aspose file tools*
The moose likes Meaningless Drivel and the fly likes Nokia admits to implementing a Man-In-The-Middle flaw in HTTPS Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Other » Meaningless Drivel
Reply locked New topic
Author

Nokia admits to implementing a Man-In-The-Middle flaw in HTTPS

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    
    5

I know we discourage cross-posting between forum sections, I beg your indulgence, because I know more folks read MD than read the security forum. I mentioned this post, and a senior member here expressed shock that (1) Nokia would do this and (2) that the notice was missed.

http://www.coderanch.com/t/602568/Security/Nokia-admits-implementing-Man-Middle

For the past 15+ years, we have been teaching consumers that when we build systems using HTTPS (aka TLS/SSL) that we have made it secure. Or at least
secure enough for sensitive things like accessing your bank account, brokerage, or doing online shopping where real money transfers.

The security folks have long suspected that some smartphone technologies break this agreement. The proxy the traffic through a vendor-specific server and then reformat, compress, and otherwise "make better" the communications. What this really is, no matter what the marketing words say, is an explicit Man In The Middle (MITM) attack. It reflects a fundamental weakness in all RSA encrypted communications, exactly what we use in HTTPS and SSL, SSH, etc.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42929
    
  68
Point taken about the respective quantities of readership in both forums. But I'll close this topic so that any follow-up discussion (which I've just started) can happen in the Security forum - which is the proper place for that.
 
permaculture playing cards
 
subject: Nokia admits to implementing a Man-In-The-Middle flaw in HTTPS