Nokia confirms HTTPS traffic is temporarily decrypted on its servers

Jan 11, 2013

Phone maker Nokia has confirmed recent reports claiming that it was decrypting HTTPS traffic originating from some of its smartphones. Nokia confirmed that its Xpress Browser, used on the company's Asha and Lumia smartphones, temporarily decrypts HTTPS traffic as it passes through Nokia servers.

Nokia confirmed that its servers are decrypting all the data that flows through HTTPS connections, even data from banking, encrypted e-mail, and other services. Nokia also says that there's no need for people to worry because it would never access the customer's data. Nokia's admission that it is decrypting encrypted web traffic comes after a security researcher from India detailed how secure browser traffic from his Series 40 Asha device was being routed through Nokia servers.

Originally, the researcher posted that general traffic was being routed via Nokia servers. That routing is done to compress data, which helps users save money by reducing the amount of data used. The researcher then came back and noted that secure HTTPS traffic is also being routed through Nokia services and that Nokia had access to that data in unencrypted form.

The researcher, Gaurang Pandya, wrote that it was evident Nokia was performing a man-in-the-middle attack. The researcher claims that Nokia would have access to clear-text information that could include login information for social networks, banking, and anything else transmitted by HTTPS. The researcher also noted that decrypting the information goes against Nokia's privacy statement, which says it doesn't collect usernames or passwords during purchase transactions. For its part, Nokia says that it doesn't store any of the information that passes through its servers.

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

“Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

[via Gigaom]

