Good point. My thinking is: First how do you know it's Nokia that really posted this?
Second read the post carefully. They are not admitting to anything. There is an implied - "if we needed to it would be secure" or something along those lines which means exactly nothing. this second thing makes me think it's really Nokia throwing dust in their face in a nice way since it's a difficult to explian this stuff to people of the clueless-new level demonstrated on the forum. Btw. there is a Bulgarian proverb that states (don't read if you are easily offend-able): If somebody says your sister is a whore, go prove you don't even have a sister. Thus Nokia stated that if they were to have a sister she would be seeing the doctor regularly and be clean. Best, Krassi On Thu, Jan 10, 2013 at 3:17 PM, Jeffrey Walton <[email protected]> wrote: > On Thu, Jan 10, 2013 at 6:02 PM, Krassimir Tzvetanov > <[email protected]> wrote: >> What the wireshark captures are showing is the OVI app talking to >> their cloud (I would speculate the app is just updating its catalog or >> something of that sort). >> >> I did not see even a mention of the word fingerprint. Let alone >> comparing the "fake" with the "real". Do I need to continue :) > > From Ian's initial post (below). It begs the question, why would Nokia > even comment or admit to tampering with the secure channel? > >>>> Which Nokia apparently admits: >>>> >>>> "When temporary decryption of HTTPS connections is required on our proxy >>>> servers, to transform and deliver users’ content, it is done in a secure >>>> manner." >>>> >>>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/ > > Not that it matters to folks like Mozilla..... > > Jeff > >> On Thu, Jan 10, 2013 at 2:21 PM, Jeffrey Altman >> <[email protected]> wrote: >>> When you look at what the Nokia Browser does in the non-TLS case you see >>> that the Nokia Browser like the Kindle Browser and Opera Mobile use a >>> dedicated proxy server to avoid DNS latency and permit >>> cached/compressed/reformatted web pages to be transmitted to the mobile >>> device. This is >>> performed by the Nokia Browser including the desired target URL as a >>> private http header. >>> >>> What I believe is occurring for https connections is that Nokia Browser >>> is establishing a TLS connection to the Nokia Proxy and continuing to >>> send the target URL as a private http header. What is unclear is how >>> the Nokia Browser interacts with the proxy under this situation. Is the >>> Proxy providing a tunnel for the client or is it acting as a MITM? >>> >>> This does not appear to me to be a certificate being misused. >>> >>> Jeffrey Altman >>> >>> >>> On 1/10/2013 4:53 PM, ianG wrote: >>> >>>> Just on that theme of multiple attacks from different vectors leading to >>>> questions at the systemic level, another certificate failure just got >>>> posted on slashdot: >>>> >>>> http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including >>>> >>>> >>>> "On Wednesday, security professional Gaurang Pandya outlined how Nokia >>>> is hijacking Internet browsing traffic on some of its phones. As a >>>> result, the company technically has access to all your Internet content, >>>> including sensitive data that is sent over secure connections (HTTPS), >>>> such as banking credentials and pretty much any other usernames and >>>> passwords you use to login to services on the Internet. Last month, >>>> Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a >>>> proxy, instead of directly hitting the requested server. The connections >>>> are either redirected to Nokia/Ovi proxy servers if the Nokia browser is >>>> used, and to Opera proxy servers if the Opera Mini browser is used (both >>>> apps use the same User-Agent)." >>>> >>>> Which Nokia apparently admits: >>>> >>>> "When temporary decryption of HTTPS connections is required on our proxy >>>> servers, to transform and deliver users’ content, it is done in a secure >>>> manner." >>>> >>>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/ >>>> >>>> Pictures above seem to indicate VeriSign as the CA, but whether that >>>> means they know about the MITMing is not clear. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
