Two days ago, security professional Gaurang Pandya made an interesting discovery about the browser that comes bundled with the Nokia Asha 302, or pretty much any Nokia feature phone. The browser uses a proxy to route its traffic instead of hitting the requested server directly. This led many people to believe that Nokia is performing a MITM attack on their connection. Now, it would be wrong to refute those claims, because this indeed is a MITM technically. However, it is too early to jump to conclusions here.
Nokia uses its Nokia/Ovi proxy servers pretty much the same way any other browser manufacturer uses its proxy servers — for transcoding, resulting in data compression and faster browsing. Amazon’s Silk browser does it, Opera Mini does it, but with a slight difference. Others, who do it, are not handset manufacturers. Nokia, on the other hand, is a handset manufacturer and this allows it to proxy HTTPS connections as well. So, how does this work?
Nokia has control of your device (at least during the manufacturing process), and it cunningly includes a fake certification authority (CA) on your device. With this fake certificate issuer on your device, the proxy server can now decode your data because it is signed with a public key for which, the proxy server will have private key [Public Key Cryptography]. The proxy server in turn sends the data to the actual server, only this time, signing it again with a certificate issued by a proper CA. The outcry in this case was that HTTPS connections could also be hijacked by the proxy servers at Nokia, which is not possible with Opera Mini or other browsers that use proxy servers.
So, is there reason to be worried? Of course there is. However, is there reason to blame Nokia? No. There is just reason enough to ask better questions, like how secure are these proxy servers?