[h4nnib4l]

So apparently Nokia has been caught decrypting HTTPS traffic, ostensibly for its customers good. Here's the entire article: cite.

Quote

Nokia has since responded by confirming that it shifts HTTPS requests from its Asha and Lumia handsets to Nokia’s own proxy servers, decrypts the data, compresses it, and sends back the appropriate response.

You mean you did it for me? Well shucks, that was sweet of you.

Quote

As Gaurang Pandya, the researcher who discovered the flaw, points out, the flaw here is that Nokia has configured these devices to trust certificates it issues — and therefore not throw warnings that HTTPS traffic is being hijacked.

...

This is rather more serious than the question of whether or not Nokia is stealing credit card data. By circumventing the security measures that are supposed to tell people they’re communicating with the server they think they’re communicating with, Nokia has made itself the single point of failure for customers who use these devices. The phones in question have been configured not to warn users that their web traffic has been compromised by what amounts to a man-in-the-middle attack.

However, this can be circumvented by simply not using Nokia's browser. So it can be avoided. I've been waiting for upgrade eligibility to get a new phone, and I wanted to try out the Lumia 920, but this really makes me question that. What do you guys think? Deal breaker due to the blatant disregard for security? Or just dumb but easy enough to circumvent that it's only an afterthought? I don't know if you can change the default browser on those phones, but that would definitely be an issue for me.

[AnalyticLunatic]

Definitely sketchy enough to make me question using their phones. Personally I'm a Motorola Droid-Line fan though.

[h4nnib4l]

I've played with plenty of Androids (but never owned one), but I'm really interested in picking up a Windows phone. It's an obvious starting point for me for mobile development (I develop exclusively in .NET), and it's something I haven't even played with. These phones are all pretty much the same, but at least the Nokia differentiated itself by having a good camera. Apparently it also differentiates itself by circumventing web security.

[AnalyticLunatic]

All my smartphones to date have been Android, specifically the Droid-X. This will probably continue until the Motorola Razr Maxx HD comes down in cost from it's mighty price of $300.00 w/2yr Contract. Mainly interested in it due to it's quoted 32hrs of Battery Life.

If I ever pick up a secondary line, I'd probably be willing to try out a Windows phone myself. I'm also a purely .NET developer at the moment. I've heard a few good things about Windows phones, but personally haven't used any.

[Ticon]

I prefer droids, simply because you can delete anything you want when rooted.

[farrell2k]

Almost as bad as their tax evasion.

[alicemenezes]

So...I don't understand. Does that count as a security invasion?

[calvinthedestroyer]

Maybe we should all switch back to cans and string...

[baavgai]

alicemenezes, on 11 January 2013 - 03:50 AM, said:

So...I don't understand. Does that count as a security invasion?

It is technically a man-in-the-middle attack.

Some proxy servers do this, allowing for consistent enforcement of proxy rules. Otherwise, once https is established, the proxy can't seem what's going on.

You can argue that Nokia is using a proxy to better serve their customers, but it still means they can see data you assumed was only visible to site you were talking to.

[h4nnib4l]

And, as the article points out, now Nokia is the single point of failure for all of the secure web traffic on its servers. There is a single place where all HTTPS traffic on its devices is decrypted. That's just bad security practices. Their intentions aren't nefarious, but that doesn't mean it's a good thing to do.

[j4v3d]

I'm surprised Nokia still even exist, they must be down there in the markets, I mean its all about Apple, Samsung and HTC's now.

[farrell2k]

j4v3d, on 11 January 2013 - 05:43 PM, said:

I'm surprised Nokia still even exist, they must be down there in the markets, I mean its all about Apple, Samsung and HTC's now.

I think Nokia is still the number two mobile device manufacturer in the world, behind samsung.

[baavgai]

They've been dropping like a stone since iPhone. Samsung, who recently passed Apple, are stamping on their grave.

Quote

In the third quarter, Nokia held on to a 4 percent share of the global smartphone market, and was ranked a distant No. 10 in the sector, according to Strategy Analytics, a research firm.

Samsung and Apple, the No. 1 and No. 2 smartphone makers, together had 50 percent of the global smartphone market, and their sales were growing. While its competitors rose, Nokia has generated nearly 5 billion euros ($6.5 billion) in losses under Mr. Elop, and eliminated a third of its work force.
-- http://www.nytimes.c...-line.html?_r=0

[shintetsu_80]

When I first read the topic heading I was expecting to see some dirty pics of Nokia phones. Is that weird?

[h4nnib4l]

Yes.