[cryptography] yet another certificate MITM attack

Krassimir Tzvetanov maillists at krassi.biz
Thu Jan 10 18:02:36 EST 2013


What the Wireshark captures are showing is the OVI app talking to
their cloud (I would speculate the app is just updating its catalog or
something of that sort).

I did not see even a mention of the word fingerprint, let alone
comparing the "fake" with the "real". Do I need to continue? :)

Krassi


On Thu, Jan 10, 2013 at 2:21 PM, Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
> When you look at what the Nokia Browser does in the non-TLS case you see
> that the Nokia Browser, like the Kindle Browser and Opera Mobile, uses a
> dedicated proxy server to avoid DNS latency and permit
> cached/compressed/reformatted web pages to be transmitted to the mobile
> device. This is performed by the Nokia Browser including the desired
> target URL as a private HTTP header.
>
> What I believe is occurring for https connections is that Nokia Browser
> is establishing a TLS connection to the Nokia Proxy and continuing to
> send the target URL as a private HTTP header. What is unclear is how
> the Nokia Browser interacts with the proxy under this situation. Is the
> Proxy providing a tunnel for the client or is it acting as a MITM?
>
> This does not appear to me to be a certificate being misused.
>
> Jeffrey Altman
>
>
> On 1/10/2013 4:53 PM, ianG wrote:
>
>> Just on that theme of multiple attacks from different vectors leading to
>> questions at the systemic level, another certificate failure just got
>> posted on slashdot:
>>
>> http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including
>>
>>
>> "On Wednesday, security professional Gaurang Pandya outlined how Nokia
>> is hijacking Internet browsing traffic on some of its phones. As a
>> result, the company technically has access to all your Internet content,
>> including sensitive data that is sent over secure connections (HTTPS),
>> such as banking credentials and pretty much any other usernames and
>> passwords you use to login to services on the Internet. Last month,
>> Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a
>> proxy, instead of directly hitting the requested server. The connections
>> are either redirected to Nokia/Ovi proxy servers if the Nokia browser is
>> used, and to Opera proxy servers if the Opera Mini browser is used (both
>> apps use the same User-Agent)."
>>
>> Which Nokia apparently admits:
>>
>> "When temporary decryption of HTTPS connections is required on our proxy
>> servers, to transform and deliver users’ content, it is done in a secure
>> manner."
>>
>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
>>
>> Pictures above seem to indicate VeriSign as the CA, but whether that
>> means they know about the MITMing is not clear.
>>
>> iang
>>


