From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from smtp171.iad.emailsrvr.com (smtp171.iad.emailsrvr.com
[207.97.245.171])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by huchra.bufferbloat.net (Postfix) with ESMTPS id 9C2B321F0A2
for ;
Thu, 10 Jan 2013 13:51:02 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp37.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id
72C053B05AE; Thu, 10 Jan 2013 16:51:01 -0500 (EST)
X-Virus-Scanned: OK
Received: from legacy12.wa-web.iad1a (legacy12.wa-web.iad1a.rsapps.net
[192.168.4.98])
by smtp37.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id
5A17A3B059C; Thu, 10 Jan 2013 16:51:01 -0500 (EST)
Received: from reed.com (localhost.localdomain [127.0.0.1])
by legacy12.wa-web.iad1a (Postfix) with ESMTP id 4A7CF12856A;
Thu, 10 Jan 2013 16:51:01 -0500 (EST)
Received: by apps.rackspace.com
(Authenticated sender: dpreed@reed.com, from: dpreed@reed.com)
with HTTP; Thu, 10 Jan 2013 16:51:01 -0500 (EST)
Date: Thu, 10 Jan 2013 16:51:01 -0500 (EST)
From: dpreed@reed.com
To: "Maciej Soltysiak"
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_20130110165101000000_90688"
Importance: Normal
X-Priority: 3 (Normal)
X-Type: html
In-Reply-To:
References:
<1357829880.67618376@apps.rackspace.com>
Message-ID: <1357854661.301326601@apps.rackspace.com>
X-Mailer: webmail7.0
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to
improve speed
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 10 Jan 2013 21:51:02 -0000
------=_20130110165101000000_90688
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
=0AWhere is the data decompressed again? That's a vulnerable point, too. =
It's where I would attack - a much more "target rich environment" to make m=
oney, because you see *everybody's* data in the clear there.=0A =0AIn other=
words, the vulnerability is not just "in the phone" but systemic.=0A =0ACr=
eating a concentrated vultnerability, with uncertain protection - in the US=
, this would also violate HIPAA compliance, which is a *very* serious law, =
with very severe monetary and felony criminal consequences for anyone who s=
ystematically opens up encrypted personal health-related data. One violati=
on by Nokia technology would be enough to trigger the HIPAA stuff, if inten=
tional.=0A =0A =0A-----Original Message-----=0AFrom: "Maciej Soltysiak" =0ASent: Thursday, January 10, 2013 11:50am=0ATo: dpreed=
@reed.com=0ACc: cerowrt-devel@lists.bufferbloat.net=0ASubject: Re: [Cerowrt=
-devel] Nokia decrypts user's HTTPS to compress to improve speed=0A=0A=0A=
=0AOn Thu, Jan 10, 2013 at 3:58 PM, <[mailto:dpreed@reed.com] dpreed@reed.c=
om> wrote:=0A=0AI'm curious if they have data about how much compression th=
ey are achieving? Most HTTPS servers are set up by people who use quite a =
bit of compression in the payload (gzip of web pages, etc, "minification" o=
f javascript), so I would hypothesize that the actual savings are minimal o=
n the average.=0AMy finger in the air suggests that it is no more than 30% =
on average. Is it worth it? If it's up to 1/3 of more media time available =
for other stations to send data, perhaps it is.=0A=0AHowever, it points out=
that there is a man-in-the-middle problem with HTTPS alone. Your phone's =
browser should be checking the certificates more rigorously than it does. =
It can do that quite easily, and I think the destination can do that in Jav=
ascript that comes with the pages.=0AHmm, wouldn't something like HTTPS Eve=
rywhere + SSL Observatory help here? It should detect the certs are differe=
nt than what they've been seen by other users.=0A=0A"We don't look" is not =
a defense in the EU privacy regime, and probably not in the US one (though =
many US Senators think that ISP's looking at content is just fine).=0AYou a=
re right. There's a different angle than privacy here too. A one that users=
should be able to understand better. Such a phone might also be a security=
threat. Maybe Nokia don't do anyting with except compression, but maliciou=
s code knowing this might steer the compromised browser+dodgy_cert+phone to=
rob you of money in your bank.=0A=0A=0A=0AMaciej=0A=0A=0A=0A---Original Me=
ssage-----=0AFrom: "Maciej Soltysiak" <[mailto:maciej@soltysiak.com] maciej=
@soltysiak.com>=0A Sent: Thursday, January 10, 2013 9:46am=0ATo: [mailto:ce=
rowrt-devel@lists.bufferbloat.net] cerowrt-devel@lists.bufferbloat.net=0ASu=
bject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve s=
peed=0A=0A=0A=0A[http://yro.slashdot.org/story/13/01/10/1356228/nokia-admit=
s-decrypting-user-data-claiming-it-isnt-looking] http://yro.slashdot.org/st=
ory/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-loo=
king=0AHave a look at what corporations resort to when they're in need of s=
erious debloating and things like TCP Fast Open? :-|=0ARegards,=0AMaciej
------=_20130110165101000000_90688
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
=
Where is the data decompressed again? That's a vulnerable point, too.=
It's where I would attack - a much more "target rich environment" to=
make money, because you see *everybody's* data in the clear there.
=0A<=
p style=3D"margin:0;padding:0;">
=0AIn other words, the vulnerability is not just "in the phone" but systemi=
c.
=0A
=0ACreating a concentrated vultnerability, with uncertain protect=
ion - in the US, this would also violate HIPAA compliance, which is a *very=
* serious law, with very severe monetary and felony criminal consequences f=
or anyone who systematically opens up encrypted personal health-related dat=
a. One violation by Nokia technology would be enough to trigger the H=
IPAA stuff, if intentional.
=0A =
p>=0A
=0A-----Original Message-----
From: "Maciej Soltysiak" <macie=
j@soltysiak.com>
Sent: Thursday, January 10, 2013 11:50am
To: =
dpreed@reed.com
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: =
Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve spee=
d
=0A=0A
On Thu, Jan 10, 2013 at 3:58 PM,
<dpreed@reed.com> wro=
te:
=0A
=0AI'm curious if they have data about how much compression they=
are achieving? Most HTTPS servers are set up by people who use quite=
a bit of compression in the payload (gzip of web pages, etc, "minification=
" of javascript), so I would hypothesize that the actual savings are minima=
l on the average.
=0A
=0A
My finger in the air su=
ggests that it is no more than 30% on average. Is it worth it? If it's up t=
o 1/3 of more media time available for other stations to send data, perhaps=
it is.
=0A
=0A
<=
span style=3D"font-family: times new roman;">=0AHowever, it points out that there is a man-=
in-the-middle problem with HTTPS alone. Your phone's browser should b=
e checking the certificates more rigorously than it does. It can do t=
hat quite easily, and I think the destination can do that in Javascript tha=
t comes with the pages.
=0A
=0A
Hmm, wouldn't som=
ething like HTTPS Everywhere + SSL Observatory help here? It should de=
tect the certs are different than what they've been seen by other users.=0A
=0A
=0A"We don=
't look" is not a defense in the EU privacy regime, and probably not in the=
US one (though many US Senators think that ISP's looking at content is jus=
t fine).
=0A
=0A
You are right. There=
's a different angle than privacy here too. A one that users should be able=
to understand better. Such a phone might also be a security threat. M=
aybe Nokia don't do anyting with except compression, but malicious code kno=
wing this might steer the compromised browser+dodgy_cert+phone to rob you o=
f money in your bank.
=0A
=0A
=0A
=0A
Maciej=0A
=0A
=
=0A=0A
=
=0A
---Original M=
essage-----
From: "Maciej Soltysiak" <maciej@soltysiak.com>
Sent: Thurs=
day, January 10, 2013 9:46am
To: cerowrt-devel@lists.bufferbloat.net=
Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to i=
mprove speed
=0A
=0A
=0A
Have a look at what corporations resort to when they're in need of serio=
us debloating and things like TCP Fast Open? :-|=0A
Regards,
=0A
Maciej
=0A
=0A
=0A
=0A=0A<=
/div>=0A
------=_20130110165101000000_90688--