Nokia has confirmed reports that its Xpress Browser decrypts data that flows through HTTPS connections – that includes the connections set up for banking sessions, encrypted email and more. However, it insists that there’s no need for users to panic because it would never access customers’ encrypted data.
The confirmation-slash-denial comes after security researcher Gaurang Pandya, who works for Unisys Global Services in India, detailed on his personal blog how browser traffic from his Series 40 ‘Asha’ phone was getting routed via Nokia’s servers…
However, it was Pandya’s second post on the subject that caused some alarm. Unlike the first, which looked at general traffic, the Wednesday post specifically examined Nokia’s treatment of HTTPS traffic. It found that such traffic was indeed also getting routed via Nokia’s servers. Crucially, Pandya said that Nokia had access to this data in unencrypted form:
“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature…”
In a statement – “Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”
To paraphrase: we decrypt your data, but trust us, we don’t peek. Which is, in a way, fair enough. After all, they need to decrypt the data in order to de-bulk it…
UPDATE: A kind soul has reminded me that, unlike Xpress Browser and Opera Mini, two other services that also do the compression thing leave HTTPS traffic unperturbed, namely Amazon with its Silk browser and Skyfire. This is arguably how things should be done, although it does of course mean that users don’t get speedier loading…on HTTPS pages.
If you live on the same planet with the United States government, the NSA and Congress – trust no one!