The fast-loading default
browser used on most Nokia mobile handsets, including its ‘Asha’ range,
appears to be a double-edged sword.
While
the ‘Xpress’ browser is quick and used on resource-constrained devices
that cannot run a full-fledged web browser, it appears that it decrypts
data that flows through its ‘HTTPS’ connections – giving the company the
ability to peep at connections set up for banking sessions, encrypted
email and the like.
“From
the tests that were performed, it is evident that Nokia is performing a
‘man in the middle attack’ for sensitive HTTPS traffic originating from
their phone – and, hence, they have access to information which could
include user credentials to various sites such as banking and social
networking,” said Gaurav Pandya, a security analyst at Unisys Global
Services India.
Nokia,
in a statement, has rejected claims that it might be spying on
its users’ encrypted Internet traffic, but admitted that it temporarily
decrypts secure HTTPS connections for the benefit of customers.
“The
compression that occurs within the browser means that users can get
faster web browsing. When temporary decryption of HTTPS connections is
required by our proxy servers, it is done in a secure manner. Claims
that we would access complete unencrypted information are inaccurate,” a
company spokesperson said.