Can a normal proxy server decrypt your HTTPS even if it wants to? I'm by no means an expert on cryptography, but I assume they're only able to do this because they can include their keys on Nokia devices and tell them to trust it.
When I access a proxy on my computer, it can't do that. If an arbitrary proxy could MITM a secure connection, HTTPS would be useless.
No, an ordinary proxy cannot do that. HTTPS is supposed to be end-to-end. I.e. the communications can only be decrypted by the two endpoints. One of the main reasons for signed SSL certificates is to prevent a middleman from masquerading as the endpoint and convincing your browser to negotiate encryption with the middleman rather than the real endpoint.
So I presume the Nokia browser is complicit in this scheme.
Google Chrome sends all my pages to translation and what-not. I have to completely trust it. That's why I never use the compiled version but the Chromium one only (hence not having access to any addon via the addon site, have to do some manual work there).
Even besides the browser, how many computers don't I see the Skype button next to phone numbers? Would you trust Skype is behaving and not sending your data to their servers? Did you remember to disable this add-on for SSL pages?
A browser based on an open-source codebase with many people auditing its source-code and network traffic (there was much paranoia about Chrome when it was released). And even in that case, you have the choice to use a completely open-source browser that has a different stance on user privacy (Firefox).
An NPAPI plugin that can be easily disabled.
A third-party BOX MITMing all your secure connections without your knowledge.
I don't think the above are comparable in magnitude.
You're right--the third is the worst by far. And this proves that you can't trust a pre-installed, commercial browser until it has been thoroughly audited by independent researchers.
They don't decrypt HTTPS. The NokiaBrowser (former OviBrowser) is a "proxy browser", a different application that talks to Nokia servers and these servers then establish a regular HTTPS connection. The same as Opera Mini. There is one more layer of abstraction.
Do you trust your phone operating system? How do you know it is not capturing your data when you access a bank website? Same issue here.
The one difference is that the Nokia servers might be a bigger target for hacking, instead of hacking individual phones.
If the proxy also gives you certs to trust, it can. Many corporate proxies do this (silently, as they control the PCs) and I've seen more than one academic campus where to access the wifi you have to accept a certificate.
On iOS this comes up after connecting to wifi as a reassuring, secure-seeming, official-looking page that pops up inviting you to accept the new certificate. Do so and boom, you're vulnerable to a MITM.
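Added example, not part of the thread: a simplified model of the client-side certificate check discussed above. It shows that a proxy's re-issued certificate is rejected until the proxy's root is in the trust store, and that an issuer pin still flags it afterwards. Toy RSA on Mersenne primes stands in for real signatures, and every name here (`client_accepts`, `bank.example`, the CA names) is an assumption made for the model.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key below

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 -> (n, d). Not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, key):
    return pow(h(msg, key[0]), key[1], key[0])

def verify(msg, sig, n):
    return pow(sig, E, n) == h(msg, n)

@dataclass(frozen=True)
class Cert:
    subject: str   # host name the certificate is for
    key_n: int     # subject's public modulus
    issuer: str    # name of the CA that signed it
    sig: int       # CA signature over subject and key

def issue(subject, subject_key, ca_name, ca_key):
    return Cert(subject, subject_key[0], ca_name,
                sign(f"{subject}|{subject_key[0]}", ca_key))

def client_accepts(host, cert, proof, nonce, trust_store, pins=None):
    """Model of the checks a client makes during the handshake."""
    ca_n = trust_store.get(cert.issuer)          # is the issuer a trusted root?
    if ca_n is None or cert.subject != host:
        return False
    if not verify(f"{cert.subject}|{cert.key_n}", cert.sig, ca_n):
        return False
    if not verify(nonce, proof, cert.key_n):     # peer holds the private key?
        return False
    return pins is None or pins.get(host) == cert.issuer  # optional issuer pin

# Constructed actors and keys (assumptions for this model, not from the thread)
PUBLIC_CA, PROXY_CA = keypair(61, 89), keypair(107, 127)
SERVER, PROXY = keypair(521, 607), keypair(1279, 2203)
HOST, NONCE = "bank.example", "constructed-nonce"
real_cert = issue(HOST, SERVER, "Public CA", PUBLIC_CA)
proxy_cert = issue(HOST, PROXY, "Proxy CA", PROXY_CA)   # re-issued by the proxy
STOCK = {"Public CA": PUBLIC_CA[0]}
MANAGED = {**STOCK, "Proxy CA": PROXY_CA[0]}            # proxy root installed
```

On a device using `STOCK`, both the replayed genuine certificate and the re-issued one fail; with `MANAGED` the re-issued one passes unless the client also pins the expected issuer.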