Comments on: Nokia: Yes, we decrypt your HTTPS data, but don’t worry about it

By: Alex Pyyaho

Alex Pyyaho — Wed, 27 Mar 2013 08:16:32 +0000

use a computer. problem solved

By: ralph

ralph — Thu, 31 Jan 2013 02:14:57 +0000

I am afraid your understanding of the issue and the opera mini FAQ is not correct.
Decrypting and transcoding content with a warning to the user, is not the same as decrypting and impersonating the receiving end. It is actually technically impossible for Opera Mini to do that without installing their own CA on the device (which is not possible without root access). Please read up on the issue a bit more and get a basic understanding of it, just quoting some FAQ that you dont have a full understanding of does not make it so.

By: ralph

ralph — Thu, 31 Jan 2013 02:07:16 +0000

You seem to not have a basic understanding of the issue. For Opera Mini to be able to perform a man in the middle attack similar to Nokia, they would be required to install their own CA on the device (which Nokia does), which Opera cannot do (this requires full access to the device). The FAQ you linked to only claims Opera Mini does not support end-to-end encryption, it does not mention they are decrypting the SSL traffic and impersonating the receiving end. It is actually technically impossible for Opera Mini to do what you are claiming, so you are in fact the one spreading misinformation.

By: adaviel

adaviel — Thu, 24 Jan 2013 19:49:02 +0000

Running a man-in-the-middle attack against SSL is a common practice in intrusion detection appliances.
I find it extremely worrisome, not in practice but in principle – SSL has long been touted as secure, but this makes a nonsense of security claims.

It’s possible (but I haven’t checked) that the “green” “enhanced security” site certificates issued by some CAs will give a warning by changing colour.

By: Jürgen Messing

Jürgen Messing — Sun, 13 Jan 2013 09:54:29 +0000

Fair enough? I don’t think so. What if Nokia’s proxy servers get hacked? What if a rogue employee steals the data? It happened before (to others) and it will happen again. It is an absolute no-go.

By: Johannes Geyer

Johannes Geyer — Sat, 12 Jan 2013 20:37:02 +0000

SSL has no built-in end-to-end security.
That’s why we at FileSpirit (http://www.file-spirit.com) encrypt all data on the server and decrypt it only on the mobile device. Like this we prevent Man in the Middle Attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack).
You never know who is listening (FBI, CIA, …).

By: superfc

superfc — Fri, 11 Jan 2013 22:30:33 +0000

I’m usually not really interested by security stuff but I find this news really interesting…

It’s not just a man in the middle attack, it’s a centralized man in the middle attack:
- A service server breach breaks the security of the service and thus potentially all the people using the service
- A personnal breach breaks the security of every service.
- A Nokia’s compression server’s breach breaks the security of all the users on all the services they used.

The fact that they thought about designing their system that way is already scary. But it’s crazy to imagine they actually did it…

I hope they planned a way to do some Over Their Air Provisioning (to update their browser). I wouldn’t be surprise company started to block any access to secure services using the terminal’s user agent.

By: disgusted

disgusted — Fri, 11 Jan 2013 20:24:26 +0000

A Man in the Middle Attack is an attack. They had no right to access that information. What they did was absolutely wrong. Technically, any patient data that was ever decrypted was breached. Organizations that conduct financial and medical transactions depend on the integrity of the end to end connection. They are required to account for all data access. This was a violation of trust at so many levels. I am just shocked that they try to justify the practice at any level. Utterly dumb-founded.

By: Vic Berggren

Vic Berggren — Fri, 11 Jan 2013 18:44:50 +0000

Nokia is completely missing the point… do they not think users/corporate have to adhere to encryption policies?

By: Jon von Gillern

Jon von Gillern — Fri, 11 Jan 2013 18:27:48 +0000

it is “cache” not “cash”