Perhaps, given Nokia's plummeting market share, this isn't such big news - but it's certainly a big deal. It seems that when Unisys engineer Gaurang Pandya analysed traffic from the "Xpress" browser on Nokia phones, the results weren't what he expected:
From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS [secure Web connection] traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse.What Nokia is doing is, instead of sending web traffic directly from the phone to the required website (Google, Facebook, Amazon etc.) it's redirecting the traffic to its proxy computers at browser.ovi.com and using that information to compress and speed up the connection from the proxy to the destination web site. This is all very laudable. The problem is, it's doing this with secure traffic as well as regular traffic.
A brief digression here. When your web browser connects securely to Google, how does it know it has reached Google and not some other site pretending to be Google? Go to https://www.google.com/ and look at the bar in your browser. There should be a padlock there; click on the padlock in most sensible browsers to reveal more information about how your browser knows this is Google. In essence, Google has "signed" a short note saying "hey, I'm really www.google.com" and sent it back to you. The signature involves heavy maths, but works in much the same way as a very-hard-to-forge written signature. But how do you know that's really Google's signature - after all, you don't know Larry Page's writing from Bill Gates's writing? Well, someone else (a certificate authority, in this case "Thawte SGC CA") has signed Google's signature and said "yes, this is Google's real signature". Your browser has a list of the signatures of the very small number of CAs out there, so can check that Thawte's signature is valid, and hence that Thawte really has verified that you are looking at Google's signature.
Right, so what's going on with Nokia? When your Xpress browser connects to Nokia's proxy instead of google.com, the proxy can't return a valid Google signature to the browser. The proxy establishes a secure connection with Google, but the signature for that connection isn't valid for the connection starting from your browser. Well, it turns out that Nokia's browser completely ignores the fact that it's getting the wrong certificate for the connection.
What's the implication of this for users? Anyone using Xpress for secure connections (think credit card data, secure searching, medical records, online banking) has their sensitive data completely on Nokia's proxy computers, and is totally reliant on Nokia not maliciously or accidentally storing, transmitting or exposing it.
So what does Nokia say about subverting browser security?
"The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans," a spokesperson said, in an email sent to TechWeekEurope.You see, it was done with the "best intentions"...
"Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner.Well yes. Until someone within Nokia or some external cracker compromises your single-point-of-failure server. At that point all secure connections from all Xpress browsers to all secure sites worldwide are completely vulnerable and can be captured in clear by the crackers.
Nokia used to make good phones, but they have always suffered from "not invented here" syndrome, and this attempt to "improve" secure web connections is so drastically demented that, I have to say, they deserve to die.
[Hat tip: The Reg]
This is not really news. And it's not really a man-in-the-middle-attack. It's more like a man-in-the-browser-giving-you-speed-attack.
ReplyDeleteBrowsers like Opera Mini have been around and known to do this for years. It's the very design. Nokia's browser is similar. And datacenter optimization (uncompression and re-compression) of mobile traffic has been around for ages as well.
Bottom line from a page you link: "It comes down to a question of trust on the user side and of transparency on the vendor side. Users have to have faith their browser maker won’t be snooping on their unencrypted traffic, whilst vendors are being asked to be more upfront about what compression features mean for privacy."
And if you don't trust your phone maker, all your concern about the server in the middle of the transactions is not hugely interesting. The browser could do just about anything with your data anyway, and send it to any place. You'd never know. The browser could, for instance, steganographically insert your private information to pictures that you move to Picasa, Dropbox or Facebook. Or anything.
Of course, if the browser compression site is compromised, you do have an additional security risk for SSL traffic (while you always have this anyway for any other HTTP traffic). That's the price of increased speed when browsing. Are there known incidents?
pjt: no, really, it's news and a big deal. As you say, HTTP is not an issue and Opera Mini already does this; HTTP traffic goes in the clear all around the world, so proxying this is no additional risk. The big, huge problem is the deliberate compromise of SSL and the resulting concentration of risk of compromise in one place (the Nokia proxy) rather than attackers currently having to compromise on a site-by-site basis (e.g. the TURKTRUST CA mistake, the DigiNotar CA compromise).
ReplyDeleteFair point about the browser - but then, this is why we have diversity in browsers on the mobile and desktop platforms, each browser manufacturer keeping the others honest. If any browser manufacturer were to pull a stunt like you suggest - and I don't exclude the possibility - then as soon as anyone finds out about it, that browser is *dead*.
pjt: Steve Schultze confirms that Opera Mini does SSL MITM too ( https://freedom-to-tinker.com/blog/sjs/how-the-nokia-browser-decrypts-ssl-traffic-a-man-in-the-client/ ) although he points out that it's a little bit more necessary for Opera Mini than for Xpress since Mini doesn't understand HTML and so needs the proxy to turn HTML into OBML, making end-to-end SSL from the browser practically impossible - still, a pretty bad idea.
Delete