[3684] in Privacy_Forum


[ PRIVACY Forum ] Opera admits that "Opera Mini" also does Man in the

daemon@ATHENA.MIT.EDU (PRIVACY Forum mailing list)
Wed Jan 9 17:03:26 2013

Date: Wed, 9 Jan 2013 13:47:29 -0800
To: privacy-list@vortex.com
Message-ID: <20130109214729.GB15180@vortex.com>
From: PRIVACY Forum mailing list <privacy@vortex.com>
Reply-To: PRIVACY Forum mailing list <privacy@vortex.com>



Opera admits that "Opera Mini" also does Man in the Middle attack on SSL
http://j.mp/13hLgy4  (This message on Google+)

 - - -

Following up on the issue of phones and browsers that purposely
violate end-to-end SSL security via Man in the Middle attacks, it
should be noted that Opera explicitly admits this regarding Opera
Mini, claiming that "During development we found out that certificates
and implementations of secure sockets/SSL is an area where there is
little standardization, with many bugs and big differences between
different handsets and manufacturers. This is the current state of
J2ME/MIDP, so we found developing our own solution to be the only
viable option."

See their FAQ: http://j.mp/13hKyRz  (Opera)

To be sure, use of SSL MitM proxies was very common years ago, when
better solutions did not widely exist.  But nowadays, I believe it's
reasonable for most people to assume that their SSL connections are
not being pulled into the clear by invisible proxies and creepy
certificates.  If a firm is going to do this on a low-end phone, at
the very least there should be a clear click-through warning on
*every* SSL access.

Really, this shouldn't be happening at all.  The fact that the PKI
permits this to occur so easily is no longer acceptable, if it ever
was in any situations.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
