Nokia Running A Man In The Middle Attack To Decrypt All Your Encrypted Traffic, But Promises Not To Peek

from the not-too-comforting dept

This is a bit crazy. After a security researcher pointed out that Nokia's Xpress Browser is basically running a giant man in the middle attack on any encrypted HTTPS data you transmit, the company played the whole situation down by saying, effectively, sure, that's what we do, but it's not like we look at anything. This is, to put it mildly, not comforting. Just the fact that they're running a man in the middle attack in the first place is immensely concerning. The reason they do it is that this is a proxy browser, similar to Opera, that tries to speed up browsing by proxying a lot of the content -- meaning that all of your surfing goes through their servers. In some cases, this can be much faster for mobile browsing. But, the right way to do such a thing is to only do the proxying on unencrypted traffic. With encrypted traffic, you're just asking for trouble.

After sensing the backlash, Nokia pushed out an update of the browser that appears to remove the man-in-the-middle attack, even as it had tried to claim there was nothing wrong in the first place. However, the original researcher who discovered this, Gaurang K Pandya, updated his post to note that it's not all good news.
Just upgraded my Nokia browser, the version now is, and as expected there is a change in HTTPS behaviour. There is a good news and a bad news. The good news is with this browser, they are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over HTTP connection to their server
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: browser proxy, encryption, https, man in the middle, security, xpress browser
Companies: nokia

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    aldestrawk (profile), 12 Jan 2013 @ 1:15pm


    The PCI DSS covers business practices. Conforming business must provide a method to transmit card data securely. If the client decides to defeat that security by going through a proxy that does not tunnel the HTTPS connection then it is not the fault of the business and does not violate the PCI standard. Maybe Nokia isn't explaining well to it's clients that using their phones essentially breaks the confidentiality of all information passed through an HTTPS connection but NOKIA isn't the processor of the card transaction and so doesn't come under the PCI DSS standard. They also claim not to look at or store this information so a business could still claim to be compliant even if they encourage transactions over a NOKIA phone.

    The same arguments work for HIPAA. NOKIA is not a health care provider and although they may have potential access, they do not eavesdrop or store the data. A close analogy would be talking to your doctor over the same phone in a voice conversation. Although NOKIA, ATT, or whatever telecom, has potential access to this conversation, they supposedly don't listen in or record such things without a warrant with the small exception of the NSA's nationwide warrantless eavesdropping program which will soon record everything.

    I think we have reached a point though where the security practices of communication intermediaries need to be taken into account in such standards as HIPAA and PCI DSS.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.