Nokia has been pushing its Xpress Browser, found in feature phones and the popular Asha series of phones, at every opportunity. The company claims the browser offers up to 90% savings in data costs by compressing data before transmission. Now, the browser is under criticism after the way it handles HTTPS traffic was brought to light.
Security blogger Gaurang K Pandya first wrote about the browser in December, highlighting that it was forcing traffic to go via Nokia's proxy server. No surprises there. All browsers which compress data - including Opera Mini and Amazon Silk - employ the same technique. In fact, Nokia's page linked above includes this nifty little image clearly depicting the same.
The outcry started when Pandya highlighted that Xpress Browser was routing secure HTTPS traffic via Nokia servers as well.
When you visit a website using your PC or mobile, the request is sent to the website's server, which responds with the data present on that page. The communication doesn't happen directly between your PC and the website's server, and the request as well as the response are sent via multiple intermediate servers.
Most traffic on the Web is sent over the insecure HTTP protocol (e.g. http://gadgets.ndtv.com), which means that it can be 'seen' by any one of these intermediaries. The HTTPS protocol (e.g. https://www.google.com) adds a secure layer on top of HTTP that mandates encryption of data exchanged between the two machines, which prevents any intermediaries from snooping in. Another important element of the HTTPS protocol are certificates, which are used to confirm the identity of machines. HTTPS is used for anything that requires secure communication, like transmitting credit card information or bank details.
Nokia's Xpress Browser, and indeed Opera Mini (which talks about the topic in detail in its FAQ) redirect all HTTP and HTTPS communication via their proxy servers. All your HTTPS requests are decrypted by their proxy, and re-encrypted before forwarding them to the secure site. The server's response is then intercepted by the proxy, decrypted and re-encrypted before sending back to the browser. The apps reportedly use pre-installed certificates to 'trick' the browser into trusting the data that is being sent by the proxy instead of the original site.
Nokia was forced to issued the following statement, clarifying it does not collect any data.
We take the privacy and security of our consumers and their data very seriously. The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans. Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner.
Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.
We aim to be completely transparent on privacy practices. As part of our policy of continuous improvement we will review the information provided in the mobile client in case this can be improved.
Meanwhile, Pandya claims that Nokia has issued an update to its browser that means it is no longer decrypting the data on its servers, but the traffic is still flowing via its servers.
While that, along with Nokia's statement, should calm the nerves of most users, we believe a bit more time spent in educating users and having "sensible defaults" would go much farther in preventing such controversies from erupting in the future. Browsers like Amazon Silk leave
HTTPS communication untouched even when they compress HTTP communication, and we believe that is a sensible way to go.
Amazon Silk routes secure (SSL) web page requests directly from your computer to origin servers so they do not pass through Amazon servers.
Even if companies like Nokia and Opera want to offer the ability to compress HTTPS data as a genuine benefit to users, they should have it as an application preference that is turned off by default. The users should be told exactly what this option entails before they flip that switch on.