To summarize: Nokia was caught acting as an intermediary in encrypted
(and unencrypted) communications under the pretext of compressing data
packets. Communications from the system's applications are re-encrypted on
Nokia's servers without the user's express consent and are presented to
Internet servers as if they were an ordinary encrypted communication
coming from the user. This can be understood as identity impersonation
in encrypted communications.
The model on which it was discovered is the Nokia Asha 302 (fairly recent,
released last year, 2012), which runs the S40 system. Now you know which
phones not to buy...
Falkvinge's news item:
On Fri, Jan 11, 2013 at 2:09 PM, HerNenya <sabela(a)piratasdegalicia.org> wrote:
FYI
-------- Original Message --------
Subject: Falkvinge on Infopolicy
Date: Fri, 11 Jan 2013 11:21:06 +0000
From: Falkvinge on Infopolicy <rick(a)piratpartiet.se>
To: sabela(a)piratasdegalicia.org
Falkvinge on Infopolicy
Death Twitches: Nokia Caught Wiretapping Encrypted Traffic From Its
Handsets
Posted: 11 Jan 2013 02:55 AM PST
http://feedproxy.google.com/~r/Falkvinge-on-Infopolicy/~3/S8JeeGYd3MI/?utm_…
Privacy: Nokia, the cellphone manufacturer, has been listening in to all
encrypted communications from its handsets. Every connection advertised as
secure - banking, social networks, dating, corporate secrets - has been
covertly wiretapped by Nokia themselves and decrypted for analysis.
Security researcher Gaurang posted an article on January 5 about some
unexpected behavior with his Nokia handset. It would appear that no matter
which browser they used, the traffic would get diverted through Nokia's
servers.
Then, a followup article on January 9 dropped the bomb, and though the
article is quite technical: It wasn't enough that Nokia diverted all
traffic from its handsets through its own servers, it also decrypted the
encrypted traffic, re-encrypting it before passing it on, issuing HTTPS
certificates on the fly that the Nokia phone has been instructed to trust
as secure.
This means that Nokia has deliberately been wiretapping all traffic that
has been advertised as encrypted on Nokia handsets - including but not
limited to banking, dating, and corporate secrets.
This means that Nokia puts itself between your bank and you, and presents
itself as YourBank, Inc. to your phone. This wouldn't normally be possible,
if it weren't for the fact that the phone had been specifically designed
for this deceptive behavior, by installing a Nokia signing certificate on
the phone.
(The wiretapping is not just limited to encrypted traffic, by the way;
Nokia listens to non-encrypted traffic, too. However, in the case of
proxying, this can be excused if given a very large benefit of the doubt.)
Nokia has confirmed this behavior in correspondence with TechWeek Europe
(my highlight):
"The compression that occurs within the Nokia Xpress Browser means that
users can get faster web browsing and more value [...] when temporary
decryption of HTTPS connections is required on our proxy servers, to
transform and deliver users' content, it is done in a secure manner," a
Nokia spokesperson told TechWeek Europe.
So why is this a big deal?
It is a big deal because banks rely on having a secure connection all the
way to you. As do corporate networks. As do news outlets' protection of
sources. Anybody listening in to the conversation in the middle breaks the
whole concept of secrecy - and the phone was specifically designed by Nokia
to allow Nokia to listen in without telling you.
My, my. Secure connections are presenting themselves as secure end-to-end,
and a handset manufacturer breaches this most basic of trusts? We'd have a
very hard time trusting a company that says "yes, we're listening to all of
your encrypted communications, but we're not doing anything bad with it.
No, really."
If Nokia was in trouble over its handset sales already, this complete
breach of trustworthiness has to be a death twitch.
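The article's central point, that a signing certificate preinstalled on the handset makes the proxy's re-issued certificates validate normally, is what certificate pinning is meant to catch. The following is an added example, not part of the original e-mail or article; the host, CA names and byte strings are constructed, and trust is modelled as issuer-name membership rather than real signature verification.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded leaf certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def issuer_org(cert: dict) -> str:
    """organizationName from the issuer of an SSLSocket.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert: dict, der: bytes, device_roots: set, pins: dict) -> str:
    """Classify one observed connection: ok / intercepted / untrusted / unpinned."""
    host = dict(rdn[0] for rdn in cert["subject"])["commonName"]
    # Assumption: trust is modelled as issuer-name membership, not signature checks.
    if issuer_org(cert) not in device_roots:
        return "untrusted"    # ordinary validation would already reject this
    if host not in pins:
        return "unpinned"     # nothing to compare against
    if fingerprint(der) != pins[host]:
        return "intercepted"  # chain validates, yet it is not the site's certificate
    return "ok"

# Constructed sample data: byte strings stand in for DER certificates.
SITE_DER = b"constructed DER: bank.example signed by Example Public CA"
PROXY_DER = b"constructed DER: bank.example re-signed by Handset Vendor CA"
PINS = {"bank.example": fingerprint(SITE_DER)}  # recorded on a trusted network
DEVICE_ROOTS = {"Example Public CA", "Handset Vendor CA"}  # vendor root preinstalled

def sample_cert(issuer: str) -> dict:
    """Build a getpeercert()-shaped dict for bank.example (constructed)."""
    return {"subject": ((("commonName", "bank.example"),),),
            "issuer": ((("organizationName", issuer),),)}

def run_samples() -> list:
    return [
        classify(sample_cert("Example Public CA"), SITE_DER, DEVICE_ROOTS, PINS),
        classify(sample_cert("Handset Vendor CA"), PROXY_DER, DEVICE_ROOTS, PINS),
        classify(sample_cert("Unknown CA"), PROXY_DER, DEVICE_ROOTS, PINS),
    ]

if __name__ == "__main__":
    print(run_samples())
```

With a real connection, the DER bytes would come from `SSLSocket.getpeercert(binary_form=True)` and the pin from a fingerprint recorded over a network path that does not pass through the proxy.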