Nokia has admitted that it intercepts its users' HTTPS-encrypted Internet traffic and temporarily decrypts it. This is done, however, only for the benefit of customers, who are not being spied on. Security researcher Gaurang Pandya made Nokia's procedure public and criticized it in a blog post yesterday.
Pandya works as an Infrastructure Security Architect at Unisys Global Services India. In December he had initially reported that traffic from Nokia's Asha series smartphones passes through the company's own proxy server, which is not actually a secret but an advertised feature. Yesterday he followed up with the observation that even encrypted requests ran through Nokia's servers. He wrote: “The DNS request was for ‘cloud13.browser.ovi.com’, which is the host to which the HTTP traffic was also sent.”
Pandya then examined the certificates used, noting that the devices are preconfigured to trust all certificates issued by Nokia's servers. “This is the reason why no security warnings pop up during this man-in-the-middle attack by Nokia.”
Nokia states that it redirects its users' traffic through its servers in order to compress it, which speeds up all web services and is a feature of the Nokia Xpress browser. Encrypted traffic is indeed partially decrypted, but no one ever looks at it.
Nokia wrote to TechWeekEurope: “It is important that the proxy server does not save the content of web pages visited by users, nor any input made on them. If temporary decryption of HTTPS connections by our proxy server is required to convert the content and deliver it, this is done in a safe manner.” There are also technical and organizational measures to prevent access to private data, according to Nokia.
However, Nokia also announced that it will review the information it provides to customers and potentially improve it. Other browser vendors that use proxy servers for compression deal openly with the question of data security. Opera, for example, also decrypts HTTPS traffic from its Opera Mini browser in its data centers. “The encrypted SSL session is established between the Mini and the visited web server,” said a spokesman. “But the connection between the mobile client and server is protected. Except in our data center, the data is not transferred unencrypted at any time. But those who need end-to-end encryption should use a full browser like Opera Mobile.”
As a preliminary report published yesterday shows, Nokia sold 9.3 million Asha smartphones in its fiscal fourth quarter. The devices, which have the S40 user interface, typically cost less than 100 euros. They are aimed particularly at developing markets such as India and Brazil.