From: Maciej Soltysiak
To: dpreed@reed.com
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 10 Jan 2013 17:50:08 +0100
Subject: Re: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
In-Reply-To: <1357829880.67618376@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project
On Thu, Jan 10, 2013 at 3:58 PM, <dpreed@reed.com> wrote:

> I'm curious if they have data about how much compression they are
> achieving? Most HTTPS servers are set up by people who use quite a bit of
> compression in the payload (gzip of web pages, etc, "minification" of
> javascript), so I would hypothesize that the actual savings are minimal on
> the average.

My finger in the air suggests that it is no more than 30% on average. Is it worth it? If it's up to 1/3 more media time available for other stations to send data, perhaps it is.

> However, it points out that there is a man-in-the-middle problem with
> HTTPS alone. Your phone's browser should be checking the certificates more
> rigorously than it does. It can do that quite easily, and I think the
> destination can do that in Javascript that comes with the pages.

Hmm, wouldn't something like HTTPS Everywhere + SSL Observatory help here? It should detect that the certs are different from what other users have seen.

> "We don't look" is not a defense in the EU privacy regime, and probably
> not in the US one (though many US Senators think that ISPs looking at
> content is just fine).

You are right. There's a different angle than privacy here too, one that users should be able to understand better. Such a phone might also be a security threat. Maybe Nokia don't do anything with it except compression, but malicious code knowing this might steer the compromised browser+dodgy_cert+phone to rob you of money in your bank.

Maciej

> -----Original Message-----
> From: "Maciej Soltysiak"
> Sent: Thursday, January 10, 2013 9:46am
> To: cerowrt-devel@lists.bufferbloat.net
> Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
>
> http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking
> Have a look at what corporations resort to when they're in need of serious debloating and things like TCP Fast Open? :-|
> Regards,
> Maciej
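The thread above mentions SSL Observatory-style detection: compare the certificate your client is shown with what other vantage points have seen for the same host, because a carrier-side proxy that terminates TLS must present its own certificate, which nobody else observes. The following is an added example written for this page, not code from the thread, from EFF's HTTPS Everywhere, or from Nokia; the certificate bytes, host name and observation records are all constructed placeholders, and the SHA-256-over-DER fingerprint and the observer-count threshold are this example's own design choices.

```python
"""Observatory-style certificate consistency check (added example).

Given the DER bytes of the leaf certificate a client was just presented for
a host, and a log of (host, fingerprint, observer) records collected from
other vantage points, classify the presented certificate:

  consistent           fingerprint seen by >= min_observers distinct observers
  weakly-corroborated  seen, but by fewer observers (e.g. a rotation in progress)
  mismatch             host is known, but this fingerprint was never observed
  unknown              no prior observations for the host at all

All certificates and observations below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    fingerprint: str   # hex SHA-256 over the DER encoding of the leaf cert
    observer: str      # identifier of the vantage point that reported it


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(der).hexdigest()


def check_certificate(host, der, observations, min_observers=3):
    """Return (verdict, distinct_observers_for_this_fingerprint).

    Observers are deduplicated per fingerprint so that one vantage point
    reporting the same certificate many times cannot manufacture consensus.
    """
    fp = fingerprint(der)
    observers_by_fp = {}
    for o in observations:
        if o.host == host:
            observers_by_fp.setdefault(o.fingerprint, set()).add(o.observer)
    if not observers_by_fp:
        return ("unknown", 0)
    n = len(observers_by_fp.get(fp, ()))
    if n >= min_observers:
        return ("consistent", n)
    if n > 0:
        return ("weakly-corroborated", n)
    return ("mismatch", 0)


# --- constructed sample data (placeholders, not real certificates) ---------
CERT_A = b"CONSTRUCTED-DER: bank.example leaf issued by a public CA"
CERT_B = b"CONSTRUCTED-DER: bank.example replacement leaf (rotation under way)"
CERT_PROXY = b"CONSTRUCTED-DER: bank.example leaf re-signed by an intercepting proxy"

SAMPLE_OBSERVATIONS = (
    [Observation("bank.example", fingerprint(CERT_A), f"vantage-{i}") for i in range(5)]
    # the same single vantage point reporting CERT_B twice still counts once
    + [Observation("bank.example", fingerprint(CERT_B), "vantage-9")] * 2
)


if __name__ == "__main__":
    for label, der in (("A", CERT_A), ("B", CERT_B), ("proxy", CERT_PROXY)):
        print(label, check_certificate("bank.example", der, SAMPLE_OBSERVATIONS))
    print("other", check_certificate("other.example", CERT_A, SAMPLE_OBSERVATIONS))
```

In a real client the DER bytes come from the established connection (Python's `ssl.SSLSocket.getpeercert(binary_form=True)` returns exactly that), and the observation log would be fetched from a shared observatory rather than constructed inline. A "mismatch" verdict is the signal the thread is asking for: it does not prove interception on its own, but it is the case a user-facing warning should be raised on before any credentials are sent.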