[Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed

Michael Richardson mcr at sandelman.ca
Thu Jan 10 10:44:47 EST 2013


>>>>> "dpreed" == dpreed  <dpreed at reed.com> writes:
    dpreed> However, it points out that there is a man-in-the-middle
    dpreed> problem with HTTPS alone.  Your phone's browser should be
    dpreed> checking the certificates more rigorously than it does.  It
    dpreed> can do that quite easily, and I think the destination can do
    dpreed> that in Javascript that comes with the pages. 

The problem is that you have to trust someone, and in this case, if you
have a Nokia phone (I guess, a Windows phone), then you have to trust
it.  The browser could lie to the Javascript just as easily.

BTW: Microsoft lets one force new trusted root CAs into desktops via
Active Directory "group policy", and they've been doing this exact thing
for years in order to enable "virus scanning".

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
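
The group-policy mechanism mentioned in the message above can be audited from the endpoint. As an added example (not part of the original message), this PowerShell lists the root CAs that reached the machine trust store through Group Policy or Active Directory enterprise publication; the registry paths are the standard Windows locations for those physical stores, and the variable names are this example's own.

```powershell
# Registry locations backing two physical stores of the machine Root store.
# Subkeys under each path are named by certificate thumbprint.
$stores = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    Enterprise  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# Index the effective (merged) machine Root store by thumbprint so each
# pushed root can be resolved to a subject and expiry date.
$byThumb = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root |
    ForEach-Object { $byThumb[$_.Thumbprint] = $_ }

$report = foreach ($name in $stores.Keys) {
    $path = $stores[$name]
    if (-not (Test-Path -Path $path)) { continue }   # nothing deployed this way

    foreach ($key in Get-ChildItem -Path $path) {
        $thumb = $key.PSChildName.ToUpperInvariant()
        $cert  = $byThumb[$thumb]
        [pscustomobject]@{
            Source     = $name
            Thumbprint = $thumb
            Subject    = if ($cert) { $cert.Subject } else { '(not in effective store)' }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

if ($report) {
    # Each row is a root this machine trusts because the domain said so.
    $report | Sort-Object Source, Subject | Format-Table -AutoSize
} else {
    'No root CAs deployed via Group Policy or enterprise publication.'
}
```

Any root listed here can issue certificates the machine's browsers will accept for any HTTPS site, which is what makes the interception described in the message invisible to the user.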
	


