directly from the Kindle Fire to the origin server and do not pass through Amazon’s EC2 servers.” In other words, no HTTPS requests will ever use cloud acceleration mode. Given the prevalence of web pages served over HTTPS, this gives Amazon good incentive to make Silk fast and usable even when cloud acceleration is off. Turning it off completely should be a viable option for users.

      (from https://www.eff.org/2011/october/amazon-fire%E2%80%99s-new-browser-puts-spotlight-privacy-trade-offs [eff.org])

    • by andy1307 (656570)
      Privacy is more of a concern for users in third world countries...you know..the thing where the government doesn't like what you're reading online and throws you in jail.
    • Thank you. A lot of products are already doing this. It is cool to hate Nokia though because they partnered with Microsoft vs Amazon who is running Android, but doing the same thing...
  • Listen... (Score:5, Funny)

    by rickatnight11 (818463) on Thursday January 10, 2013 @10:30AM (#42545341)
    Yes, we're opening your mail, but we're not LOOKING at it. We're just making sure you aren't wasting paper and ink.
    • This is precisely what the government said about 10 years ago. "We're reading the headers, but we're not reading the message bodies!" As if 2 CRLFs is some kind of blinder.

  • Fedware (Score:4, Insightful)

    by Anonymous Coward on Thursday January 10, 2013 @10:31AM (#42545343)

    We don't access your personal information with our closed source NSA backdoors, we just plug this strange Narus device into our routers.

  • by kasperd (592156) on Thursday January 10, 2013 @10:34AM (#42545389) Homepage Journal
    The reason Nokia is able to do this is that they control the browser. According to the article browsers on Nokia phones are delivered with a certificate, that allows Nokia to perform this MITM attack. They call it a feature and provide a plausible explanation of what benefit it has for the users. However enabling such a risky feature without user consent is a really bad move and means users should no longer trust Nokia products as much as they have done in the past.
  • Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?
    Also, why? Doesn't every website now compress html/css/js with mod_gzip?

    • Re:How? (Score:5, Informative)

      by Rich0 (548339) on Thursday January 10, 2013 @10:42AM (#42545501) Homepage

      Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?

      It is only impossible without the collusion of a trusted certificate authority. When was the last time you reviewed the list on your browser? Oh, and did YOU do anything to determine if any of those organizations were trustworthy.

      If you get a mobile device from your mobile provider, there is a pretty good chance that they stuck their own root CA in there somewhere. Maybe they just use it for SSL connections to their own websites/email/etc. But, trusted is trusted in the world of SSL which means they could just MITM every connection you make.

      Ditto for any PC you use at work. Chances are your employer has a trusted CA somewhere in there, which means they can MITM any SSL connection you make to any service on the web.

      If they didn't actually modify your browser you can probably spot this by pulling up the certificate info for your connection and noting who issued it.

      This is why I believe SSL offers a false sense of security. Moving to certificates distributed over DNSSEC would cut out the middlemen, and it would improve security. Only the domain registrar for google.com could tamper with their certificates, for example. That still isn't perfect, but it is better than any CA anywhere on the globe.

      • by h4rr4r (612664)

        Chances are your employer does not do that. It is such a huge legal minefield most avoid it. The last thing I need is someone claiming that my proxy server was used to steal their bank details.

        • Mine does (Australian government department). Interestingly they specifically exclude the local banks.

        • by Greyfox (87712)
          I actually know for a fact that my employer DOES do this, and very explicitly distrust their certificate to insure that any https connection results in a warning. Any https connection going out of the company must trust their certificate to complete. If I claim that their proxy was used to steal my bank details, they'd ask me why I was using company property for personal business. They would probably be doing so while in the process of terminating my employment for violating the "Misuse of company resources
      • How is that different from an ordinary server cert? I just got a cert for my own domain; that doesn't let me masquerade as a bank. If I get my browser from Mozilla, how do I know that my ISP isn't snooping? If I'm reading you correctly, you're saying that the entire HTTPS spec is a total wreck, and we'd be better off without it than a false illusion of security?

        • by jimicus (737525)

          If I get my browser from Mozilla, how do I know that my ISP isn't snooping?

          You trust two things:

          1. That Mozilla didn't put the root certificate for an untrustworthy firm into their browser. (Ha! Have you seen the list of root certificates with most browsers these days? Seems everyone and his dog can send their CA certificate in to the browser vendors).
          2. That the trustworthy root certificates that are in there will not subsequently be used for nefarious purposes - eg. to sign a wildcard certificate and then hand that over to your ISP.

        • by Rich0 (548339)

          How is that different from an ordinary server cert? I just got a cert for my own domain; that doesn't let me masquerade as a bank. If I get my browser from Mozilla, how do I know that my ISP isn't snooping? If I'm reading you correctly, you're saying that the entire HTTPS spec is a total wreck, and we'd be better off without it than a false illusion of security?

          You aren't a CA. The person who issued you the cert is. THEY CAN masquerade as a bank if they want to.

          The issue is more with things like mobile devices - chances are you didn't buy your phone from Mozilla. When the day comes that Ubuntu is selling phones I'd say chances are they'll stick their own CA on them, and thus they could MITM any connection (which isn't to say that they would).

          I'm not saying that we're better off without SSL at all - that is as ridiculous as the warnings you get when you connect

    • by robmv (855035)

      True, the point is that if you modify the source of Firefox or Chrome to not show a SSL error when the certificate is yours, then you have the situation of the Nokia browser, but that doesn't means SSL is broken because of that

  • If you don't like it (Score:2, Interesting)

    by ArhcAngel (247594)
    Get a BlackBerry. [blackberry.com]
    Blast them all you want for getting left behind in the app ecosystem but iOS, Android, and WP can't hold a candle to RIM's security. [blackberry.com]
  • Dear god. Is this what corporations do instead of serious engineering work to debloat the network stacks, drivers and hardware or start implementing things like TCP Fast Open? :-| Another example where fixing bufferbloat needs a strong front because people will start doing the wrong things when trying to fix something. Just as BitTorrent-induced latency was made the culprit of slow networks and caused people to think it's good to go away from Net Neutrality and charge premium for a premium experience. Nons
  • by eth1 (94901) on Thursday January 10, 2013 @11:00AM (#42545721)

    ...my ass

    Right up until the government shows up and demands that they send all the traffic to them first, and forbids them from notifying their customers.

    • by Luckyo (1726890)

      At which point customers will have problems beyond the scope of the issue at hand. Far beyond.

  • by Frankie70 (803801) on Thursday January 10, 2013 @11:29AM (#42546111)

    Wasn't it Benjamin Franklin who said "They who can give up essential security to obtain a little speed increase, deserve neither security nor speed"?

    • Not relevant to this story. That quote is about people surrendering rights because they think the net effect will be safety. This is like your postman steaming open your envelopes and claiming he's only looking for anthrax. Nokia users aren't volunteering their secure channels to get some level of protection.

  • Doesn't this violate the DMCA?

  • by nedlohs (1335013) on Thursday January 10, 2013 @12:02PM (#42546611)

    If you don't trust Nokia to not snoop on your data then why are you carrying around a device made by Nokia that contains a camera and a microphone and a cellular connection to the internet (and probably a gps though I don't know the details of Nokia's phones)?

  • by Peter Simpson (112887) on Thursday January 10, 2013 @12:22PM (#42546861)
    The user makes what he believes to be an encrypted connection. Nokia interposes their server into this connection without the user's knowledge and decrypts their data (both ways), and then claims this is perfectly OK, since they're doing it to optimize bandwidth or such. whether they make use of the information or not, they are intercepting and decrypting a connection the user believes to be private.

    This seems awfully like wiretapping and unauthorized interception of data communications. If it isn't illegal to decrypt an encrypted transaction if you are not the intended recipient, perhaps it should be. I'd wager it *is* illegal under EU data protection laws, but IANAL. It's probably OK in the US, due to some obscure law permitting just this activity, passed at the request of some large corporation.
  • This seems like it will be common place as cloud based web rendering becomes popular to save people "bandwidth".

    Kindle: http://www.zdnet.com/blog/networking/amazons-kindle-fire-silk-browser-has-serious-security-concerns/1516 [zdnet.com]

    Amazon Silk's terms and conditions state that Amazon will keep your the Web addresses you visit, the IP addresses you use, and your Kindle Fire's unique media access control (MAC) addresses for 30 days. With that information, Amazon can track your every Web move.

    On top of that,

A CONS is an object which cares. -- Bernie Greenberg.

Working...