Nokia confirmed to GigaOM that its XpressBrowser decrypts HTTPS traffic when these requests pass through their servers from an rom an Asha or Lumia handset. Despite a report pointing out the problems with this practice, Nokia claims there is no need for concern.
According to GigaOM, Indian security researcher Gaurang Pandya of Unisys Global Services detailed in two blog posts how he discovered this decryption. He writes:
“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”
After these reports made headlines, Nokia provided GigaOM with a statement that confirmed it exposes this encrypted stream to hasten the passage of data through its servers. Nokia doesn’t look at the data that is exposed and this decryption is done in a secure manner.
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.
“Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”
The Finnish company doesn’t plan to change its practice, but it would review the information it provides to the user to make sure it is up front about this on-the-fly decryption.