When you look at what the Nokia Browser does in the non-TLS case, you see that the Nokia Browser, like the Kindle Browser and Opera Mobile, uses a dedicated proxy server to avoid DNS latency and permit cached/compressed/reformatted web pages to be transmitted to the mobile device. This is performed by the Nokia Browser including the desired target URL as a private http header.

What I believe is occurring for https connections is that Nokia Browser is establishing a TLS connection to the Nokia Proxy and continuing to send the target URL as a private http header. What is unclear is how the Nokia Browser interacts with the proxy under this situation. Is the Proxy providing a tunnel for the client or is it acting as a MITM? This does not appear to me to be a certificate being misused.

Jeffrey Altman

On 1/10/2013 4:53 PM, ianG wrote:
> Just on that theme of multiple attacks from different vectors leading to
> questions at the systemic level, another certificate failure just got
> posted on slashdot:
>
> http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including
>
> "On Wednesday, security professional Gaurang Pandya outlined how Nokia
> is hijacking Internet browsing traffic on some of its phones. As a
> result, the company technically has access to all your Internet content,
> including sensitive data that is sent over secure connections (HTTPS),
> such as banking credentials and pretty much any other usernames and
> passwords you use to login to services on the Internet. Last month,
> Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a
> proxy, instead of directly hitting the requested server. The connections
> are either redirected to Nokia/Ovi proxy servers if the Nokia browser is
> used, and to Opera proxy servers if the Opera Mini browser is used (both
> apps use the same User-Agent)."
>
> Which Nokia apparently admits:
>
> "When temporary decryption of HTTPS connections is required on our proxy
> servers, to transform and deliver users’ content, it is done in a secure
> manner."
>
> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
>
> Pictures above seem to indicate VeriSign as the CA, but whether that
> means they know about the MITMing is not clear.
>
> iang

_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
