stomme_poes — 2013-02-08T06:40:11-05:00 — #1
Title says it all. It's ok that these browsers on Nokia decrypt HTTPS, because they need to for proxy-proxy... but I mean, then inform your users about it.
ralphm — 2013-02-08T23:18:03-05:00 — #2
I don't understand the technical side of all this, but what really bothers me is that these parties can decrypt data sent over https. Doesn't that mean that https is not secure and that it's a waste of time?
stomme_poes — 2013-02-09T10:40:14-05:00 — #3
No. The decryption is necessary if you want proxy-compression of HTTPS requests. Opera Mini is a proxy browser: everything you request goes through one of their servers (meaning, they know your every request and could read all of it) so those servers can do some compression and save you bandwidth. Sometimes only HTTP will get compressed, but here Nokia's browser will compress everything for you, including HTTPS. The issue isn't so much that they do it, but that this is a default browser and doesn't say this very obviously to users.
If you trust that proxy, then you'd be as secure as before, though I suppose every time you add a party to a communication line, you increase security risks.
winagain — 2013-02-09T13:39:44-05:00 — #4
The next question would be, how secure are their servers and how long before they are hacked and passwords, credit card numbers etc, are hijacked?
stomme_poes — 2013-02-10T05:35:56-05:00 — #5
Exactly. I suppose any proxy browser has this extra security issue. Also of course how much you trust the proxy machine owners themselves.
serverstorm — 2013-02-12T23:31:09-05:00 — #6
As I'm sure we each understand, this practice is never secure. Most proxies have decent security but not total security. If their proxy services are breaking down HTTPS data then all of this data is insecure. I will not use opera to do anything secure, nor will I use skyfire. If I can shut the compression off for fast browsing I'll have to look into if the HTTPS data is kept intact.
This is troubling.
stomme_poes — 2013-02-13T05:43:46-05:00 — #7
Some proxy browsers only do HTTP, while others do both HTTP and HTTPS. You could choose which one you want.
It's not all Operas, it's specifically Mini. Plus any other Operas where you've chosen to turn on Turbo.
Not that Opera matters anymore, seeings how they are gone gone gone. They are webkit now. The monoculture is now almost complete.
stomme_poes — 2013-02-13T09:49:58-05:00 — #8
Combining compression with encryption: offtopic but interesting https://bugzilla.mozilla.org/show_bug.cgi?id=779413
This is referring to the HTTP "replacement" SPDY, developed by two dudes at teh googles. HTTP2 guys are now looking at something else for solving the compression problem because of these discovered these vulnerabilities.
serverstorm — 2013-02-13T13:15:59-05:00 — #9
Thanks... Then I'll be sure to turn off Turbo. Pisses me off though :eek: I wish they weren't gone, gone, gone as I liked them, but don't rely on them much any more
serverstorm — 2013-02-13T13:23:29-05:00 — #10
@Stomme_poes ; thanks for this interesting [ot] as it is interesting how one can exploit these vulnerabilities. Not so hard to exploit really!
stomme_poes — 2013-02-13T14:33:35-05:00 — #11
No, it's neat how it's just a wee bit of python!