Nokia Running A Man In The Middle Attack To Decrypt All Your Encrypted Traffic, But Promises Not To Peek

from the not-too-comforting dept

This is a bit crazy. After a security researcher pointed out that Nokia's Xpress Browser is basically running a giant man-in-the-middle attack on any encrypted HTTPS data you transmit, the company played the whole situation down by saying, effectively, sure, that's what we do, but it's not like we look at anything. This is, to put it mildly, not comforting. Just the fact that they're running a man-in-the-middle attack in the first place is immensely concerning. The reason they do it is that this is a proxy browser, similar to Opera, that tries to speed up browsing by proxying a lot of the content -- meaning that all of your surfing goes through their servers. In some cases, this can be much faster for mobile browsing. But the right way to do such a thing is to proxy only the unencrypted traffic. With encrypted traffic, you're just asking for trouble.

After sensing the backlash, Nokia pushed out an update of the browser that appears to remove the man-in-the-middle attack, even as it had tried to claim there was nothing wrong in the first place. However, the original researcher who discovered this, Gaurang K Pandya, updated his post to note that it's not all good news.
Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is good news and bad news. The good news is that with this browser they are no longer doing a man-in-the-middle attack on HTTPS traffic, which was originally the issue, and the bad news is that the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over an HTTP connection to their server.
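The two proxy behaviours described above (terminating TLS at the proxy versus tunnelling HTTPS through it unread) in a small added example of mine, not Nokia's or Opera's code. It assumes the tunnel is the standard HTTP CONNECT method, which the page does not confirm, and the hostnames and bytes are constructed. Tunnel mode keeps the content opaque but still shows the proxy which host you connect to and when, which is the "still flowing through their servers" part of the bad news.

```python
# Added example, not Nokia's or Opera's code: a proxy-browser backend that
# optimises plain HTTP but relays HTTPS as an opaque tunnel, and what the
# proxy operator can still observe in each mode.
from dataclasses import dataclass

@dataclass
class Decision:
    mode: str   # "optimise": plaintext HTTP, proxy may fetch and recompress
                # "tunnel":   CONNECT, proxy relays bytes it cannot read
    host: str
    port: int

def classify_request(request_line: bytes) -> Decision:
    """Dispatch on the first request line the client sends to the proxy."""
    parts = request_line.strip().split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == b"CONNECT":
        # The client wants an end-to-end TLS session to host:port; the proxy
        # must only copy bytes in both directions, never terminate TLS itself.
        host, _, port = target.partition(b":")
        return Decision("tunnel", host.decode(), int(port or b"443"))
    if target.startswith(b"http://"):
        # Absolute-form plaintext request: safe to fetch, rescale images, etc.
        authority = target[len(b"http://"):].split(b"/", 1)[0]
        host, _, port = authority.partition(b":")
        return Decision("optimise", host.decode(), int(port or b"80"))
    raise ValueError("target is neither CONNECT nor an absolute http:// URL")

def proxy_view(decision: Decision, payload: bytes) -> dict:
    """What the proxy operator can record for one client message.

    Tunnel mode: only the CONNECT target and the 5-byte TLS record header
    (type, version, length) are visible; the record body is ciphertext.
    Optimise mode: the entire request (path, cookies, body) is readable.
    """
    if decision.mode == "tunnel":
        if len(payload) < 5:
            raise ValueError("short TLS record")
        kinds = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
        return {"host": decision.host, "port": decision.port,
                "record": kinds.get(payload[0], "unknown"),
                "tls_version": (payload[1], payload[2]),
                "length": int.from_bytes(payload[3:5], "big"),
                "plaintext": None}
    return {"host": decision.host, "port": decision.port, "plaintext": payload}
```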


Reader Comments

  • alanbleiweiss (profile), Jan 11th, 2013 @ 5:50pm

    The volume of security failure driven by profit motives on large networks is truly insane.

  • MrWilson, Jan 11th, 2013 @ 6:17pm

    But if you're not doing anything wrong, you've got nothing to hide, right?

    • Anonymous Coward, Jan 11th, 2013 @ 8:34pm

      Except perhaps your financial transactions and other secure communications... and now Nokia's servers are a prime target for interception by the bad guys - imagine how many useful communications they can intercept and divert through their own servers now!

    • traffikator, Feb 26th, 2013 @ 9:27pm

      Re: Really??

      Then explain why the need for security of any browser? What a foolish, ignorant comment to make! I decide to connect to my company network to complete my Accounting work for payroll. How about making a transaction on my online account... you know, I am only getting upset by the minute, I quit. In your opinion, everything should be open if you are not doing anything wrong!

  • Anonymous Coward, Jan 11th, 2013 @ 6:47pm

    Opera has been doing this a long time.

    That's all.

  • Anonymous Coward, Jan 11th, 2013 @ 6:53pm

    Don't buy Sony or Nokia; it's simple.

  • Anonymous Coward, Jan 11th, 2013 @ 9:07pm

    If Nokia is taking a connection which is supposed to be encrypted, and decrypting it... aren't they walking a very fine line as far as wiretapping laws?

    • Trails (profile), Jan 11th, 2013 @ 9:23pm

      NOKIADERP

      Not to mention potential privacy laws which require such things as end-to-end encryption and audit logging, e.g. HIPAA and HITECH, as well as industry standards such as PCI.

      HTTPS is supposed to be end-to-end, but they basically put out a browser with not just a known vulnerability, but a by-design vulnerability and foisted it on unsuspecting customers, giving them (the customers) a nice helping of potential liability.

      I smell class action incoming.

      • Anonymous Coward, Jan 12th, 2013 @ 12:23am

        Re: NOKIADERP

        With a side-dose of illegal hacking and possibly financial breaches?

        BONUS!!

      • aldestrawk (profile), Jan 12th, 2013 @ 1:15pm

        Re: NOKIADERP

        The PCI DSS covers business practices. Conforming businesses must provide a method to transmit card data securely. If the client decides to defeat that security by going through a proxy that does not tunnel the HTTPS connection, then it is not the fault of the business and does not violate the PCI standard. Maybe Nokia isn't explaining well to its clients that using their phones essentially breaks the confidentiality of all information passed through an HTTPS connection, but Nokia isn't the processor of the card transaction and so doesn't come under the PCI DSS standard. They also claim not to look at or store this information, so a business could still claim to be compliant even if they encourage transactions over a Nokia phone.

        The same arguments work for HIPAA. Nokia is not a health care provider and, although they may have potential access, they do not eavesdrop or store the data. A close analogy would be talking to your doctor over the same phone in a voice conversation. Although Nokia, AT&T, or whatever telecom, has potential access to this conversation, they supposedly don't listen in or record such things without a warrant, with the small exception of the NSA's nationwide warrantless eavesdropping program, which will soon record everything.

        I think we have reached a point, though, where the security practices of communication intermediaries need to be taken into account in such standards as HIPAA and PCI DSS.

        • Trails (profile), Jan 15th, 2013 @ 11:36am

          Re: Re: NOKIADERP

          Your points about PCI are well taken.

          HIPAA is a bit more complex since the user could very well be the doctor or other practitioner, hence a "covered entity".

          Since Nokia decrypts HTTPS, and quite plausibly does not do this in a compliant data facility, this could constitute a violation. Since it is unlikely a covered-entity user of a Nokia phone has the proper contracts in place, e.g. a Business Associate Agreement, the liability is probably the user's rather than Nokia's in this case, hence "giving them (the customers) a nice helping of potential liability."

      • Ophelia Millais (profile), Jan 12th, 2013 @ 1:33pm

        Re: NOKIADERP

        You wish. Check the TOS for a section on arbitration. By using Nokia services, you probably opted out of using the courts, as well as seeking relief as a member of a class.

  • Anonymous Coward, Jan 12th, 2013 @ 2:04am

    Maybe Nokia won't peek, but I can take a quick guess at who will, though, even if it takes threats of some sort to be allowed!! Cue all USA law enforcement agencies!

  • Wolfy, Jan 12th, 2013 @ 3:37am

    Like A.C. #4 said, don't buy equip. from assholes, and you're better off. It's real democracy... you're voting with your dollar.

  • maclypse (profile), Jan 12th, 2013 @ 3:41am

    freedictionary.com:

    hack:
    3 b. To gain access to (a computer file or network) illegally or without authorization

    Unless Nokia are openly and actively informing ALL of their customers of what they are doing...

  • Anonymous Coward, Jan 12th, 2013 @ 5:17am

    Opera Mini and Amazon Silk have been doing the exact same thing for quite a while. Both they and Nokia have not only been clearly documenting, but advertising this feature. Why is it only Nokia that's getting heat for what is essentially an industry standard by now?

    • meddle (profile), Jan 12th, 2013 @ 6:04am

      Not Amazon -- According to Jon Jenkins, director of Silk development, "secure web page requests (SSL) are routed directly from the Kindle Fire to the origin server and do not pass through Amazon's EC2 servers."

      https://www.eff.org/2011/october/amazon-fire%E2%80%99s-new-browser-puts-spotlight-privacy-trade-offs

    • Derek Kerton (profile), Jan 13th, 2013 @ 1:11pm

      Just running a proxy server does not automatically mean that a company is decrypting your traffic.

      Mike didn't mention the main reasons that companies provide this proxy browsing for mobile devices, so I'll list the top three:

      - When your phone traffic goes through a proxy, the proxy detects the kind of phone you have, and its resolution. It then scales down images so that a bunch of unviewable data isn't transmitted unnecessarily. Also, heavy content like Flash can be edited out if the device can't display it. This makes the browsing experience faster, without sacrificing any quality. Network operators also like the lighter traffic.

      - Some proxies can detect when your browser cannot display some content, and can reproduce the content in a way you CAN see it. Like taking a streaming video and turning it into a series of JPGs. This can add to the capabilities of your limited phone.

      - Going to one proxy server is supposedly easier to manage for your phone than going to dozens of different TCP/IP connections to all the different servers and ad servers that make up a web page.

      If you remove the spying aspect... this can be a win-win for network operators AND customers.

  • Anonymous Coward, Jan 12th, 2013 @ 7:53am

    Is the justice dept looking into this?

    Or maybe it's ok for multinational corporations to perform these otherwise illegal actions. If done by a pleb, there would be repercussions for sure.

    • meddle (profile), Jan 12th, 2013 @ 10:25am

      It's not illegal if they let people know what they are doing. They should give people the option to opt out, but we always have the option of buying services somewhere else. And some people may even like the service. It does speed things up. We should stop looking to the gub'ment to protect us from everything and vote with our wallets.

  • Thomas (profile), Jan 12th, 2013 @ 12:25pm

    Glad.

    that I don't have any Nokia products. And I'll take them off my list of possible things to buy.

  • aldestrawk (profile), Jan 12th, 2013 @ 2:18pm

    soon moot?

    So, it seems the rationale for phone-based browsers always going through a specialized proxy is that the proxy will do the compression and rendering that would tax the limited processor(s) on the phone. The user sees a quicker response time. The rationale for becoming a MITM during an HTTPS session is, again, to allow Nokia servers to do the rendering, which can only be done for an unencrypted web page, and compression, which is only effective on unencrypted data. Also, the browser will be smaller if it doesn't have to distinguish HTTPS from HTTP traffic and then do all that rendering and compression itself.

    It would have been nice if Nokia, and other smart phone makers, had been more upfront and explicitly pointed out the compromising effect on HTTPS of how they use their proxy servers. I can't say I'm surprised with their attitude of "we don't actually eavesdrop so it's all OK". What is a little surprising is how they "fixed" this, supposedly in response to Pandya's blog. They now tunnel the HTTPS connection through an HTTP connection to the proxy. One does not need to use a proxy at all in this case, though. Perhaps it was easier and quicker for them to still funnel all traffic to their proxy servers. I don't understand why Pandya notes that this is better but still "bad news", as the HTTPS traffic in this situation provides confidentiality.

    This whole issue of compromising the confidentiality of HTTPS traffic should soon be moot as phones, smart phones in particular, incorporate more powerful processors. What is a bit scary is if law enforcement decides that such proxies should be required solely as an eavesdropping point for their purposes. I would be surprised, for any Nokia proxies in the U.S., if law enforcement didn't claim that CALEA required Nokia to store and allow access to compromised HTTPS traffic when a warrant or subpoena was served.

  • Ninja (profile), Jan 14th, 2013 @ 4:59am

    RIP Nokia. If they are searching to put the last nails in their coffins then this was a smart move. Who would buy such a product knowing this?

    It's amazing how a company that led the mobile market not too long ago managed through multiple bad decisions to fall that low...

  • Gregg, Jan 14th, 2013 @ 5:24am

    Well....

    Well.... there goes the number four cell phone maker on the planet. I will never purchase a Nokia. No matter how innocent they claim their hacking is, it's still hacking. They will have a huge lawsuit against them at some point.

