On 7/01/13 14:33 PM, ianG wrote:
On 7/01/13 13:25 PM, Ben Laurie wrote:
This is a bizarre statement in the face of Diginotar.
http://wiki.cacert.org/Risk/History shows no real correlation in
attacks. There are many many possible attacks, so...
Just on that theme of multiple attacks from different vectors leading to
questions at the systemic level, another certificate failure just got
posted on slashdot:
http://mobile.slashdot.org/story/13/01/09/1910210/nokia-redirecting-traffic-on-some-of-its-phones-including
"On Wednesday, security professional Gaurang Pandya outlined how Nokia
is hijacking Internet browsing traffic on some of its phones. As a
result, the company technically has access to all your Internet content,
including sensitive data that is sent over secure connections (HTTPS),
such as banking credentials and pretty much any other usernames and
passwords you use to login to services on the Internet. Last month,
Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a
proxy, instead of directly hitting the requested server. The connections
are either redirected to Nokia/Ovi proxy servers if the Nokia browser is
used, and to Opera proxy servers if the Opera Mini browser is used (both
apps use the same User-Agent)."
Which Nokia apparently admits:
"When temporary decryption of HTTPS connections is required on our proxy
servers, to transform and deliver users’ content, it is done in a secure
manner."
http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
Pictures above seem to indicate VeriSign as the CA, but whether that
means they know about the MITMing is not clear.
iang
Maybe they aren't the attackers that interest you, but they are
certainly attackers.
... when there are too many possible attacks, and they keep happening,
attention switches to the architecture, not the attacker.
(Is his focus.)
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
