Nokia Admits to Decrypting Lumia Owners’ Secure Web Traffic

On the surface, Nokia’s proxy-based Xpress Web browser — available for the manufacturer’s Asha and flagship Lumia handsets — sounds nothing short of excellent, routing Internet traffic through Nokia’s servers in order to compress data and eliminate precious bits that would otherwise count toward your cellular data cap. So far so good, right? Now for the bad part. As part of the process, Nokia’s servers temporarily decrypt all HTTPS data sent its way — without clearly informing end users of the fact.

Websites often use HTTPS to secure sensitive information such as payment details and other intensely personal tidbits. Security researcher Gaurang Pandya first discovered the issue, which is essentially a man-in-the-middle attack — but, Nokia claims, a benign one. The company released a statement to GigaOm admitting that, yes, Nokia’s Xpress Browser servers do decrypt HTTPS-encrypted data in order to compress it, but no, Nokia doesn’t look at the unprotected information.

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner… Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

Basically, you have to trust Nokia’s word and its undescribed security procedures if you plan to continue using the Xpress Browser to send HTTPS traffic. A couple of Nokia’s actions in this ordeal come off as a bit questionable, however, even if there is no reason to believe Nokia is snooping on your Web traffic.

First, the company didn’t disclose the privacy-busting decryption in a straightforward way to its customers — a security researcher had to discover the procedure. Secondly, Pandya points out that Nokia configured the browser to automatically trust the security certificates issued by Nokia, which stops the Xpress browser from warning you about the HTTPS hijacking. In other words, the company’s circumventing a security procedure designed to inform people that the server they’re communicating with isn’t the server they think they’re communicating with. That shatters the protection HTTPS is supposed to provide, and Nokia breaks that trust without clearly warning users up-front.
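The effect of a pre-trusted proxy certificate can be shown with a simplified model, added here as an illustration and not taken from Nokia's software or Pandya's research. It compares what a client decides with a stock trust store, with the proxy's CA added to that store, and with a key pin for the site; all certificate names and keys are constructed, and signature verification is reduced to an issuer-name match.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo

def spki_pin(cert):
    """Base64 SHA-256 of the public key info, the usual form of a key pin."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_trusted(chain, trust_store):
    """Simplified path check: each cert names the next as issuer, root is trusted."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trust_store

def assess(host, chain, trust_store, pins):
    """Return the client's verdict for the chain a server presented for host."""
    if not chain or chain[0].subject != host:
        return "warn: name mismatch"
    if not chain_trusted(chain, trust_store):
        return "warn: untrusted issuer"
    expected = pins.get(host)
    if expected and spki_pin(chain[0]) not in expected:
        return "alert: trusted chain, unexpected key (possible interception)"
    return "ok"

# Constructed sample data: every name and key below is hypothetical.
SITE_ROOT = Cert("Example Public Root", "Example Public Root", b"root-key")
PROXY_ROOT = Cert("Example Proxy CA", "Example Proxy CA", b"proxy-root-key")
GENUINE = [Cert("bank.example", "Example Public Root", b"site-key"), SITE_ROOT]
PROXIED = [Cert("bank.example", "Example Proxy CA", b"proxy-leaf-key"), PROXY_ROOT]

STOCK_STORE = {"Example Public Root"}
VENDOR_STORE = STOCK_STORE | {"Example Proxy CA"}  # proxy CA shipped as trusted
PINS = {"bank.example": {spki_pin(GENUINE[0])}}
```

With the stock store the proxied chain produces a warning; with the proxy CA pre-trusted it passes silently, and only the pin comparison reveals that the key is not the site's own.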

By comparison, other mobile browsers that offer data compression handle things a little differently. Opera Mini clearly states that it decrypts HTTPS traffic in its FAQ, whereas Amazon’s Silk browser doesn’t decrypt HTTPS traffic whatsoever. The Silk browser also doesn’t compress HTTPS traffic as a result, however. The bigger issue here isn’t so much what Nokia is doing as how the company is doing it.
