On Thu, Jan 10, 2013 at 3:58 PM, wrote: > I'm curious if they have data about how much compression they are > achieving? Most HTTPS servers are set up by people who use quite a bit of > compression in the payload (gzip of web pages, etc, "minification" of > javascript), so I would hypothesize that the actual savings are minimal on > the average. > My finger in the air suggests that it is no more than 30% on average. Is it worth it? If it's up to 1/3 of more media time available for other stations to send data, perhaps it is. > However, it points out that there is a man-in-the-middle problem with > HTTPS alone. Your phone's browser should be checking the certificates more > rigorously than it does. It can do that quite easily, and I think the > destination can do that in Javascript that comes with the pages. > Hmm, wouldn't something like HTTPS Everywhere + SSL Observatory help here? It should detect the certs are different than what they've been seen by other users. > "We don't look" is not a defense in the EU privacy regime, and probably > not in the US one (though many US Senators think that ISP's looking at > content is just fine). > You are right. There's a different angle than privacy here too. A one that users should be able to understand better. Such a phone might also be a security threat. Maybe Nokia don't do anyting with except compression, but malicious code knowing this might steer the compromised browser+dodgy_cert+phone to rob you of money in your bank. Maciej > ---Original Message----- > From: "Maciej Soltysiak" > Sent: Thursday, January 10, 2013 9:46am > To: cerowrt-devel@lists.bufferbloat.net > Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to > improve speed > > > http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking > Have a look at what corporations resort to when they're in need of > serious debloating and things like TCP Fast Open? :-| > Regards, > Maciej >