From: dpreed@reed.com
To: "Maciej Soltysiak"
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 10 Jan 2013 16:51:01 -0500 (EST)
Subject: Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
Message-ID: <1357854661.301326601@apps.rackspace.com>
References: <1357829880.67618376@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project

Where is the data decompressed again? That's a vulnerable point, too. It's where I would attack - a much more "target rich environment" to make money, because you see *everybody's* data in the clear there.

In other words, the vulnerability is not just "in the phone" but systemic.

Creating a concentrated vulnerability, with uncertain protection - in the US, this would also violate HIPAA compliance, which is a *very* serious law, with very severe monetary and felony criminal consequences for anyone who systematically opens up encrypted personal health-related data. One violation by Nokia technology would be enough to trigger the HIPAA stuff, if intentional.

-----Original Message-----
From: "Maciej Soltysiak" <maciej@soltysiak.com>
Sent: Thursday, January 10, 2013 11:50am
To: dpreed@reed.com
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed

On Thu, Jan 10, 2013 at 3:58 PM, <dpreed@reed.com> wrote:

> I'm curious if they have data about how much compression they are achieving? Most HTTPS servers are set up by people who use quite a bit of compression in the payload (gzip of web pages, etc, "minification" of javascript), so I would hypothesize that the actual savings are minimal on the average.

My finger in the air suggests that it is no more than 30% on average. Is it worth it? If it's up to 1/3 of more media time available for other stations to send data, perhaps it is.

> However, it points out that there is a man-in-the-middle problem with HTTPS alone. Your phone's browser should be checking the certificates more rigorously than it does. It can do that quite easily, and I think the destination can do that in Javascript that comes with the pages.

Hmm, wouldn't something like HTTPS Everywhere + SSL Observatory help here? It should detect the certs are different than what they've been seen by other users.

> "We don't look" is not a defense in the EU privacy regime, and probably not in the US one (though many US Senators think that ISPs looking at content is just fine).

You are right. There's a different angle than privacy here too. One that users should be able to understand better. Such a phone might also be a security threat. Maybe Nokia don't do anything with it except compression, but malicious code knowing this might steer the compromised browser+dodgy_cert+phone to rob you of money in your bank.

Maciej

> -----Original Message-----
> From: "Maciej Soltysiak" <maciej@soltysiak.com>
> Sent: Thursday, January 10, 2013 9:46am
> To: cerowrt-devel@lists.bufferbloat.net
> Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
>
> http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking
> Have a look at what corporations resort to when they're in need of serious debloating and things like TCP Fast Open? :-|
> Regards,
> Maciej
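The comparison suggested in the quoted reply (check the certificate a client was shown against what other users have seen for the same host) can be sketched as follows. This is an added example, not code from the thread, HTTPS Everywhere or the SSL Observatory; the data layout, the function names and the placeholder byte strings standing in for DER certificates are assumptions, and the grouping by issuer goes one step beyond what the reply describes.

```python
import hashlib
from collections import Counter, defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER bytes, as hex."""
    return hashlib.sha256(der).hexdigest()

def compare_with_others(host, local_der, seen_by_others):
    """Classify the certificate this client was shown for `host`.

    seen_by_others: host -> Counter({fingerprint: reports from other users}).
    """
    reports = seen_by_others.get(host)
    if not reports:
        return "no-data"            # nobody else has reported this host
    return "consistent" if fingerprint(local_der) in reports else "mismatch"

def issuers_of_mismatches(local_view, seen_by_others, min_hosts=2):
    """Issuers behind mismatching certificates for at least `min_hosts` hosts.

    local_view: host -> (leaf DER bytes, issuer name as shown to this client).
    One issuer vouching for several unrelated hosts, none of which other users
    see it vouch for, is what a re-signing intermediary looks like.
    """
    by_issuer = defaultdict(list)
    for host, (der, issuer) in sorted(local_view.items()):
        if compare_with_others(host, der, seen_by_others) == "mismatch":
            by_issuer[issuer].append(host)
    return {i: h for i, h in by_issuer.items() if len(h) >= min_hosts}

# Constructed sample data: placeholder byte strings stand in for DER certificates.
PUBLIC = {h: f"constructed-der|{h}|public-ca".encode()
          for h in ("bank.example", "mail.example", "shop.example")}
SEEN_BY_OTHERS = {h: Counter({fingerprint(d): 40}) for h, d in PUBLIC.items()}
LOCAL_VIEW = {
    "bank.example": (b"constructed-der|bank.example|proxy", "Constructed Proxy CA"),
    "mail.example": (b"constructed-der|mail.example|proxy", "Constructed Proxy CA"),
    "shop.example": (PUBLIC["shop.example"], "Constructed Public CA"),
    "new.example": (b"constructed-der|new.example|public-ca", "Constructed Public CA"),
}

if __name__ == "__main__":
    for host, (der, _) in sorted(LOCAL_VIEW.items()):
        print(host, compare_with_others(host, der, SEEN_BY_OTHERS))
    print(issuers_of_mismatches(LOCAL_VIEW, SEEN_BY_OTHERS))
```

A mismatch on a single host can also be a routine certificate rotation, which is why the second function looks for one issuer behind mismatches on several hosts.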