From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mcr@sandelman.ca>
Received: from tuna.sandelman.ca (unknown
	[IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3])
	by huchra.bufferbloat.net (Postfix) with ESMTP id 6BC0E21F14E
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 10 Jan 2013 07:45:36 -0800 (PST)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2::247])
	by tuna.sandelman.ca (Postfix) with ESMTP id 0CF302016D;
	Thu, 10 Jan 2013 10:49:58 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179)
	id F06B663765; Thu, 10 Jan 2013 10:44:47 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1])
	by sandelman.ca (Postfix) with ESMTP id E067063761;
	Thu, 10 Jan 2013 10:44:47 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: dpreed@reed.com
In-Reply-To: <1357829880.67618376@apps.rackspace.com>
References: <CAMZR1YAFhAs=_7hAiAjX12_QSBYxpFx1gUjEtwk-DjgimVKR0Q@mail.gmail.com>
	<1357829880.67618376@apps.rackspace.com>
X-Mailer: MH-E 8.3; nmh 1.3-dev; XEmacs 21.4 (patch 22)
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;
	<'$9xN5Ub#
	z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
Date: Thu, 10 Jan 2013 10:44:47 -0500
Message-ID: <17284.1357832687@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to
	improve speed
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2013 15:45:37 -0000


>>>>> "dpreed" == dpreed  <dpreed@reed.com> writes:
    dpreed> However, it points out that there is a man-in-the-middle
    dpreed> problem with HTTPS alone.  Your phone's browser should be
    dpreed> checking the certificates more rigorously than it does.  It
    dpreed> can do that quite easily, and I think the destination can do
    dpreed> that in Javascript that comes with the pages. 

The problem is that you have to trust someone, and in this case, if you
have a nokia phone (I guess, a windows phone), then you have to trust
it.  The browser could lie to the Javascript just as easily.

BTW: microsoft lets one force new trusted root CAs into desktops via
Active Directory "group policy", and they've been doing this exact thing
for years in order to enable "virus scanning"

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [