Nokia fixes its own MitM attack – partly

In December, Indian security researcher Gaurang K Pandya noticed that internet traffic from a Nokia handset, “instead of directly hitting requested server, is being redirected to proxy servers.” He could find no way to bypass the proxies, and asked “What is Nokia/Opera doing behind the scene with all these information?” He wondered if it was just happening in India, and whether it was in order to comply with some regulatory requirement.

On 9 January he looked closer, and concluded that not only was user traffic being diverted through Nokia servers, but sensitive encrypted data was being decrypted en route. “From the tests that were [performed],” he wrote, “it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”

Nobody suggests that Nokia has abused this information, but it is a clear issue of trust. The whole purpose of HTTPS-encrypted traffic is to give the user confidence that his message cannot be eavesdropped en route. “It is a big deal,” says Rick Falkvinge (the founder of the Swedish Pirate Party), “because banks rely on having a secure connection all the way to you. As do corporate networks. As do news outlets’ protection of sources. Anybody listening in to the conversation in the middle breaks the whole concept of secrecy – and the phone was specifically designed by Nokia to allow Nokia to listen in without telling you.”

Nokia told TechWeek Europe that the diversion through its browser “means that users can get faster web browsing and more value out of their data plans.” It added, “the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.”

Nokia seems to have quietly accepted the trust issue. Today Gaurang has updated his post. “Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is a good news and a bad news. The good news is with this browser, they are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers.”
