Redirection and decryption of mobile traffic: Is your browser a MitM?

By design, certain mobile web browsers send HTTPS-encrypted traffic to their home servers first. Michael Kassner finds out why, and what it means to each of us.

If you think HTTPS traffic from your mobile web browser travels unaltered, and safely encrypted all the way to the remote web server you requested information from, don't be so sure. Opera Mini developers were asked:

Is there any end-to-end security between my handset and - for example - paypal.com or my bank?

The answer:

Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the webpage. Therefore no end-to-end encryption between the client and the remote web server is possible.

To rule out any doubt:

If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.

Just to be clear, "end-to-end encryption," in this case, means the HTTPS (encrypted) traffic travels to the remote web server, a bank for example, unhampered (not decrypted along the way).

I don't use any of Opera's web browsers. I'll be honest, even if I did use Opera, I would not have known about the redirection. I only started checking what mobile web browsers were doing after a colleague informed me the tech press crucified Nokia for doing something similar.

How it started

The upheaval about mobile web browsers started when Gaurang Pandya, Infrastructure Security Architect at Unisys Global Services India, determined HTTP web-browser requests on his Nokia phone were unexpectedly redirected to Nokia servers. Gaurang explains on his personal blog site:

It has been noticed that internet browsing traffic, instead of directly hitting the requested server, is being redirected to proxy servers. They get redirected to Nokia/Ovi proxy servers if the Nokia browser is used and to Opera proxy servers if the Opera Mini browser is used.

Then Gaurang tried to sidestep the redirection:

I could not see any straightforward way to bypass this proxy setting and let my internet traffic pass through normally. This behavior is noticed regardless of whether the browsing is done through 3G or Wi-Fi network connections.

Gaurang wasn't done; he decided to see if the same applied to HTTPS web-browser requests. He found his answer, posting his findings in this blog post:

[I]t is evident that Nokia is performing a Man In The Middle Attack for sensitive HTTPS traffic originated from their phone, and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information, or anything that is sensitive in nature.

Needless to say, Gaurang's comments garnered a great deal of attention. The blog post received 10,000 views in the first 24 hours, and currently has 20 pages of comments debating whether redirecting traffic could "officially" be called a Man in the Middle attack or not. I'll get to that later. Right now, I'd like to focus on the comment by Mark Durant, Nokia Communications:

We take the privacy and security of our consumers and their data very seriously. The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans. Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner.

This confirmation by Nokia virtually silenced those disagreeing with Gaurang's results.

Why do it?

Why go through all this? The developers had to know there would be pushback from people concerned about privacy. As alluded to in the above quote, it's all about reorganizing the web page for speed and viewing on a mobile device. The question then becomes: what does a Man in the Middle attack, a proxy redirection, or whatever you want to call it, have to do with improving the mobile web browsing experience?

Mobile web browsers are not as powerful as the ones installed on computers. To help, Nokia and Opera shift most of the rendering work from the mobile web browser to the browser vendor's home servers, which, after optimizing the web page code, send the web page information back to the mobile web browser for viewing.

The problem arises when the traffic from the mobile web browser is encrypted (HTTPS): the Nokia or Opera servers are then unable to manipulate the web page response. So, Nokia and Opera have altered their mobile web browsers to set up the encrypted link to their own servers instead. That is, the HTTPS traffic we see is HTTPS traffic Nokia and Opera can decrypt, because they hold the keys for that connection.

It might help to look at one of Gaurang's tests. He was watching what happened when his Nokia mobile web browser sent out a website request for Google.com.

Here are the steps:

  • Mobile web browser attempts to connect to https://www.google.com.
  • Connection is redirected to https://cloud13.browser.ovi.com (Nokia server as seen in the above slide).
  • The mobile web browser receives a valid HTTPS certificate for cloud13.browser.ovi.com, not Google.com.
  • The server behind cloud13.browser.ovi.com makes a connection to https://www.google.com, acting as the mobile web browser by proxy.
  • Nokia's server replicates requests, and replies between the mobile web browser and Google.com.

One way to look at it: there are two distinct encryption processes taking place, one between the mobile web browser and the Nokia server, and one between the Nokia server and the remote site. The issue then becomes whether we are comfortable with Nokia, Opera, or whichever mobile web browser developer intercedes having the ability to do whatever they want with what we consider sensitive information. Otherwise, why would we be using HTTPS encryption at all?
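The hostname check that exposes the substitution described in the steps above, as an added example (not from the article or from Gaurang's tests): it reads certificates in the layout Python's `ssl.SSLSocket.getpeercert()` returns and reports whether the name the user actually requested is covered. Both certificates are constructed for illustration; the proxy one carries the cloud13.browser.ovi.com name the article reports, the other stands for a direct connection to Google.

```python
# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(); they are illustrative, not captured data.
PROXY_CERT = {  # what the article says the Nokia browser received
    "subject": ((("commonName", "cloud13.browser.ovi.com"),),),
    "subjectAltName": (("DNS", "cloud13.browser.ovi.com"),),
}
DIRECT_CERT = {  # what an end-to-end connection to Google would present
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
}


def cert_hostnames(peercert):
    """DNS names the certificate is valid for: subjectAltName entries,
    falling back to the subject commonName only when no SAN is present."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]


def name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a leading '*.' that
    covers exactly one label (*.google.com matches www.google.com but
    neither google.com nor a.b.google.com)."""
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def terminated_by_intermediary(requested_host, peercert):
    """True when the certificate the client received does not cover the host
    the user asked for, i.e. the TLS session ends at a proxy, not the site."""
    return not any(name_matches(n, requested_host) for n in cert_hostnames(peercert))


if __name__ == "__main__":
    for label, cert in (("proxy", PROXY_CERT), ("direct", DIRECT_CERT)):
        print(label, "intermediary:", terminated_by_intermediary("www.google.com", cert))
```

A browser that performs this comparison refuses the proxy's certificate outright; the transcoding browsers described here avoid that by deliberately connecting to the vendor's hostname rather than the requested one.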

Workarounds

I've been trying to determine which mobile web browsers use this approach, but wading through privacy policies and contacting the developers is slow going. For now, the best approach may be to assume that any mobile web browser that displays HTTP, and particularly HTTPS, web pages differently than a computer browser does should be suspect.

I already use a proxy service with my computer and mobile devices, so I believe I unknowingly have been avoiding this issue. This may be an alternative solution for those who are concerned about sensitive information being controlled by yet another organization.

Final thoughts

I should have been aware of HTTPS traffic redirection. I've written two articles, "Ashkan Soltani introduces MobileScope, an innovative approach to online privacy" and "Find out which mobile apps are stealing your identity," where both featured applications employed redirection techniques.

I also wanted to mention Gaurang has an update on his blog, stating Nokia still uses HTTPS proxy redirection, but no longer employs MitM technology, a good sign they listened. I was asked why Nokia was getting so beat up about using redirection, and not Opera. I would have to say it is because Opera was up front about it, and Nokia was not.

I'd like to end with a quote from Bruce Schneier, well-known security expert:

This is an area where security concerns are butting up against other issues. Nokia's answer, which is basically 'trust us, we're not looking at your data,' is going to increasingly be the norm.

I want to thank Gaurang for his research, and allowing me to use quotes and slides from his blog site.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

10 comments
jack.h.reynolds

... and I very much appreciate the fact that you brought this issue to people's attention. I spend much of my time working on security issues, who doesn't nowadays. Your news was more than surprising to me at least, I would never have guessed that a Vendor or Carrier would have taken such a responsibility onto themselves. I will be buying a Windows Phone sometime later this month and Nokia is no longer on my shopping list. Thank you

jack.h.reynolds

I believe the original assertion was correct. They accomplish this in precisely the same manner that a 'Man In The Middle' attack is implemented. They do this to realize efficiencies, so my expectation is that in time with faster processors and increased bandwidth, the need will disappear completely. You'd hope that in the interim, people would be permitted to choose what's most important to them,... security or efficiency.

jack.h.reynolds

The fact that Nokia trusts itself doesn't mean anything to me. If my right to privacy was ignored in this fashion, then Nokia could trust that my account would be closed within minutes.

HAL 9000

Kind of cutting off your nose to spite your face, that attitude. If it was just Nokia involved that would be fine, but here it appears to be every Browser which speeds up and optimizes web content for the smaller screens of the Smart Phones. So if your browser on the Smart Phone changes the web site to suit your device and save you money, you are affected by the same problem. Doesn't really matter what OS is being used here, what Browser or the Maker of the Phone. So refusing to buy 1 brand specifically because you don't like what will be done in the version of IE on your Windows Phone seems to me at least to be a silly idea when it's going to happen exactly the same on another brand with the same OS. But maybe I'm just missing your point somehow. ;) Col

Michael Kassner

My point is that hardly anyone that I talked to was aware of this. I certainly wasn't.

Michael Kassner

More and more companies are pushing this sentiment -- Facebook comes to mind. It will be interesting to see where this ends up.

HAL 9000

Does this just revolve around Nokia or every Mobile Web Browser which makes it cheaper for you to use? Doesn't matter about Nokia itself, but if you use that type of Browser you are giving your information to someone unencrypted, and most likely without knowing. Col

Michael Kassner

I guess they are waiting and seeing what the outcome will be. Nokia is responding, and they need to. I have read they are not doing that well business-wise.

Michael Kassner

If one follows the logic, any web browser that alters their HTTP/HTTPS feed for mobile devices would have to somehow account for the differences in screen size and other parameters. The simplest way is to act as a MitM. If I understand what Nokia is doing now, they are tunneling the HTTPS inside HTTP. I believe that is another way, but I am no expert on this.

HAL 9000

Which wasn't all that popular with customers till 8 was released, maybe. Even now I'm not sure just how well Windows 8 Phones are selling, but it's most definitely an improvement on the CE thing that was available previously. Where Nokia has an issue is their tie-in with Microsoft and their refusal to adopt any other Operating System for their devices. To my mind it sort of limits their potential customers, but then again I suppose if someone wants a Windows Phone they also have very limited options: either Nokia or a very limited range of Lower End Devices. As things currently stand I'm under the impression that the Lumia is currently the only High End Windows Phone available, so it should be a good seller for the small % of the market who want Windows Phones. As 8 is still so new, Nokia sales may increase, but that all depends on how well Windows 8 is accepted by the Phone users. As things stand, both the HTC and Samsung 8 Phones are not beating the Market to Death with their sales over the Droid Devices from the same makers. ;) Col