Nokia admits to implementing a Man-In-The-Middle flaw in HTTPS

Posts: 4686
I know we discourage cross-posting between forum sections; I beg your indulgence, because I know more folks read MD than read the security forum. I mentioned this post, and a senior member here expressed shock that (1) Nokia would do this and (2) that the notice was missed.

For the past 15+ years, we have been teaching consumers that when we build systems using HTTPS (aka TLS/SSL) that we have made it secure. Or at least secure enough for sensitive things like accessing your bank account, brokerage, or doing online shopping where real money transfers.

The security folks have long suspected that some smartphone technologies break this agreement. They proxy the traffic through a vendor-specific server and then reformat, compress, and otherwise "make better" the communications. What this really is, no matter what the marketing words say, is an explicit Man In The Middle (MITM) attack. It reflects a fundamental weakness in all RSA-encrypted communications, exactly what we use in HTTPS and SSL, SSH, etc.

Posts: 43011
  • Likes 2
Point taken about the respective quantities of readership in both forums. But I'll close this topic so that any follow-up discussion (which I've just started) can happen in the Security forum - which is the proper place for that.