<div class="gmail_quote">On Thu, Jan 10, 2013 at 3:58 PM, <span dir="ltr"><<a href="mailto:dpreed@reed.com" target="_blank">dpreed@reed.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><font face="times new roman">
<p style="PADDING-BOTTOM:0px;MARGIN:0px;PADDING-LEFT:0px;PADDING-RIGHT:0px;PADDING-TOP:0px">I'm curious if they have data about how much compression they are achieving? Most HTTPS servers are set up by people who use quite a bit of compression in the payload (gzip of web pages, etc, "minification" of javascript), so I would hypothesize that the actual savings are minimal on the average.</p>
</font></blockquote>
<div>My finger in the air suggests that it is no more than 30% on average. Is it worth it? If it's up to 1/3 of more media time available for other stations to send data, perhaps it is.</div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><font face="times new roman">
<p style="PADDING-BOTTOM:0px;MARGIN:0px;PADDING-LEFT:0px;PADDING-RIGHT:0px;PADDING-TOP:0px">However, it points out that there is a man-in-the-middle problem with HTTPS alone. Your phone's browser should be checking the certificates more rigorously than it does. It can do that quite easily, and I think the destination can do that in Javascript that comes with the pages.</p>
</font></blockquote>
<div>Hmm, wouldn't something like HTTPS Everywhere + SSL Observatory help here? It should detect the certs are different than what they've been seen by other users.</div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><font face="times new roman"><font face="times new roman">
<p style="PADDING-BOTTOM:0px;MARGIN:0px;PADDING-LEFT:0px;PADDING-RIGHT:0px;PADDING-TOP:0px">"We don't look" is not a defense in the EU privacy regime, and probably not in the US one (though many US Senators think that ISP's looking at content is just fine).</p>
</font></font></blockquote>
<div>You are right. There's a different angle than privacy here too. A one that users should be able to understand better. Such a phone might also be a security threat. Maybe Nokia don't do anyting with except compression, but malicious code knowing this might steer the compromised browser+dodgy_cert+phone to rob you of money in your bank.</div>
<div> </div>
<div> </div>
<div> </div>
<div>Maciej</div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><font face="times new roman">
<div>
<div class="h5">
<p style="PADDING-BOTTOM:0px;MARGIN:0px;PADDING-LEFT:0px;PADDING-RIGHT:0px;PADDING-TOP:0px">---Original Message-----<br>From: "Maciej Soltysiak" <<a href="mailto:maciej@soltysiak.com" target="_blank">maciej@soltysiak.com</a>><br>
Sent: Thursday, January 10, 2013 9:46am<br>To: <a href="mailto:cerowrt-devel@lists.bufferbloat.net" target="_blank">cerowrt-devel@lists.bufferbloat.net</a><br>Subject: [Cerowrt-devel] Nokia decrypts user's HTTPS to compress to improve speed<br>
<br></p>
<div>
<div><a href="http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking" target="_blank">http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking</a></div>
<div></div>
<div>Have a look at what corporations resort to when they're in need of serious debloating and things like TCP Fast Open? :-|</div>
<div></div>
<div>Regards,</div>
<div>Maciej</div></div></div></div></font></blockquote></div><br>