Acceptable use of SSL MITM attack by Nokia?
While going through my Twitter feed today, I stumbled across a tweet pointing to some articles about Nokia, which has been employing a Man-in-the-Middle attack in one of its products.
Apparently, the browser on Nokia's Asha phones doesn't connect to websites directly. Instead, it connects to Nokia's servers, which act as a proxy to the actual website: Nokia's service fetches the requested page and sends it back to the phone in compressed form, in order to give its customers a cheaper and faster experience.
One could say this seems like an excellent service, especially in India (at which the Asha phone appears to be specifically aimed), where mobile data plans are outrageously expensive. There is a catch, however: Nokia has been doing the very same trick to SSL-protected websites as well, thus breaking the end-to-end security that SSL is supposed to provide.
Instead of leaving SSL connections untouched, so that they happen directly between the phone's browser and the site, Nokia's service makes the SSL connection to the requested site itself, decrypts the response, and delivers it back to the browser over a second SSL connection, using a certificate signed by Nokia's own certificate authority, which the phone has been configured to trust. Because that CA is in the phone's trust store, the browser's certificate check passes and the user sees no warning, while the plaintext of every request and response passes through Nokia's servers.
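To make that trust relationship concrete, here is an added example in Go, written for this edit with the standard library only; it is not code from the original post, from Nokia, or from any real product. It constructs two CAs, a stand-in for a public web CA and a stand-in for a proxy operator's CA; the CA names, the host example.com and all keys are made up for the demonstration. Each CA issues a certificate for the same hostname. A client whose root store also contains the proxy operator's CA, the situation described above for the Asha phone, validates the proxy's certificate without complaint, while a client that trusts only the public CA rejects it. The example also computes the SPKI pin of each certificate, the check that would catch the substitution even on a device that trusts the extra root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// signCert issues a certificate from tmpl with a fresh P-256 key. A nil parent
// means self-signed (a root CA); otherwise parent's key signs it.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template holds the minimal fields a CA (isCA) or a server certificate for host "name" needs.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a site publishes for key pinning.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Result records how each client judges the certificate the proxy presents for the site.
type Result struct {
	AcceptedWithVendorRoot    bool // client that also trusts the proxy operator's CA (the Asha model)
	AcceptedWithoutVendorRoot bool // client that trusts only the public CA
	PinMatches                bool // proxy certificate's SPKI pin equals the site's real pin
}

// RunScenario builds two constructed CAs, a "public" one and the proxy operator's, has each
// issue a certificate for host, and validates the proxy's certificate as two clients would.
func RunScenario(host string) (Result, error) {
	publicCA, publicKey, err := signCert(template("Public Web CA (constructed)", true), nil, nil)
	if err != nil {
		return Result{}, err
	}
	proxyCA, proxyKey, err := signCert(template("Proxy Operator CA (constructed)", true), nil, nil)
	if err != nil {
		return Result{}, err
	}
	siteLeaf, _, err := signCert(template(host, false), publicCA, publicKey) // the site's real cert
	if err != nil {
		return Result{}, err
	}
	proxyLeaf, _, err := signCert(template(host, false), proxyCA, proxyKey) // the proxy's substitute
	if err != nil {
		return Result{}, err
	}
	withoutVendor, withVendor := x509.NewCertPool(), x509.NewCertPool()
	withoutVendor.AddCert(publicCA)
	withVendor.AddCert(publicCA)
	withVendor.AddCert(proxyCA) // the extra root the device ships with
	accepts := func(roots *x509.CertPool) bool { // what the browser's chain check does
		_, err := proxyLeaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	return Result{
		AcceptedWithVendorRoot:    accepts(withVendor),
		AcceptedWithoutVendorRoot: accepts(withoutVendor),
		PinMatches:                spkiPin(proxyLeaf) == spkiPin(siteLeaf),
	}, nil
}

func main() {
	r, err := RunScenario("example.com")
	fmt.Printf("%+v error=%v\n", r, err)
}
```

Run it with `go run`; it prints `{AcceptedWithVendorRoot:true AcceptedWithoutVendorRoot:false PinMatches:false}`. The point of the two pools is that chain validation only answers "does some root I trust vouch for this name", so one extra root is enough to make the proxy's certificate look genuine for every site. The SPKI pin is the only value here that is tied to the site operator's own key, which is why it differs for the substitute.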
Nokia claims it doesn't store any content of these web pages and that its staff are unable to access the information, but this is no excuse. It doesn't take much effort to come up with ways in which the data could still be exposed: an employee going rogue, Nokia's servers being breached, or a government surveillance agency such as, say, the NSA installing a massive digital wiretap at the point where the traffic is decrypted.
Nokia isn't the first, or only, company to break end-to-end security this way; Opera, for example, does the same thing, but at least they're open about it. I cannot help but see this as a slippery slope. While reducing the cost and improving the speed of (mobile) bandwidth is a noble goal, I strongly believe security and privacy should not be second-class citizens here.