Nokia’s Xpress Browser is Criticized for Mishandling HTTPS Traffic
Nokia has been pushing the Xpress Browser on Asha phones and other feature phones. It is claimed that the web browser reduces data transfer by 90 percent through improved compression technology. However, a closer examination has brought the browser under criticism for possible security issues. Gaurang K Pandya, a security blogger, first highlighted how the Xpress Browser handles HTTPS traffic.
As with Amazon Silk and Opera Mini, data passes through an intermediary server before being delivered to users. This allows Nokia to compress any data using proprietary compression technology. But an outcry arose when it was found that secure HTTPS traffic is routed through Nokia servers as well.
HTTPS is a more robust version of the standard HTTP protocol that mandates strong encryption of data between two terminals. Communication over HTTPS requires certificates, which makes it safer for users to transmit critical information, including bank and credit card details.
HTTPS traffic that arrives at Nokia’s server is decrypted and then re-encrypted before being forwarded to end users. It is reported that the server may use its own certificate to trick the Xpress Browser into accepting HTTPS data from it, instead of from the original website. Theoretically, Nokia can take a look at your confidential data, which violates web security standards.
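An added example (not from the original article or from Nokia): one way a client or auditor can detect the re-encryption described above is to compare the certificate actually received against a fingerprint recorded out of band for the origin. The host name, issuer names and certificate bytes are constructed placeholders, and the dictionaries mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib

# Constructed stand-ins for DER-encoded leaf certificates (not real certs).
ORIGIN_DER = b"constructed-origin-certificate-bytes"
PROXY_DER = b"constructed-proxy-certificate-bytes"

# Pin store built out of band: host -> (expected issuer org, SHA-256 of leaf DER).
PINS = {
    "bank.example": ("Example Public CA",
                     hashlib.sha256(ORIGIN_DER).hexdigest()),
}

def name_field(name, key):
    """Read one attribute from a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def audit(host, cert_info, cert_der, pins=PINS):
    """Return a list of findings; an empty list means the cert matches the pin."""
    if host not in pins:
        return ["no pin recorded for host"]
    want_issuer, want_fp = pins[host]
    findings = []
    got_fp = hashlib.sha256(cert_der).hexdigest()
    if got_fp != want_fp:
        findings.append("leaf fingerprint differs from pin")
    got_issuer = name_field(cert_info.get("issuer", ()), "organizationName")
    if got_issuer != want_issuer:
        findings.append(f"issuer is {got_issuer!r}, expected {want_issuer!r}")
    return findings

def cert(issuer_org, cn):
    """Build a constructed getpeercert()-shaped dict."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("organizationName", issuer_org),),)}

# Direct connection: certificate issued to the site by its usual CA.
direct = audit("bank.example", cert("Example Public CA", "bank.example"), ORIGIN_DER)
# Via a re-encrypting intermediary: same host name, different issuer and key.
proxied = audit("bank.example", cert("Example Proxy CA", "bank.example"), PROXY_DER)

if __name__ == "__main__":
    print("direct :", direct or "matches pin")
    print("proxied:", proxied)
```

A substituted certificate that chains to a CA the client already trusts passes ordinary validation, so only a comparison against an independently recorded value, as here, reveals the substitution.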