
Nokia admits to implementing a Man-In-The-Middle flaw in HTTPS

 
Pat Farrell
Rancher
Posts: 4678
I know we discourage cross-posting between forum sections; I beg your indulgence, because I know more folks read MD than read the security forum. I mentioned this post, and a senior member here expressed shock that (1) Nokia would do this and (2) the notice was missed.

http://www.coderanch.com/t/602568/Security/Nokia-admits-implementing-Man-Middle

For the past 15+ years, we have been teaching consumers that when we build systems using HTTPS (aka TLS/SSL) that we have made it secure. Or at least secure enough for sensitive things like accessing your bank account, brokerage, or doing online shopping where real money transfers.

The security folks have long suspected that some smartphone technologies break this agreement. They proxy the traffic through a vendor-specific server and then reformat, compress, and otherwise "make better" the communications. What this really is, no matter what the marketing words say, is an explicit Man In The Middle (MITM) attack. It reflects a fundamental weakness in all RSA-encrypted communications, exactly what we use in HTTPS and SSL, SSH, etc.

 
Ulf Dittmer
Rancher
Posts: 42968
  • Likes 2
Point taken about the respective quantities of readership in both forums. But I'll close this topic so that any follow-up discussion (which I've just started) can happen in the Security forum - which is the proper place for that.
 