Browser/device manufacturers & MITMing/proxying HTTPS

Came across this today:

Nokia Admits Decrypting User Data But Denies Man-in-the-Middle Attacks
http://www.techweekeurope.co.uk/new...e-middle-attacks-103799?ModPagespeed=noscript

which also suggests that Opera Mini does a MITM of HTTPS connections. Elsewhere I saw contradictory information about whether Amazon Silk does this as well. Then stumbled across these:

http://www.igvita.com/2012/06/25/spdy-and-secure-proxy-support-in-google-chrome/
http://www.igvita.com/2011/12/01/web-vpn-secure-proxies-with-spdy-chrome/

which suggest Amazon Silk doesn't route the *HTTPS* traffic through their SPDY proxy. This is my first introduction to SPDY proxies and I find the scenario of tunneling SSL over an SSL connection to a SPDY proxy interesting. I think this passes target hostname/port to said proxy which may or may not be acceptable based on the situation.

Anyway, thought I'd post some of this as an FYI and reminder to check how browsers/devices actually operate.

 

This comes back down to the whole trusting of these special compression services. All of them pretty much work the same way. The server does the browsing and sends that data back to your mobile device in compressed form. That server could do anything with your data.

Personally, I wouldn't trust any of them. But I'm lucky enough not to live in an area where I'd need compressed web browsing.

 

Nokia has been caught doing this kind of stuff for awhile now, selling equipment to opressive regeims so it's no surprise they would do this.