[cryptography] yet another certificate MITM attack

ianG iang at iang.org
Thu Jan 10 16:53:23 EST 2013


On 7/01/13 14:33 PM, ianG wrote:
> On 7/01/13 13:25 PM, Ben Laurie wrote:

>> This is a bizarre statement in the face of Diginotar.
>
> http://wiki.cacert.org/Risk/History shows no real correlation in
> attacks.  There are many many possible attacks, so...

Just on that theme of multiple attacks from different vectors leading to 
questions at the systemic level, another certificate failure just got 
posted on slashdot:

http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including

"On Wednesday, security professional Gaurang Pandya outlined how Nokia 
is hijacking Internet browsing traffic on some of its phones. As a 
result, the company technically has access to all your Internet content, 
including sensitive data that is sent over secure connections (HTTPS), 
such as banking credentials and pretty much any other usernames and 
passwords you use to login to services on the Internet. Last month, 
Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a 
proxy, instead of directly hitting the requested server. The connections 
are redirected either to Nokia/Ovi proxy servers if the Nokia browser is 
used, or to Opera proxy servers if the Opera Mini browser is used (both 
apps use the same User-Agent)."

Which Nokia apparently admits:

"When temporary decryption of HTTPS connections is required on our proxy 
servers, to transform and deliver users’ content, it is done in a secure 
manner."

http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/

Pictures above seem to indicate VeriSign as the CA, but whether that 
means they know about the MITMing is not clear.

iang


>
>> Maybe they aren't the attackers that interest you, but they are
>> certainly attackers.
>
> ... when there are too many possible attacks, and they keep happening,
> attention switches to the architecture, not the attacker.
>
> (Is his focus.)
>
>
