On Sat, Jan 12, 2013 at 4:27 AM, ianG <[email protected]> wrote:
> On 11/01/13 02:59 AM, Jon Callas wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Others have said pretty much the same in this thread; this isn't an MITM
>> attack, it's a proxy browsing service.
>>
>> There are a number of "optimized" browsers around. Opera Mini/Mobile,
>> Amazon Silk for the Kindle Fire, and likely others. Lots of old "WAP"
>> proxies did pretty much the same thing. The Nokia one is essentially Opera.
>>
>> These optimized browsers take your URL, process it on their server and
>> then send you back an "optimized" page.
>
> Oh, I see. So basically they are breaking the implied promise of the https
> component of the URL.
>
> In words, if one sticks https at the front of the URL, we are instructing
> the browser as our agent to connect securely with the server using SSL, and
> to check the certs are in sync.
>
> The browser is deciding it has a better idea, and is redirecting that URL to
> a cloud server somewhere.
>
> (I'm still just trying to understand the model. Yes, I'm surprised, I had
> never previously heard of this.)

It's right up there with the PenTesters using BurpSuite to destroy a secure
channel. I look at the PenTest reports and shake my head in disbelief that no
one took exception to what the PenTesters did....

> One could interpret the browser as being a combined service between the
> client on the phone, and the cloud support services, sure.
>
> I think this interpretation would be unusual to any ordinary user. At a
> contractual level, it would also need to be agreed by both ends. We can
> easily ensure the end-users' agreement by means of the phone agreement, but
> it is less easy to imply the banks' agreement.

Absolutely - users have been trained otherwise. No layman would expect it if
the padlock is displayed.

What do we do about the developers? Security Professionals?

>> Some of these browsers let you turn off the "optimizations" for SSL pages.
>> The Amazon Silk browser does.

Odd, but it's apparently been "fixed". Why fix something that's not broken?

http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/

Jeff

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
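The thread's worry is that a bank cannot tell, from its end of the "secure" session, whether the TLS connection actually terminates on the customer's handset or on a proxy-browser's cloud server. The following is an added example, written for this page and not code from any poster or vendor, of the server-side check a site could run over the request headers it receives at its HTTPS origin. Assumptions, labelled in the code: the Opera Mini `X-OperaMini-*` headers, the Silk `Silk-Accelerated=true` user-agent token, and the generic `Via` / `X-Forwarded-For` markers are taken from those products' documented behaviour; every request sample is constructed for the example; `own_hops` is a hypothetical parameter for the number of `X-Forwarded-For` entries your own load balancer adds.

```python
"""Detect 'optimized' proxy browsers on an HTTPS origin from request headers.

Added example, not part of the mailing-list thread. The header names and
user-agent tokens below are assumed from the vendors' published behaviour;
the request samples are constructed. The security point: any hop that adds
these headers to an https:// request must have terminated the user's TLS
session before the traffic reached this server.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict

OPERA_MINI_PREFIX = "x-operamini-"          # assumed: Opera Mini transcoder headers
SILK_ACCEL_TOKEN = "silk-accelerated=true"  # assumed: Silk UA token when cloud rendering is on


@dataclass(frozen=True)
class Verdict:
    proxied: bool
    reason: str


def detect_proxy_browser(headers: Dict[str, str], own_hops: int = 0) -> Verdict:
    """Classify one request's headers as seen at the origin server.

    own_hops (hypothetical parameter): number of X-Forwarded-For entries that
    your own load balancers/CDN prepend. Only entries beyond that count as a
    foreign intermediary sitting between the user and you.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "").lower()

    if any(k.startswith(OPERA_MINI_PREFIX) for k in h) or "opera mini" in ua:
        return Verdict(True, "Opera Mini: page fetched and rendered on Opera's servers")
    if SILK_ACCEL_TOKEN in ua:
        return Verdict(True, "Amazon Silk with cloud acceleration enabled")
    if "via" in h:
        return Verdict(True, f"intermediary announced itself: Via={h['via']!r}")
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    if len(xff) > own_hops:
        return Verdict(True, f"X-Forwarded-For lists {len(xff) - own_hops} foreign hop(s)")
    return Verdict(False, "no intermediary indicators; TLS appears to end at the client")


# Constructed request samples (RFC 5737 documentation addresses). In each, the
# last X-Forwarded-For entry is the one our own load balancer adds (own_hops=1).
SAMPLES: Dict[str, Dict[str, str]] = {
    "direct_android": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 4.1) AppleWebKit/534.30 Mobile Safari/534.30",
        "X-Forwarded-For": "203.0.113.7",
    },
    "opera_mini": {
        "User-Agent": "Opera/9.80 (J2ME/MIDP; Opera Mini/7.1.32052/29.3417; U; en) Presto/2.8.119",
        "X-OperaMini-Phone-UA": "NokiaC3-00/5.0 (07.20) Profile/MIDP-2.1 Configuration/CLDC-1.1",
        "X-Forwarded-For": "198.51.100.23, 203.0.113.9",
    },
    "silk_accelerated": {
        "User-Agent": "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) "
                      "AppleWebKit/535.19 Silk/3.4 Mobile Safari/535.19 Silk-Accelerated=true",
        "X-Forwarded-For": "198.51.100.42, 203.0.113.11",
    },
    "silk_off": {
        "User-Agent": "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) "
                      "AppleWebKit/535.19 Silk/3.4 Mobile Safari/535.19 Silk-Accelerated=false",
        "X-Forwarded-For": "203.0.113.12",
    },
    "generic_proxy": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 Chrome/23.0 Safari/537.11",
        "Via": "1.1 transcode.example.net",
        "X-Forwarded-For": "198.51.100.5, 203.0.113.13",
    },
}


def classify_samples(own_hops: int = 1) -> Dict[str, Verdict]:
    """Run the detector over every constructed sample."""
    return {name: detect_proxy_browser(hdrs, own_hops) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        flag = "PROXIED" if verdict.proxied else "direct "
        print(f"{flag}  {name:18s}  {verdict.reason}")
```

Two caveats for anyone deploying this. First, it only catches intermediaries that announce themselves; a tester's Burp proxy on their own machine, or a transcoder that strips its own headers, adds none of these markers, so the absence of a hit is not proof the session ends on the handset. Only a client-side control (the app pinning the bank's certificate and refusing any other issuer) catches the silent case. Second, your own CDN or load balancer also adds `X-Forwarded-For`, which is why the example discounts a known number of your own hops rather than treating every entry as foreign.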
