SitePoint Sponsor

User Tag List

Results 1 to 11 of 11
  1. #1
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)

    No, Nokia. Bad Nokia. Bad.

    http://gigaom.com/2013/01/10/nokia-y...orry-about-it/

    Title says it all. It's ok that these browsers on Nokia decrypt HTTPS, because they need to for proxy-proxy... but I mean, then inform your users about it.

  2. #2
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    I don't understand the technical side of all this, but what really bothers me is that these parties can decrypt data sent over https. Doesn't that mean that https is not secure and that it's a waste of time?

  3. #3
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    No. The decryption is necessary if you want proxy-compression of HTTPS requests. Opera Mini is a proxy browser: everything you request goes through one of their servers (meaning, they know your every request and could read all of it) so those servers can do some compression and save you bandwidth. Sometimes only HTTP will get compressed, but here Nokia's browser will compress everything for you, including HTTPS. The issue isn't so much that they do it, but that this is a default browser and doesn't say this very obviously to users.

    If you trust that proxy, then you'd be as secure as before, though I suppose every time you add a party to a communication line, you increase security risks.

  4. #4
    SitePoint Enthusiast
    Join Date
    Dec 2007
    Posts
    33
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The next question would be, how secure are their servers and how long before they are hacked and passwords, credit card numbers etc, are hijacked?

  5. #5
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    Exactly. I suppose any proxy browser has this extra security issue. Also of course how much you trust the proxy machine owners themselves.

  6. #6
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    As I'm sure we each understand, this practice is never secure. Most proxies have decent security but not total security. If their proxy services are breaking down HTTPS data then all of this data is insecure. I will not use opera to do anything secure, nor will I use skyfire. If I can shut the compression off for fast browsing I'll have to look into if the HTTPS data is kept intact.

    This is troubling.
    ictus==""

  7. #7
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    Some proxy browsers only do HTTP, while others do both HTTP and HTTPS. You could choose which one you want.

    Quote Originally Posted by server
    I will not use opera to do anything secure
    It's not all Operas, it's specifically Mini. Plus any other Operas where you've chosen to turn on Turbo.

    Not that Opera matters anymore, seeings how they are gone gone gone. They are webkit now. The monoculture is now almost complete.

  8. #8
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    Combining compression with encryption: offtopic but interesting https://bugzilla.mozilla.org/show_bug.cgi?id=779413

    This is referring to the HTTP "replacement" SPDY, developed by two dudes at teh googles. HTTP2 guys are now looking at something else for solving the compression problem because of these discovered these vulnerabilities.

  9. #9
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Quote Originally Posted by Stomme poes View Post
    Some proxy browsers only do HTTP, while others do both HTTP and HTTPS. You could choose which one you want.


    It's not all Operas, it's specifically Mini. Plus any other Operas where you've chosen to turn on Turbo.

    Not that Opera matters anymore, seeings how they are gone gone gone. They are webkit now. The monoculture is now almost complete.
    Thanks... Then I'll be sure to turn off Turbo. Pisses me off though I wish they weren't gone, gone, gone as I liked them, but don't rely on them much any more
    ictus==""

  10. #10
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Quote Originally Posted by Stomme poes View Post
    Combining compression with encryption: offtopic but interesting https://bugzilla.mozilla.org/show_bug.cgi?id=779413

    This is referring to the HTTP "replacement" SPDY, developed by two dudes at teh googles. HTTP2 guys are now looking at something else for solving the compression problem because of these discovered these vulnerabilities.
    @Stomme poes ; thanks for this interesting [ot] as it is interesting how one can exploit these vulnerabilities. Not so hard to exploit really!
    ictus==""

  11. #11
    SitePoint Wizard Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,283
    Mentioned
    51 Post(s)
    Tagged
    2 Thread(s)
    No, it's neat how it's just a wee bit of python!


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •