lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Dec 2012 18:39:04 +0100
From: Kim Henriksen <kh@...mp.at>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Nokia phone forcing traffic through proxy

Opera has done this for quite some time now. They translate and compresses
the website into their own language called OBML:
http://dev.opera.com/articles/view/opera-binary-markup-language/


On Fri, Dec 7, 2012 at 9:01 PM, Philip Whitehouse <philip@...uk.com> wrote:

> On 7 Dec 2012, at 19:03, Jeffrey Walton <noloader@...il.com> wrote:
>
> > On Fri, Dec 7, 2012 at 11:55 AM, Gaurang Pandya <gaubrig@...oo.com>
> wrote:
> >> It has been noticed that internet browsing traffic, instead of directly
> >> hitting requested server, is being redirected to proxy servers. They get
> >> redirected to Nokia/Ovi proxy servers if Nokia browser is used, and to
> Opera
> >> proxy servers if Opera Mini browser is used.
> >>
> >> More detailed info at :
> >> http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/
> > It sounds a lot like http://click-fraud-fun.blogspot.com/.
> >
> > We know proxies can cause a lot of trouble in practice. For example,
> >
> http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html
> .
> >
> > Proxies and data snatching are the reason to pin certificates when
> > using VPN and SSL/TLS if a pre-existing relationship exists (for
> > example, you know the host and its public key). Are you talking to an
> > Nokia/Ovi proxy, an Interception proxy (perhaps enabled by Trustwave),
> > or the host expected during a SSL/TLS negotiation?
> >
> > We now have a much better body of knowledge. Its too bad most browser
> > don't offer the features for those who are security conscious. On
> > Android, Google went so far as to offer pinning as "opt-in" for sites:
> >
> http://groups.google.com/group/android-security-discuss/browse_thread/thread/f5898be7ee9abc48
> .
> >
> > Jeff
>
> BlackBerry does this, Amazon Kindle Fire almost certainly does it, for
> caching purposes. I'm not sure whether that's why the Nokia phone is doing
> it though - you need a good infrastructure to support it.
>
> Regards,
>
> Philip Whitehouse
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Mvh.
Kim Henriksen

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists