Nokia has admitted it does decrypt some internet traffic sent over “secure” connections on some of its cellphones. However, it insists there is absolutely no question of it accessing the information while it is in unencrypted form.
The issue was raised by an Indian security researcher and involves the Nokia Xpress Browser. That’s a tool aimed particularly at people who either have low data limits or pay-as-you-go data and is the default option on some handsets. As with the better known Opera Mini, the browser routes traffic through a server where it is compressed and reformatted for the smaller screen. The idea is that the resulting speed of delivery and lower data use outweighs the redirection time.
Earlier this week the researcher, Gaurang Pandya, noted that this was happening with all traffic, regardless of whether the connection was through 3G or WiFi, and with no apparent way to switch the feature off. He then noted that “the most obvious next step was to check if at least HTTPS traffic is getting its due respect and is being transferred without any intermediate host inspecting it”.
He discovered that not only was the encrypted data going through Nokia servers in clear text, but that Nokia had configured the phone to accept security certificates even though the one being issued by Nokia for the “last leg” of the transfer clearly didn’t match the one issued by the original website. Pandya went so far as to accuse Nokia of carrying out a Man In The Middle attack, a term that appears to be technically correct if perhaps a little pejorative.
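The check Pandya describes, written up as an added example rather than his or Nokia's code: because the handset's trust store has been configured to accept the proxy's certificates, trust-store validation cannot reveal the substitution, so the script compares the certificate actually presented on the wire against a pinned SHA-256 fingerprint of the origin's real certificate. The hostnames and the sample certificate bytes are constructed placeholders, and `fetch_presented_cert` needs network access while the comparison functions run offline.

```python
"""Detect a TLS-terminating proxy by pinning the origin's certificate fingerprint."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificate bytes).
SAMPLE_ORIGIN_CERT = b"constructed-origin-leaf-certificate"
SAMPLE_PROXY_CERT = b"constructed-proxy-issued-certificate"


def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER bytes; this is the fingerprint browsers display."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints) -> bool:
    """True if the presented certificate matches any pinned fingerprint.

    compare_digest keeps the comparison constant-time regardless of where
    the two strings first differ."""
    seen = fingerprint_sha256(der_cert)
    return any(hmac.compare_digest(seen, p.lower()) for p in pinned_fingerprints)


def classify(der_cert: bytes, pinned_fingerprints) -> str:
    """'direct' when the origin's own certificate arrived, 'intercepted' otherwise."""
    return "direct" if pin_matches(der_cert, pinned_fingerprints) else "intercepted"


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the far end presents to this client.

    Verification is switched off on purpose: the goal is to capture whatever
    certificate arrives, even one the device's (possibly proxy-trusting) store
    would accept, and let the pin decide instead of the trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample bytes above.
    pins = {fingerprint_sha256(SAMPLE_ORIGIN_CERT)}
    print("origin cert:", classify(SAMPLE_ORIGIN_CERT, pins))   # direct
    print("proxy cert: ", classify(SAMPLE_PROXY_CERT, pins))    # intercepted
```

Run the pin set from a machine with an ordinary internet connection to record the origin's fingerprint, then run the same check from the handset: an "intercepted" verdict means an intermediary re-issued the certificate, whatever the device's trust store says.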
Nokia has confirmed the set-up is as described, but insists that its servers don’t retain any data: “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.”
The company has also noted it will review the instructions and other information that come with the browser to see if it can make things clearer to users.
As long as you are willing to trust Nokia, this appears to be a case of an inevitable effect of the process rather than either a malicious or unintentional consequence. Some rival “compression” browsers simply pass through encrypted data without compression, which means you don’t get the benefits when browsing secure sites.