[cryptography] yet another certificate MITM attack

Jeffrey Walton noloader at gmail.com
Thu Jan 10 18:17:29 EST 2013


On Thu, Jan 10, 2013 at 6:02 PM, Krassimir Tzvetanov
<maillists at krassi.biz> wrote:
> What the wireshark captures are showing is the OVI app talking to
> their cloud (I would speculate the app is just updating its catalog or
> something of that sort).
>
> I did not see even a mention of the word fingerprint. Let alone
> comparing the "fake" with the "real".  Do I need to continue :)

From Ian's initial post (below). It begs the question, why would Nokia
even comment or admit to tampering with the secure channel?

>>> Which Nokia apparently admits:
>>>
>>> "When temporary decryption of HTTPS connections is required on our proxy
>>> servers, to transform and deliver users’ content, it is done in a secure
>>> manner."
>>>
>>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/

Not that it matters to folks like Mozilla.....

Jeff

> On Thu, Jan 10, 2013 at 2:21 PM, Jeffrey Altman
> <jaltman at secure-endpoints.com> wrote:
>> When you look at what the Nokia Browser does in the non-TLS case you see
>> that the Nokia Browser, like the Kindle Browser and Opera Mobile, uses a
>> dedicated proxy server to avoid DNS latency and permit
>> cached/compressed/reformatted web pages to be transmitted to the mobile
>> device.  This is performed by the Nokia Browser including the desired
>> target URL as a private http header.
>>
>> What I believe is occurring for https connections is that Nokia Browser
>> is establishing a TLS connection to the Nokia Proxy and continuing to
>> send the target URL as a private http header.   What is unclear is how
>> the Nokia Browser interacts with the proxy under this situation.  Is the
>> Proxy providing a tunnel for the client or is it acting as a MITM?
>>
>> This does not appear to me to be a certificate being misused.
>>
>> Jeffrey Altman
>>
>>
>> On 1/10/2013 4:53 PM, ianG wrote:
>>
>>> Just on that theme of multiple attacks from different vectors leading to
>>> questions at the systemic level, another certificate failure just got
>>> posted on slashdot:
>>>
>>> http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including
>>>
>>>
>>> "On Wednesday, security professional Gaurang Pandya outlined how Nokia
>>> is hijacking Internet browsing traffic on some of its phones. As a
>>> result, the company technically has access to all your Internet content,
>>> including sensitive data that is sent over secure connections (HTTPS),
>>> such as banking credentials and pretty much any other usernames and
>>> passwords you use to login to services on the Internet. Last month,
>>> Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a
>>> proxy, instead of directly hitting the requested server. The connections
>>> are either redirected to Nokia/Ovi proxy servers if the Nokia browser is
>>> used, and to Opera proxy servers if the Opera Mini browser is used (both
>>> apps use the same User-Agent)."
>>>
>>> Which Nokia apparently admits:
>>>
>>> "When temporary decryption of HTTPS connections is required on our proxy
>>> servers, to transform and deliver users’ content, it is done in a secure
>>> manner."
>>>
>>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
>>>
>>> Pictures above seem to indicate VeriSign as the CA, but whether that
>>> means they know about the MITMing is not clear.


