Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Is it even possible? HTTPS is used to avoid any possibility of man in the middle attack. How can nokia's proxy servers be able to decrypt that encrypted information unless they themselves have the private key?


It's pretty standard for corporate proxy servers - at least in financial companies where theres regulations that tend to require some level of monitoring of external communications.

It's a simple MITM attack, where the endpoint (your browser) has a whitelisted certificate for the proxy, so the browser is happy that it's talking to a correctly signed certificate that it trusts, and the proxy uses the the certificate for the other end of the connection.


One provider of "next-generation" firewalls that do this is Palo Alto Networks:

http://www.paloaltonetworks.com/products/features/decryption...

It works for SSH too, if you are not careful about host keys and fingerprints.


Actually corporate proxy servers generally use CONNECT to allow HTTPS through.


and what is that?


Wikipedia describes it briefly at http://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_Tunnel.... The most recent standard for it appears to be RFC 2817 section 5.2, http://tools.ietf.org/html/rfc2817#section-5.2, and it’s also in the HTTPbis Semantics and Content drafts, currently at http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-2....


thats super cool.


Fortunately that kind of wiretapping is a crime in most of the civilized world, finance sector employer or not.


If they are really doing it, its really bad.


It's not really a man-in-the-middle, as Nokia is actually controlling one of the two end points, that is, the browser.


It's more like a browser running on a remote desktop (you have hopefully exclusive access to) which sends your phone the repackaged html and recompressed images instead of a screencast.


My guess is that the browser just won't tell you who the other party is. Whenever you go to a secure site you actually connect to (and are encrypted with) Nokia's server. That server then connects to the remote site securely.


The only way I can think is if Nokia operate their own CA and configure the phones to trust it. They then issue their own certificate for any site you visit which your phone will trust.

I don't think that's what is happening, we need further explanation. Although if that is what is happening it;s really bad as they would effectively be impersonating the sites.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: