[Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed
maciej at soltysiak.com
Thu Jan 10 11:50:08 EST 2013
On Thu, Jan 10, 2013 at 3:58 PM, <dpreed at reed.com> wrote:
> I'm curious if they have data about how much compression they are
> achieving? Most HTTPS servers are set up by people who use quite a bit of
> compression in the payload (gzip of web pages, etc, "minification" of
> the average.
My finger in the air suggests that it is no more than 30% on average. Is it
worth it? If it's up to 1/3 of more media time available for other stations
to send data, perhaps it is.
> However, it points out that there is a man-in-the-middle problem with
> HTTPS alone. Your phone's browser should be checking the certificates more
> rigorously than it does. It can do that quite easily, and I think the
Hmm, wouldn't something like HTTPS Everywhere + SSL Observatory help here?
It should detect the certs are different than what they've been seen by
> "We don't look" is not a defense in the EU privacy regime, and probably
> not in the US one (though many US Senators think that ISP's looking at
> content is just fine).
You are right. There's a different angle than privacy here too. A one that
users should be able to understand better. Such a phone might also be a
security threat. Maybe Nokia don't do anyting with except compression, but
malicious code knowing this might steer the compromised
browser+dodgy_cert+phone to rob you of money in your bank.
> ---Original Message-----
> From: "Maciej Soltysiak" <maciej at soltysiak.com>
> Sent: Thursday, January 10, 2013 9:46am
> To: cerowrt-devel at lists.bufferbloat.net
> Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to
> improve speed
> Have a look at what corporations resort to when they're in need of
> serious debloating and things like TCP Fast Open? :-|
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Cerowrt-devel