Does Nokia SSL decryption raise security concerns for enterprises?

In light of the revelation that Nokia decrypts HTTPS data using SSL decryption on its Lumia and Asha devices, I was wondering if other mobile device manufacturers do the same thing, and how great a security threat it poses. Should organizations reconsider supporting Nokia devices, including its latest Windows Phone 8 line, as part of bring-your-own-device policies?

Ask the expert

Have a question about network security for expert Brad Casey? Send it via email today! (All questions are anonymous.)

Answer

To briefly recap, according to an independent researcher, Nokia essentially conducts a "man-in-the-middle" attack on Nokia Browser Web traffic, decrypting it in a way that gives Nokia access to users' plaintext data. In a nutshell, the Nokia browser routes all HTTPS traffic through Nokia-owned proxy servers, which terminate the TLS connection: the proxy decrypts the traffic and then, according to Nokia, re-encrypts it over its own connection to the intended destination. Nokia, however, has downplayed the findings, claiming its HTTPS decryption is minimally invasive and done only to speed up the loading of Web pages.

As of right now, no other mobile device is known to completely decrypt SSL traffic the way Nokia does. However, if your mobile device uses Opera Mini, a partial form of the same thing happens. Opera Mini is a proxy browser: pages are fetched and rendered on Opera's servers and delivered to the handset as Opera Binary Markup Language (OBML) rather than HTML, so HTTPS pages are necessarily decrypted on Opera's servers before being re-encoded for the device.

So, what type of security threat does this sort of device-maker-sanctioned man-in-the-middle attack pose? I don't think there's a cut-and-dried answer. From what I understand, Nokia did not fully disclose how it handles SSL traffic in its privacy statement; if this is true, it certainly deserves the criticism and should clarify its privacy statement. Beyond that, the security threat is relative.

I can see why some would take a cynical view of Nokia's response, and I completely understand the tendency to distrust. However, I would argue that anyone who engages in any type of e-commerce has to trust that the people on the server side who are processing credit card information will not act dishonestly. This same type of trust must be extended toward Nokia if your organization decides to allow Nokia devices in the enterprise. The most skeptical among us could perhaps theorize a way in which Nokia's servers would be compromised and hence an attacker could obtain unencrypted enterprise data via Nokia -- but frankly, targeted attackers have easier ways to go after what they want. In short, I wouldn't worry about this one.
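The interception described in the answer succeeds only because the Nokia Browser accepts the certificate the proxy presents in place of the origin server's. A client that pins the origin's public key, rather than trusting whatever chain the device's trust store accepts, refuses the proxy's certificate and so detects the man-in-the-middle. The Go program below is an added example, not code from the original page, Nokia or Opera: it simulates the scenario on loopback by minting two self-signed certificates for the constructed hostname "origin.example" (one standing in for the origin, one for an intercepting proxy), pinning the origin's SPKI hash, and showing that the direct handshake passes the pin while the handshake against the proxy fails with the pin error. The function names, ErrPinMismatch and the hostname are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// ErrPinMismatch: the leaf certificate shown to the client is not the pinned one.
var ErrPinMismatch = errors.New("leaf SPKI does not match pin: possible TLS interception")

// selfSigned mints throw-away self-signed material for name (constructed for this example only).
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// SPKIPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the value
// HPKP-style pins compare against; pinning the key survives renewals that keep the same key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedConfig ignores the CA chain (an interceptor may hold a root the device trusts)
// and instead requires the presented leaf's SPKI hash to equal pin.
func pinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain check replaced by the pin check below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0]) // handshake already rejects an empty chain
			if err != nil {
				return err
			}
			if SPKIPin(leaf) != pin {
				return ErrPinMismatch
			}
			return nil
		},
	}
}

// HandshakeAgainst serves one TLS handshake on loopback with serving and dials it with a
// client pinned to pin. It returns the client's handshake error (nil when the pin matched).
func HandshakeAgainst(serving tls.Certificate, pin string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serving}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // fails when the client rejects us; expected
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedConfig(pin))
	if err != nil {
		return err
	}
	return conn.Close()
}

// InterceptionDetected models the page's scenario: the client pins the origin's key, then is
// silently connected to a proxy presenting its own certificate for the same hostname.
func InterceptionDetected() (bool, error) {
	origin := selfSigned("origin.example") // hypothetical origin host
	proxy := selfSigned("origin.example")  // interceptor forges the same name
	pin := SPKIPin(origin.Leaf)
	if err := HandshakeAgainst(origin, pin); err != nil {
		return false, err // the direct connection must pass the pin
	}
	return errors.Is(HandshakeAgainst(proxy, pin), ErrPinMismatch), nil
}
```

Call InterceptionDetected from a main or a test; it returns true when the pin rejects the proxy's certificate. The same VerifyPeerCertificate hook is how an enterprise app on a BYOD handset would refuse to talk through a vendor proxy, at the price of shipping an updated pin whenever the origin rotates its key.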

This was first published in October 2013
