Tuesday, February 26, 2013

Mobile Web Browsers: The New Men in the Middle?


It was not very long ago that HTC’s dream came true in the form of the first-ever smartphone based on the Android operating system.

Initially it was a battle to beat iOS, which later gave us “Android” as the most popular smartphone OS (thanks to a timely acquisition by Google).

Most popular!  . . . Agreed,

Very Convenient!  . . . Fine,

But can you compromise your security for the sake of convenience?

Definitely Not!

When it comes to accessing the internet through mobile web browsers, one must understand the risks involved in using these browsers to access websites that contain secure content.
At the moment, at least two web browsers for mobile devices, Nokia’s OVI and Opera’s Mini browser, use their own proxy servers to decipher secure communication transmitted over the HTTPS protocol.
These browsers are pre-configured to send all traffic to their own proxy servers instead of sending it directly to the actual destination.

The encryption is stripped from the secure content so that it can be examined and changed accordingly. All such companies claim there is no human intervention, access or involvement in the inspection and alteration of content.

On the other hand, the reality is that all the secret information we transmit or receive through such browsers is visible to one additional entity, “The Browser Software Provider”, and that is mentioned, if at all, somewhere in a lengthy terms and conditions document. This is not a very healthy sign for our privacy.

What Is at Stake?

Personal information, including account passwords and PIN numbers, is the most common example and potentially the most dangerous too.

Why Do They Need to Strip the HTTPS Traffic?


There are two main reasons:


  • To make web pages look more suitable for a mobile phone’s smaller screen by re-organizing them.
  • To share the workload of a compact browser by doing the rendering on the application provider’s proxy servers.



How Do They Do That?

All such browsers are pre-configured to send all traffic to a certain set of proxy servers.
These servers receive the request, forward it to the original website and receive the response from that server. Upon receiving the information, the secured bits are decrypted using the public key and adjusted to give the user an acceptable browsing experience with limited use of resources. In a way they are doing something good for the user here, but it comes at the cost of an elevated data exposure risk.
Now the question is: when the HTTPS protection is stripped off, why do users not get any security certificate warning?
Because the browsers are configured to accept all certificates that contain their respective proxy server’s issued certificate, users do not receive a certificate warning.
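Because every request reaches the website from the provider's proxy rather than from the phone, a site operator can recognise this traffic and warn the user before a password or PIN is entered. The sketch below is an added example, not code from this post or from either browser vendor. It assumes the proxy identifies itself through `X-OperaMini-*` request headers or an `Opera Mini/` or `OviBrowser/` User-Agent token (verify these markers against your own access logs), and the sensitive paths are hypothetical.

```python
# Added example: flag requests that arrived through a rendering proxy.
# Marker lists are assumptions to confirm against your own access logs.
PROXY_HEADER_PREFIXES = ("x-operamini-",)         # e.g. X-OperaMini-Phone-UA
PROXY_UA_TOKENS = ("opera mini/", "ovibrowser/")  # proxy-rendered browsers
SENSITIVE_PREFIXES = ("/login", "/account", "/transfer")  # hypothetical paths


def proxy_evidence(headers):
    """Return the reasons a request looks proxy-rendered (empty if none)."""
    # HTTP header names are case-insensitive, so normalise before matching.
    norm = {name.lower(): value for name, value in headers.items()}
    reasons = ["header:" + name for name in sorted(norm)
               if name.startswith(PROXY_HEADER_PREFIXES)]
    user_agent = norm.get("user-agent", "").lower()
    reasons += ["user-agent:" + token.rstrip("/")
                for token in PROXY_UA_TOKENS if token in user_agent]
    return reasons


def decide(path, headers):
    """Return ('warn' | 'allow', reasons); warn only on sensitive pages."""
    reasons = proxy_evidence(headers)
    if reasons and path.startswith(SENSITIVE_PREFIXES):
        return "warn", reasons
    return "allow", reasons


# Constructed sample requests (not captured traffic).
OPERA_MINI = {
    "User-Agent": "Opera/9.80 (J2ME/MIDP; Opera Mini/7.1.32052/29.3417; "
                  "U; en) Presto/2.8.119 Version/11.10",
    "X-OperaMini-Phone-UA": "NokiaX2-02/10.90",
    "X-Forwarded-For": "203.0.113.7",
}
OVI = {"user-agent": "Mozilla/5.0 (Series40; NokiaX2-02/10.90; "
                     "Profile/MIDP-2.1 Configuration/CLDC-1.1) "
                     "Gecko/20100401 S40OviBrowser/1.0.2.26.11"}
DESKTOP = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) "
                         "Gecko/20100101 Firefox/19.0"}
# Header evidence still counts when the User-Agent has been changed.
MASKED_UA = {"User-Agent": DESKTOP["User-Agent"],
             "X-OperaMini-Features": "advanced, file_system"}

if __name__ == "__main__":
    for path, hdrs in [("/login", OPERA_MINI), ("/account/balance", OVI),
                       ("/login", DESKTOP), ("/news", OPERA_MINI),
                       ("/transfer", MASKED_UA)]:
        print(path, *decide(path, hdrs))
```

These markers are supplied by the client side and can be absent or altered, so the result is suitable for showing a warning, not for making an access-control decision.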

How to Avoid this Issue?

  • Apparently, if a website’s content opens differently on your mobile device than on a laptop, it is going through a man in the middle.
  • Use a full version instead of a compact version wherever possible.
  • Never use mobile browsers to access email and online bank account portals. Otherwise you have an extra hop which, if compromised, can never be held responsible for any loss, thanks to the privacy policy document containing 1 million words and a big “I AGREE” button which we press eagerly during installation.
  • Consider using proxy services