
Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

Posted by Soulskill
from the you-can-trust-us dept.
An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to log in to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are redirected either to Nokia/Ovi proxy servers if the Nokia browser is used, or to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

  • So...um... (Score:3, Insightful)

    by grasshoppa (657393) <skennedy.tpno-co@org> on Wednesday January 09, 2013 @02:52PM (#42536129) Homepage

    Are they actively trying to kill the company? I have to ask, because it really seems as if that's their goal.

    • Re:So...um... (Score:5, Insightful)

      by Anonymous Coward on Wednesday January 09, 2013 @02:57PM (#42536227)

      The Opera and Silk (Amazon) browsers channel their data through to home servers to render most of the page there, which is especially useful for situations with high bandwidth but low-end CPU.

      This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

      Non-story. Yawn.

      • Re:So...um... (Score:5, Interesting)

        by AliasMarlowe (1042386) on Wednesday January 09, 2013 @03:08PM (#42536471) Journal

        Non-story. Yawn.

        Indeed. Same behavior as any of several other smartphone browsers, and with no MITM attack over https.
        But we're left wondering what sort of "security professional" this Gaurang Pandya might be.

        • Yup. (Score:5, Informative)

          by Andy Prough (2730467) on Wednesday January 09, 2013 @03:29PM (#42536877)
          Anyone who didn't realize Opera Mini was rerouting data for compression on their servers just didn't look into it before downloading and using it. It's a "feature" - supposed to get you faster browsing. Worked pretty well for me when I had it on a 3G Blackberry.
        • If you _re-read_ his post, he is only showing evidence, and claims that Nokia NOT OPERA is a MITM. Use of the word "attack" obviously doesn't apply. But it is -extremely clear that Nokia is intercepting and repackaging https traffic. Opera is not, and their privacy policy clearly states that Opera passes HTTPS untouched and only boosts -normal HTTP traffic-

          I may be left wondering why you have no concern that a secure https connection you expect to a website is in fact, not to that website, but is decrypted -
      • This is how most i things render Flash video, incidentally -- it replaces the flash object with a transcoder on their own servers.

        Non-story. Yawn.

        I don't think it's a non-story, I think it's awesome! Automatic transcoding of videos should be touted as a feature.

    • well, most folks around the courthouse steps call it a hack, but, hey, whatever.

    • by ron_ivi (607351)

      February 2011, Nokia has had a strategic partnership with Microsoft, as part of which all Nokia smartphones will incorporate Microsoft's Windows Phone.

      (from wikipedia) Perhaps they see more potential in stealing people's credit card information than in Windows 8 phones.

    • No, this is how Nokia intends to make money in the future: by selling stolen credit card information.

  • by Kenja (541830) on Wednesday January 09, 2013 @02:53PM (#42536141)
    Is this different than the acceleration offered by Amazon on the Kindles or other browsers? I know that in Amazon's case it can be turned off, but they use a proxy so that they can recompress images and run scripts off of the mobile device. I know of one or two third party browsers including Opera Mobile that do much the same thing.
    • by Anonymous Coward on Wednesday January 09, 2013 @03:20PM (#42536707)

      They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

      • by EkriirkE (1075937) on Wednesday January 09, 2013 @03:40PM (#42537109) Homepage
        Opera does this for even HTTPS. On their site they explain "no caching, totally secure, etc"
        • Opera Mini does it even for HTTPS. Opera Mobile has it as an option, like their desktop browsers. (And then I don't think it does HTTPS.) That's the difference, and the advertising all mentions it. (And why they have two browsers for the same market. Mini does have a slightly smaller CPU footprint on the consumer device, so it works on lower-end devices as well.)

      • by Baloroth (2370816) on Wednesday January 09, 2013 @03:42PM (#42537129)

        They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

        No, it's not a MITM attack. From the sound of it, that's exactly how the browser was always intended to work. I haven't used the Nokia browser, but the Opera Mini "browser" isn't actually a browser properly speaking, it downloads everything onto Opera's servers, renders it, compresses it to an image file, and sends it to the phone (reduces bandwidth and CPU costs). It does this to HTTPS and HTTP connections alike (couldn't use HTTPS without it at all). I'm guessing that is exactly what the Nokia browser is doing too. There's no legal trouble with doing that, at least if they aren't recording the data (Opera doesn't, I'd assume Nokia doesn't either). FFS, Wikipedia lists the damned browser as a proxy-based one, as does Nokia's website. It's like being surprised your browser can see the passwords you type into a website. Can't be an "attack" if they publicly inform you that's how the thing works.

        • Re: (Score:3, Interesting)

          by Anonymous Coward
          And what's to stop a disgruntled Nokia worker from firing up Wireshark and recording whatever they want without approval?
          • by Luckyo (1726890)

            Prison sentence.

            • So I guess there is no crime being committed, anywhere, by anyone, which is punishable by a prison sentence?

              It's a cost / benefit question. Is the benefit of hundreds of thousands of bank login details to sell worth the risk of prison? If yes, proceed to Go. If not, sit on your hands. For some people, the benefits only need to be slight.
          • by bws111 (1216812)

            What good would that do? The traffic is still encrypted between the phone and the proxy, and the proxy and the 'real' destination.

            • If they are rendering content for you, they need the unencrypted traffic, so obviously there is some point on the line where A) The traffic is unencrypted or B) The traffic is encrypted with a certificate owned by the proxy (and thus sniffable).
              • by bws111 (1216812)

                Yes, but now you've moved from 'anyone with wireshark' to 'anyone with wireshark and access to the private key'. That is surely a much, much smaller group of people.

                • Not necessarily. That depends on the network topology and their server setup. The data might be going over an Ethernet connection in the clear at some point. And you wouldn't necessarily need direct access to the private key, either, depending on the setup (though if it was as secure as it could be, you'd need access to the machine the proxy is running on). No one is saying you can waltz into any Nokia office with your laptop and open up Wireshark. It'd have to be an inside job. And it's likely that the ins
        • by Anonymous Coward on Wednesday January 09, 2013 @04:02PM (#42537497)
          If you open an SSL connection, I think most people assume that the protocol is working as intended, and ONLY the sender and the receiver have knowledge of the exchange. It *IS* an active MITM attack; they have done exactly what an attacker would do. Why the HELL should I trust Nokia's certificate? Do they run a CA using industry standard practices that assure the identity of the sites on the other side of the connection? No? Then get their freaking certificate OFF of my trust list!
          • by loufoque (1400831)

            But you're not opening a SSL connection, the Nokia server does, then sends back the result to you.

        • They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

          No, it's not a MITM attack. From the sound of it, that's exactly how the browser was always intended to work. I haven't used the Nokia browser, but the Opera Mini "browser" isn't actually a browser properly speaking, it downloads everything onto Opera's servers, renders it, compresses it to an image file, and sends it to the phone (reduces bandwidth and CPU costs). It does this to HTTPS and HTTP connections alike (couldn't use HTTPS without it at all). I'm guessing that is exactly what the Nokia browser is doing too. There's no legal trouble with doing that, at least if they aren't recording the data (Opera doesn't, I'd assume Nokia doesn't either). FFS, Wikipedia lists the damned browser as a proxy-based one, as does Nokia's website. It's like being surprised your browser can see the passwords you type into a website. Can't be an "attack" if they publicly inform you that's how the thing works.

          And yet, if this were Apple doing it, the flames of hate would be enormous.

      • by Dahamma (304068)

        No it's not. This has been done on older and/or low end cell phone browsers for years. This "security researcher" mentioned must be completely clueless if he didn't know that...

        Think of it this way - the *browser* is really on their server, and the app on the phone just displays simplified/pre-rendered content. This is the only way you are going to get a decent web browser on low end phones without enough memory or CPU power to handle all of the HTML/JS that can be thrown at it.

        • by stooo (2202012)

          >> This "security researcher" mentioned must be completely clueless if he didn't know that...

          Often security breaches are waiting wide open for someone to exploit them. This is the case here.
          Often security people point it out.
          Often clueless people say "it has been broken since years, don't worry"

          • by Dahamma (304068)

            He didn't point out anything anyone in the industry didn't already know. This was an intentional implementation more than a decade old, not some obscure security hole. Go look up "mobile web proxy", "mobile proxy browser", etc. (has also been used for many years on old set-top boxes).

            And Nokia's TOS says they don't collect any information. You could choose not to believe that, but if you don't believe any TOS from any company whose services you use, you don't need a web browser anyway.

            Where is the exploi

      • by gl4ss (559668)

        They shouldn't be doing it for HTTPS traffic, though. That's straight-up a MITM attack that allows gathering of info (credentials, bank info, HIPAA info etc.), that should not be viewable to anyone outside of the user and the site he's connecting to. Despite Nokia's TOS, they could be in trouble legally here.

        the browser can't work without it in case of opera mini. it's not an acceleration feature - it's a feature how they managed to do such a fine browser in J2ME in the first place!

    • by Ksevio (865461)
      Opera Mini is the one that loads data on a server and sends the simplified page to the device. Opera Mobile is the fully functional browser for mobile devices
  • Quick note (Score:4, Informative)

    by Anonymous Coward on Wednesday January 09, 2013 @02:53PM (#42536147)

    Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

    • by hawguy (1600213) on Wednesday January 09, 2013 @02:55PM (#42536185)

      Note before anyone says anything: this isn't related to Windows Phone or Microsoft.

      Obviously, Microsoft is behind this to push users to Windows Phone.

    • by quenda (644621)

      Nor is it anything to do with Nokia Maps/Navigation directing cars away from congested roads.
      That would be interesting, They really should fix TFH.

    • by gl4ss (559668)

      well yeah the wp browser doesn't support offloaded compression which is what this is used for..

  • by Anonymous Coward on Wednesday January 09, 2013 @02:55PM (#42536183)

    The whole point of Opera Mini is to use Opera's proxies to reduce the load on the phone so complaining about that would be stupid (their other browser, Opera Mobile, is the one that doesn't use proxies). Is Nokia's browser expected to do the same as Opera Mini? (that they use the same user agent may imply so)

    • by MrWeelson (948337) on Wednesday January 09, 2013 @02:59PM (#42536291)

      Exactly!
      From http://www.opera.com/mobile/specs/ [opera.com]

      "Opera Mini always uses Opera’s advanced server compression technology to compress web content before it gets to a device. The rendering engine is on Opera’s server."

      On the Nokia website it states outright that "Compressed pages mean lower data charges" http://www.nokia.com/gb-en/products/phone/302/ [nokia.com]

      • by jez9999 (618189)

        Except that my mobile phone plan includes all-you-can-eat data. :-) What do you have to say about that, Nokia?

        • by Lehk228 (705449)
          if it's like blackberry's compression it also means more responsive web access when in an area with a weak signal (my job has weak to no cell reception in many places for all carriers, including near my desk, i can still use my Bold 9700 on the web, my co workers with blackberry phones can still use the web, the ones with androids and iphones often cannot)
        • by gl4ss (559668)

          Except that my mobile phone plan includes all-you-can-eat data. :-) What do you have to say about that, Nokia?

          wtf are you doing with a 3rd world phone then?

  • by mveloso (325617) on Wednesday January 09, 2013 @02:57PM (#42536237)

    Nokia also seems to have allowed MITM attacks using its own cert - the Nokia proxy is returning a nokia cert, which is trusted by the OS. Plus they're suppressing hostname checks on Nokia certs as well. You'd think they would have just sprung for a wildcard cert.

    • by Kalriath (849904)

      No, because the wildcard character may only be in the leftmost part of the CN component of the certificate. A certificate issued to "*" would be completely invalid for all purposes.

    • by mveloso (325617)

      You can buy a wildcard for *.browser.ovi.com, which was the point of my comment. They're suppressing hostname checking on their own domain, not on the internet. RTFA.

  • by 140Mandak262Jamuna (970587) on Wednesday January 09, 2013 @02:58PM (#42536265) Journal
    Technically all ISPs can do it. Right? Or am I wrong, and what Nokia does is far more sinister than what a plain vanilla ISP can do to a home internet connection?
    • by Anonymous Coward on Wednesday January 09, 2013 @03:04PM (#42536397)

      Wrong. It requires the ISP to plant a certificate on your system that is used to perform the MITM attack. Never install software from your ISP is my motto.

      AC

    • by jeti (105266)

      No. You would have to run a browser that accepts the certificate of the ISP for any domain as well.

    • by Rob Riggs (6418)
      Anyone that provides the hardware and software from which you access the web can do this. My work does it. Your local library can do it. The internet access kiosks can do it. Any device manufacturer can do it. Those cheap Android computers-on-a-stick can do it. Your TV can do it. It's a real problem because people trust the devices they use. If you cannot trust the device, you are royally screwed.
  • by CockMonster (886033) on Wednesday January 09, 2013 @02:59PM (#42536283)
    Asha phones are intended for developing countries where bandwidth can be limited and expensive. They talk about it here http://www.developer.nokia.com/Develop/Series_40/Nokia_Browser_for_Series_40/ [nokia.com]
  • by codewarren (927270) on Wednesday January 09, 2013 @03:07PM (#42536453)

    Doesn't this open them up to all kinds of legal problems? I mean if my bank account gets compromised after I use my Nokia phone to check my balance, would I not have a pretty good cause for a lawsuit?

  • by zyzko (6739) <kari.asikainen@g ... m minus caffeine> on Wednesday January 09, 2013 @03:11PM (#42536515)

    For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since dawn of time) is that they use proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page [opera.com] showing how the browser works.

    The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

    • For heaven's sake, RTFA. They ARE using MITM.
    • You don't need client side certificates to be sure in a normal situation that your traffic isn't being hijacked by the ISP.
      You only need confidence that the CAs aren't issuing certs for the site you are connecting to, which is why when TURKTRUST issued a cert for google it was Big Deal.

      In this case, they are using preinstalled certs on the local browsers to perform MITM when connecting to supposedly secure sites, such as your bank.

      Some workplaces do this sort of cert preinstallation to allow snooping on SSL

    • by miroku000 (2791465) on Wednesday January 09, 2013 @03:34PM (#42536993)

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      This is *not* how SSL is supposed to work. Any certificate authority that is forging certificates for other people's web servers is not one that should be trusted. Essentially, Nokia is lying to the web browser and saying that they are actually Amazon.com or whoever you are making a secure connection with. By fraudulently representing that they are Amazon.com or whoever, they are intercepting your passwords to these sites. Client side certificates would not help in this case because the client is controlled by Nokia. So, they would have a copy of your client side certificates as well.

      • by Lehk228 (705449)
        the nokia browser lives on both the phone and the proxy server, this is an advertised feature. it is not controversial for them to reencrypt the page on the way to your phone so that they are not weakening your security between phone and server
    • by rwyoder (759998)

      For heaven's sake - the point of these featurephone browsers (Opera Mini has been doing this since dawn of time) is that they use proxy to reduce data transferred and/or reformat the sites to better use lower resolution. Instead of a lot of screenshots to prove that he is a very l33t h4x0r he could have just opened the friendly page [opera.com] showing how the browser works.

      The only thing that raises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phone-proxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

      Wrong!!! This is a MITM attack. SSL is *not* supposed to be hacked between client and server. There is supposed to be an encrypted, unbroken path between the two, else there is *no* security.

  • Nokia is now the devil we know. Is anyone else pulling a similar stunt?
  • Make sure that the certificate fingerprints agree with those obtained through some alternate channel (another browser on another system through a different ISP, etc.).

    If they agree, this is all a non issue. It's not likely that a certificate replaced by a MITM attack would generate the same hash as the original.
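
The fingerprint comparison suggested in the comment above, as an added example that is not part of the original thread: it compares the certificate seen on the path under test with fingerprints obtained over an alternate channel, and also flags one certificate being served for several hostnames, which is what a proxy presenting its own certificate produces. The function names, the `.example` hosts and the certificate bytes are constructed placeholders, not real certificates.

```python
import hashlib
import hmac
import ssl
from collections import defaultdict


def fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex, as other tools print it."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or set(cleaned) - set("0123456789abcdef"):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned


def compare(observed: dict, reference: dict) -> dict:
    """observed: host -> PEM certificate seen on the path under test.
    reference: host -> fingerprint obtained over the alternate channel."""
    report = {"match": [], "mismatch": [], "no_reference": []}
    hosts_by_fp = defaultdict(list)
    for host, pem in sorted(observed.items()):
        fp = fingerprint(pem)
        hosts_by_fp[fp].append(host)
        if host not in reference:
            report["no_reference"].append(host)
        elif hmac.compare_digest(fp, normalize(reference[host])):
            report["match"].append(host)
        else:
            report["mismatch"].append(host)
    # One certificate for several hostnames is what a re-encrypting proxy
    # produces; a shared multi-name certificate can also cause it, so these
    # hosts need a manual look.
    report["shared_cert"] = sorted(h for h in hosts_by_fp.values() if len(h) > 1)
    return report


# --- constructed sample data: placeholder bytes, not real certificates ---
def _constructed_pem(label: str) -> str:
    return ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes:" + label.encode())


HOSTS = ("bank.example", "mail.example", "shop.example")
ORIGIN_CERTS = {h: _constructed_pem(h) for h in HOSTS}
PROXY_CERT = _constructed_pem("intercepting-proxy")


def _colon_upper(fp: str) -> str:
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


# Reference fingerprints as copied from another system on another network.
REFERENCE = {h: _colon_upper(fingerprint(p)) for h, p in ORIGIN_CERTS.items()}

DIRECT_PATH = dict(ORIGIN_CERTS)
PROXIED_PATH = {h: PROXY_CERT for h in HOSTS}
PROXIED_PATH["news.example"] = PROXY_CERT  # host with no reference on file

if __name__ == "__main__":
    for name, path in (("direct", DIRECT_PATH), ("proxied", PROXIED_PATH)):
        print(name, compare(path, REFERENCE))
```
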

  • by viperidaenz (2515578) on Wednesday January 09, 2013 @04:52PM (#42538237)

    "Security Professional" (read: unemployed blogger) discovers that mobile browsers do what they say they do in the terms of use.

  • by hydrofix (1253498) on Wednesday January 09, 2013 @05:48PM (#42539195)

    This is an age-old technology, where a proxy server is used to compress some of the mobile web page content (such as images) to accelerate the browsing experience on slow networks. In Opera Mobile the feature is called "Turbo browsing", and can be trivially disabled from the settings menu.

    News at 10 o'clock.

  • to disable this behavior and use the uncompressed browser, hold down the '0' key. the browser instance launched like this will not be compressing any data because it connects directly to websites. but it's obviously quite inferior to the standard browser.

  • Even if you were to accept and trust Nokia (and Opera, etc) and the people working for them to intercept and re-encrypt your supposedly secure traffic without keeping any sensitive information, their servers become targets for anyone who might want to get such information.

    The more people sending sensitive information through the servers, the more interesting the servers become to 'the bad guys'.

    When they're interesting enough, they will be compromised.

  • I don't use any of the browsers that purportedly do this, so I do not know how well the applications indicate to the user that they are completely breaking SSL. But, this is something that should not be done without massive, explicit, and repeated warnings (FOR EACH SSL REQUEST!) to the user.

    As flawed as SSL and PKI may be, users have been trained to trust them. WTF is this shit? Lunacy.

    Who cares if you want to call it a MITM attack or not...

    DO NOT TOUCH SSL TRAFFIC WITHOUT ENSURING THE CURRENT USER KNOW
