HTTPS interception in Nokia's mobile browser

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 19:33 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
In reply to: HTTPS interception in Nokia's mobile browser by nim-nim
Parent article: HTTPS interception in Nokia's mobile browser

> ROTFL. The biggest thing that happened Internet-side those past years are smartphones, and if you think ISPs let them connect to the Internet without proxyfication
Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years ago, but now almost nobody uses them. And I worked as a network engineer in a telecom company (a while ago). Proxying breaks too much stuff for too little benefit and besides the limit right now is the air interface, not the backbone networks.

> Besides: mail already works hop-to-hop. I don't see the defenders of https purity complain smtps and imaps are unsecure
Transparently doing smtps proxying would be.



HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 20:20 UTC (Mon) by nim-nim (subscriber, #34454)

> Actually, they do. TCP/HTTP proxies used to be all the rage about 5 years
> ago, but now almost nobody uses them. And I worked as a network engineer
> in a telecom company (a while ago). Proxying breaks too much stuff for
> too little benefit and besides the limit right now is the air interface,
> not the backbone networks.

The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)

> Besides: mail already works hop-to-hop.

>> I don't see the defenders of https purity complain smtps and imaps are
>> unsecure
> Transparently doing smtps proxying would be.

No one legitimate would do https proxying transparently if there was another choice. People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works every day with smtps (an smtp relay is just a mail proxy under another name).

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 21:54 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

>The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)
Yup, and provider-level proxying doesn't do a squat in these cases.

>Besides: mail already works hop-to-hop.
And interhop transport is definitely not proxied.

>No one legitimate would do https proxying transparently if there was another choice.
There is another choice - secure your damn endpoints and stop pretending that an edge-level firewall can protect against anything more trivial than an employee browsing Facebook.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:41 UTC (Tue) by nim-nim (subscriber, #34454)

>> The air interface also benefits from more compact traffic (see why Nokia
>> or Opera set up their system, see why Google is working on SPDY now)
> Yup, and provider-level proxying doesn't do a squat in these cases.

Please explain why. Because there is zip technical difference between

website (badly optimized traffic)→ Akamai → smartphone and
website (badly optimized traffic)→ proxy → smartphone

> There is another choice - secure your damn endpoints

Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar. The best you can do is to try to secure them, and that includes securing their network accesses too (which is infinitely easier as there are fewer nodes to take care of, and they don't have end-users connecting locally).

>> Besides: mail already works hop-to-hop.
> And interhop transport is definitely not proxied.

Do you realise how meaningless your sentence is? You can't have an intermediary without another hop.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 17:21 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

>Please explain why. Because there is zip technical differences between
Then perhaps you should study networking? Nokia's browser (and Opera Mini) decompress traffic using specifically modified client. They do NOT need (or want) proxies on the provider level.

> Anyone who pretends he is able to secure thousands of endpoints (especially end-user endpoints where the user will actively work against any securing to get the latest shiny stuff) is a damn liar.
And anyone who presents an edge firewall as something except a window dressing is a fraudster.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 18:42 UTC (Tue) by nim-nim (subscriber, #34454)

The 'specially modified client' just plugs into a proxy that compresses the traffic before hitting the air interface. As do all the spdy-capable proxies which are starting to hit the market. So what is your point exactly?

HTTPS interception in Nokia's mobile browser

Posted Jan 28, 2013 22:44 UTC (Mon) by anselm (subscriber, #2796)

> People condemning transparent https proxying also refuse to give another choice (because that would be 'unsecure') even while the other choice works everyday with smtps (an smtp relay is just a mail proxy under another name)

If you want mail that is end-to-end secure you need something along the lines of PGP or S/MIME, which happens in the MUA and amounts to HTTPS. The hop-by-hop »proxying« that SMTP servers do does nothing for message security because, even with SMTP-over-TLS (SMTPS is no longer a thing), while the traffic between the various servers may be encrypted the messages are processed and queued on the servers themselves in clear text.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 9:48 UTC (Tue) by nim-nim (subscriber, #34454)

The point is, there is zero technical reason https could not follow the same security model as e-mail. That would make proxy MITM-ing unnecessary.

You send your traffic to the relay, it can inspect and modify it; if the relay operator wants to inspect it and you send an encrypted message, it can refuse to carry it; the rest is negotiation between the operator and you, no need for SSL breaking like on HTTPS.
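The two models argued over above (anselm's point that SMTP relays hold messages in clear between TLS hops, and nim-nim's point that a relay can simply refuse to carry a body it cannot inspect) can be made concrete. The following is an added example, not code from the thread or from any project it mentions: a toy XOR stream cipher stands in for TLS on each hop and for PGP/S/MIME on the body, and the relay names, keys and message text are constructed for the demonstration. It shows what each relay in a sender → relay1 → relay2 → recipient chain can read under hop-by-hop encryption versus end-to-end encryption, and what happens when a relay enforces a "refuse opaque bodies" policy.

```python
"""Hop-by-hop (relay) security versus end-to-end encryption, modelled.

Constructed example. toy_xor is NOT a real cipher; it only makes visible
who can read what at each hop. Chain: sender -> relay1 -> relay2 -> recipient.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed keys: one transport key per hop, one key shared end-to-end.
HOP_KEYS = {"sender->relay1": b"hop-key-01", "relay1->relay2": b"hop-key-12",
            "relay2->recipient": b"hop-key-23"}
RECIPIENT_KEY = b"bob-e2e-key"


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream. Applying it twice with the
    same key restores the input. Toy stand-in for TLS / PGP, not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    """One SMTP-style relay. in_key/out_key model per-hop transport encryption
    (SMTP-over-TLS); refuse_opaque models an operator policy of not carrying
    bodies it cannot inspect."""
    name: str
    in_key: bytes
    out_key: bytes
    refuse_opaque: bool = False
    seen_bodies: List[str] = field(default_factory=list)

    def forward(self, wire: bytes) -> Optional[bytes]:
        # Strip the transport layer: the relay now holds the envelope in clear,
        # exactly as it would sit in its mail queue on disk.
        envelope = json.loads(toy_xor(self.in_key, wire).decode())
        self.seen_bodies.append(envelope["body"])
        if envelope["e2e"] and self.refuse_opaque:
            return None  # policy: do not carry what we cannot read
        # Re-wrap for the next hop under that hop's transport key.
        return toy_xor(self.out_key, json.dumps(envelope).encode())


def build_chain(refuse_opaque: bool = False) -> List[Relay]:
    """Fresh two-relay chain so each run records only its own observations."""
    return [Relay("relay1", HOP_KEYS["sender->relay1"],
                  HOP_KEYS["relay1->relay2"], refuse_opaque),
            Relay("relay2", HOP_KEYS["relay1->relay2"],
                  HOP_KEYS["relay2->recipient"], refuse_opaque)]


def deliver(plaintext: str, relays: List[Relay], recipient_key: bytes,
            end_to_end: bool) -> dict:
    """Push one message through the chain; report what every party saw."""
    body = plaintext
    if end_to_end:
        # Sender encrypts the body for the recipient before hop 1 ever sees it.
        body = toy_xor(recipient_key, plaintext.encode()).hex()
    envelope = {"to": "bob@example.org", "e2e": end_to_end, "body": body}
    wire = toy_xor(relays[0].in_key, json.dumps(envelope).encode())
    refused_by = None
    for relay in relays:
        wire = relay.forward(wire)
        if wire is None:
            refused_by = relay.name
            break
    views = [r.seen_bodies[-1] if r.seen_bodies else None for r in relays]
    if refused_by:
        return {"delivered": False, "refused_by": refused_by, "relay_views": views}
    # Recipient strips the last hop's transport layer, then the e2e layer if any.
    final = json.loads(toy_xor(relays[-1].out_key, wire).decode())
    text = (toy_xor(recipient_key, bytes.fromhex(final["body"])).decode()
            if final["e2e"] else final["body"])
    return {"delivered": True, "refused_by": None, "relay_views": views,
            "recipient_reads": text}


if __name__ == "__main__":
    msg = "Q1 salary figures attached"  # constructed message
    print("hop-by-hop:", deliver(msg, build_chain(), RECIPIENT_KEY, False))
    print("end-to-end:", deliver(msg, build_chain(), RECIPIENT_KEY, True))
    print("e2e, refusing relay:",
          deliver(msg, build_chain(refuse_opaque=True), RECIPIENT_KEY, True))
```

With transport encryption only, both relays log the full plaintext; with end-to-end encryption they see only ciphertext yet can still route on the envelope, and a relay set to refuse opaque bodies bounces the message at the first hop rather than needing to break anything to read it. That is the trade the thread is describing: the relay operator's inspection ability and the user's confidentiality are decided by policy at the endpoints, not by interception in the middle.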

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:16 UTC (Tue) by khim (subscriber, #9252)

> The point is, there is zero technical reason https could not follow the same security model as e-mail.

Sure. That's why it works in exactly the same way: HTTPS does not care about intermediate steps. But if text is not signed by a correct key then it refuses to work. The same way as PGP and S/MIME always worked.

The only difference is that mail is send-and-forget thus it's harder to enforce S/MIME and/or PGP (if you refuse to read unencrypted mail then you often lose the important info). But still a lot of confidential docs where I work are sent encrypted so what's the difference between mail and HTTPS?

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:43 UTC (Tue) by nim-nim (subscriber, #34454)

It does not work exactly the same way.

With mail you can say 'you are on a restricted network, use smtp server foo as relay, everything else will be blocked' (and then the user can choose to use the relay or not, and the relay can choose to relay or not depending on its settings).

With http you have to MITM to get the same result.

HTTPS interception in Nokia's mobile browser

Posted Jan 29, 2013 13:49 UTC (Tue) by khim (subscriber, #9252)

> With http you have to MITM to get the same result.

If you don't want to open the encrypted message then a simple routing rule will be enough, and there are proxy autodiscovery mechanisms; if you do want to open the encrypted message then you must somehow convince me to replace the key in my PGP or S/MIME client - the same as with HTTPS.

So I can not see the difference. Well, except for one: you need to specify a relay for the mail, while a proxy can be autodiscovered. I don't think it is such a big difference.

HTTPS interception in Nokia's mobile browser

Posted Feb 7, 2013 19:44 UTC (Thu) by Jandar (subscriber, #85683)

> The air interface also benefits from more compact traffic (see why Nokia or Opera set up their system, see why Google is working on SPDY now)
> Besides: mail already works hop-to-hop.

Altering any data without consent is a criminal act in my country.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds