Open Source and information security mailing list archives
Message-ID: <CAH8yC8k03oeqVPoEWoWdhb6vs1RA-nE_wpt0LBAo0ohCA8sagg@mail.gmail.com>
Date: Fri, 7 Dec 2012 14:03:17 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Gaurang Pandya <gaubrig@...oo.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Nokia phone forcing traffic through proxy

On Fri, Dec 7, 2012 at 11:55 AM, Gaurang Pandya <gaubrig@...oo.com> wrote:
> It has been noticed that internet browsing traffic, instead of directly
> hitting requested server, is being redirected to proxy servers. They get
> redirected to Nokia/Ovi proxy servers if Nokia browser is used, and to Opera
> proxy servers if Opera Mini browser is used.
>
> More detailed info at:
> http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/
It sounds a lot like http://click-fraud-fun.blogspot.com/.

We know proxies can cause a lot of trouble in practice. For example,
http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html.

Proxies and data snatching are the reason to pin certificates when
using VPN and SSL/TLS if a pre-existing relationship exists (for
example, you know the host and its public key). Are you talking to a
Nokia/Ovi proxy, an interception proxy (perhaps enabled by Trustwave),
or the host expected during an SSL/TLS negotiation?

We now have a much better body of knowledge. It's too bad most browsers
don't offer the features for those who are security conscious. On
Android, Google went so far as to offer pinning as "opt-in" for sites:
http://groups.google.com/group/android-security-discuss/browse_thread/thread/f5898be7ee9abc48.

Jeff
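
The pinning check mentioned in the message above, as an added example (not code from the post or its author): it hashes the SubjectPublicKeyInfo of the certificate a peer presents and compares it with a pin recorded in advance, so a proxy's certificate is rejected even if it chains to a trusted CA. The certificate skeletons, key bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_pin(der_cert):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER X.509 certificate."""
    _, pos, _ = read_tlv(der_cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der_cert, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der_cert, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der_cert, pos)
    tag, _, end = read_tlv(der_cert, pos)      # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(der_cert[pos:end]).digest()).decode()

def peer_is_pinned_host(der_cert, pinned):
    """True only if the presented certificate carries a key we already know."""
    try:
        pin = spki_pin(der_cert)
    except (ValueError, IndexError):
        return False
    return any(hmac.compare_digest(pin, known) for known in pinned)

def der(tag, body=b""):
    """Tiny DER encoder for the constructed samples (bodies under 256 bytes)."""
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_cert(public_key, serial):
    """Constructed certificate skeleton: correct field order, no real signature."""
    spki = der(0x30, der(0x30) + der(0x03, b"\x00" + public_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))

HOST_KEY, PROXY_KEY = b"\x11" * 129, b"\x22" * 129  # constructed stand-in keys
PINNED = {spki_pin(sample_cert(HOST_KEY, 1))}  # recorded out of band beforehand
```

On a live connection the DER bytes come from `SSLSocket.getpeercert(binary_form=True)`, and the pin check runs in addition to normal chain and hostname validation. Because the pin covers the public key rather than the whole certificate, a renewed certificate for the same key still matches.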
