Perhaps, given Nokia's plummeting market share, this isn't such big news - but it's certainly a big deal. It seems that when Unisys engineer Gaurang Pandya analysed traffic from the "Xpress" browser on Nokia phones, the results weren't what he expected:
From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS [secure Web connection] traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse.

What Nokia is doing is, instead of sending web traffic directly from the phone to the required website (Google, Facebook, Amazon etc.), redirecting the traffic to its proxy computers at browser.ovi.com and using that information to compress and speed up the connection from the proxy to the destination web site. This is all very laudable. The problem is, it's doing this with secure traffic as well as regular traffic.
A brief digression here. When your web browser connects securely to Google, how does it know it has reached Google and not some other site pretending to be Google? Go to https://www.google.com/ and look at the bar in your browser. There should be a padlock there; click on the padlock in most sensible browsers to reveal more information about how your browser knows this is Google. In essence, Google has "signed" a short note saying "hey, I'm really www.google.com" and sent it back to you. The signature involves heavy maths, but works in much the same way as a very-hard-to-forge written signature. But how do you know that's really Google's signature - after all, you don't know Larry Page's writing from Bill Gates's writing? Well, someone else (a certificate authority, in this case "Thawte SGC CA") has signed Google's note and said "yes, this is Google's real signature". Your browser ships with the certificates (the verification keys) of the very small number of CAs out there, so it can check that Thawte's signature is valid, and hence that Thawte really has verified that you are looking at Google's signature. The note names the site it was issued for, so the browser also checks that the name in the note matches the site it asked for.
Right, so what's going on with Nokia? When your Xpress browser connects to Nokia's proxy instead of google.com, the proxy can't return a valid Google signature to the browser. The proxy establishes a secure connection with Google, but the signature for that connection isn't valid for the connection starting from your browser. Well, it turns out that Nokia's browser completely ignores the fact that it's getting the wrong certificate for the connection.
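To make the two paragraphs above concrete, here is a toy model of the check a browser performs, written for this post and not taken from Nokia, Google or any browser. Certificates are small dictionaries rather than X.509, textbook RSA over Mersenne primes stands in for real signatures, and the names ("Example CA", "www.google.com", "browser.ovi.com") are constructed for the demo. A CA signs a note binding a hostname to a public key; the client verifies the CA's signature against its trust store and then checks that the hostname in the note is the one it asked for. A proxy that presents its own (perfectly valid) certificate for a different name must be rejected; the `strict=False` path models a client that ignores the name mismatch, which is the failure the post describes.

```python
"""Toy certificate-chain check (constructed example, not a real PKI)."""
import hashlib
import json

E = 65537  # public exponent shared by all toy keys


def make_keypair(p, q):
    """Textbook RSA from two primes. Toy only: no padding, no real key sizes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data: bytes, n: int) -> int:
    # Hash the message and reduce into the modulus (toy: no padding scheme).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def tbs(cert) -> bytes:
    """Canonical 'to be signed' bytes: subject name, subject key, issuer name."""
    fields = {k: cert[k] for k in ("subject", "pub", "issuer")}
    return json.dumps(fields, sort_keys=True).encode()


def issue(issuer_name, issuer_priv, subject, subject_pub):
    """The CA signs the note 'subject owns subject_pub'."""
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer_name}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert


def check_certificate(cert, expected_host, trust_store, strict=True):
    """Return (ok, reason). trust_store maps CA name -> CA public key.

    strict=False models a client that accepts any CA-signed certificate even
    when the name inside it is not the host it connected to.
    """
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False, "issuer not in trust store"
    if not verify(ca_pub, tbs(cert), cert["sig"]):
        return False, "CA signature invalid"
    if cert["subject"] != expected_host and strict:
        return False, f"certificate is for {cert['subject']}, not {expected_host}"
    return True, "ok"


# --- constructed demo keys: Mersenne primes keep the toy deterministic ---
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
SITE_PUB, SITE_PRIV = make_keypair(2**521 - 1, 2**89 - 1)
PROXY_PUB, PROXY_PRIV = make_keypair(2**607 - 1, 2**61 - 1)

TRUST_STORE = {"Example CA": CA_PUB}  # what the browser ships with

# The genuine site certificate and the proxy's own certificate, both CA-signed.
SITE_CERT = issue("Example CA", CA_PRIV, "www.google.com", SITE_PUB)
PROXY_CERT = issue("Example CA", CA_PRIV, "browser.ovi.com", PROXY_PUB)
# A certificate the proxy signs for itself, naming the site: untrusted issuer.
SELF_SIGNED = issue("Proxy self-signed", PROXY_PRIV, "www.google.com", PROXY_PUB)
# A CA-signed certificate whose name was edited after signing: bad signature.
TAMPERED = dict(PROXY_CERT, subject="www.google.com")


if __name__ == "__main__":
    for label, cert, strict in [
        ("genuine site cert, strict client", SITE_CERT, True),
        ("proxy cert for other name, strict client", PROXY_CERT, True),
        ("proxy cert for other name, lax client", PROXY_CERT, False),
        ("self-signed cert, strict client", SELF_SIGNED, True),
        ("name edited after signing, strict client", TAMPERED, True),
    ]:
        print(label, "->", check_certificate(cert, "www.google.com", TRUST_STORE, strict))
```

The four failure cases are the ones a real browser must distinguish: an untrusted issuer, a bad signature, and a name mismatch are all hard errors, and only the lax client (which skips the last check) lets the proxy's certificate through while "connecting to" www.google.com.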
What's the implication of this for users? Anyone using Xpress for secure connections (think credit card data, secure searching, medical records, online banking) has their sensitive data completely on Nokia's proxy computers, and is totally reliant on Nokia not maliciously or accidentally storing, transmitting or exposing it.
"The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans," a spokesperson said, in an email sent to TechWeekEurope.

You see, it was done with the "best intentions"...
"Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner."

Well yes. Until someone within Nokia or some external cracker compromises your single-point-of-failure server. At that point all secure connections from all Xpress browsers to all secure sites worldwide are completely vulnerable and can be captured in clear by the crackers.
Nokia used to make good phones, but they have always suffered from "not invented here" syndrome, and this attempt to "improve" secure web connections is so drastically demented that, I have to say, they deserve to die.
[Hat tip: The Reg]