[Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
Michael Richardson
mcr at sandelman.ca
Thu Jan 10 07:44:47 PST 2013
>>>>> "dpreed" == dpreed <dpreed at reed.com> writes:
dpreed> However, it points out that there is a man-in-the-middle
dpreed> problem with HTTPS alone. Your phone's browser should be
dpreed> checking the certificates more rigorously than it does. It
dpreed> can do that quite easily, and I think the destination can do
dpreed> that in JavaScript that comes with the pages.
The problem is that you have to trust someone, and in this case, if you
have a Nokia phone (I guess, a Windows phone), then you have to trust
it. The browser could lie to the JavaScript just as easily.

BTW: Microsoft lets one force new trusted root CAs into desktops via
Active Directory "group policy", and they've been doing this exact thing
for years in order to enable "virus scanning".
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [