Friday, April 17, 2009

Nokia's statement about the Nokiagate

I just received Nokia's official statement about the case I reported earlier.

Nokia's statement begin.
A Finnish blogger recently posted on his blogsite that Nokia stores users' credentials in Nokia when they try to configure their email account on their Nokia device using direct IMAP/POP access.

For the mobile email account to be created and for the user to enjoy a seamless mobile email experience, his email credentials (namely email address and password) need to be sent to the mail provider's server. In some cases, the user's credentials are sent directly to the mail provider's server, but in other cases, they securely pass through the Nokia mail server, without actually being stored.

Nokia takes security seriously in all phases of the mobile communication systems development process, and will further investigate this case using our normal processes and comprehensive testing. Also, based on the feedback that we have received, we will look into the possibility of amending the on-device email set-up instructions to ensure that end-user information handling in our devices and services is accurate.
Nokia's statement end.

My comment on that statement:
  • I completely understand and accept the need to ease the email account creation. Despite that, I still feel that sometimes sending credetials to email provider and sometimes sending those to Nokia's server is not acceptable. I want to be in control who gets my credentials.
  • I haven't claimed that Nokia stores user's credentials. I have written that credentials are sent to Nokia - I don't have any idea what happens to credentials after that.
  • I asked if credentials are stored. Now we got a clear answer that credentials are not stored. That's good.

If I may suggest a solution to Nokia, would you consider a solution that
  • tells to user exactly what's going on during the account creation
  • allows user to decide wheter wizard is used or not
  • if wizard is not used, no communications is done to Nokia's servers
  • if wizard is used, only domain part (e.g. gmail.com) is sent to Nokia server

//Harri

30 comments:

Anonymous said...

wait...how is it secure when the credentials are sent in plaintext as a part of the HTTP/HTTPS request (aka...the "GET" method as opposed to the "POST" method in which the data within the POST are encrypted if on HTTPS).

Unknown said...

@mofoq: the entire HTTP protocol is tunneled through SSL when HTTPS is used. The use of GET or POST makes no difference.

Viraptor said...
This comment has been removed by the author.
Viraptor said...

for the user to enjoy a seamless mobile email experience [...] in other cases, they securely pass through the Nokia mail serverI don't get it. Why would they need these details only during the setup? If the IMAP communication on nokias is always direct, how can they do anything about the "seamless ... experience" later on?

If they really do something useful with that data, why don't they provide a technical explanation alongside the brief one? Right now their explanation doesn't seem to make much sense :/

Anonymous said...

so nokia doesn't keep any kind of webserver logs if they claim that they don't store passwords - webservers typically store requests... I also presume those logs aren't never backed up...

Akhilesh said...

@viraptor

I have an E71. The reason why the client sends information to nokia's server is to get information about account settings. The server presumably has database of imap/pop/smtp servers of lots of popular domains and ISPs. It might also be applying heuristics, but I don't know.

Thus, when the user enters example@gmail.com as username and the password, the client can query the server to find out the server info, which are sometimes just painful to enter by hand.

@harris, I appreciate your concern, but it seems you 'conveniently' omitted this crucial piece of info. Imagine typing all details that typical mail clients like Outlook as on a non-querty phone...

Anonymous said...

This is shocking and Nokia should fire the the developers that came up with this scheme.

1) Why don't they apply some kind of encryption to the URL - Hash it up so it isn't PLAIN TEXT.

2) If all they need is a list of settings for a specific provider they don't need the username and password

3) Can they legally AND officially confirm they have no record or retention of this information?

NotAC said...

@Akhilesh:

There is no need for passwords to be sent to retrieve server hostnames for an email service. Sending the email address itself is sufficient. If you believe otherwise, you are not technically proficient enough to comment, and should leave the issue to those who are (no offensive intended...).

SupaSexy said...

@NotAC

"No offensive intended" is not a valid English phrase. Saying "No offense intended" is sufficient. If you believe otherwise, you are not linguistically proficient enough to comment, and should leave posts to those who are (offense intended…).

NotAC said...

@SupaSexy

Haha, way to nitpick. While my comment about the other poster's remarks criticized an implicit lack of technical understanding, your comment just draws attention away from the real issue. Did your heart rate elevate at the fact that I mistyped? If so, I suggest you try to relax... stress like that will shorten the time you have left to dole out useless criticism ;)

Anonymous said...

@Harri: "I haven't claimed that Nokia stores user's credentials."

But actually don't you do it here? From your original posting:
"Clicking "Start" will continue the wizard, but was that answer also consent to store the personal information?"

Anonymous said...

Guys - back on topic! Nokia is sending the USERNAME AND PASSWORD IN PLAINTEXT TO AN UNAUTHORIZED SERVER LOCATED IN AN UNDISCLOSED LOCATION. This is borderline criminal.

Anonymous said...

"Guys - back on topic! Nokia is sending the USERNAME AND PASSWORD IN PLAINTEXT"

They are _not_ sent in plaintext, but encrypted via HTTPS.

Anonymous said...

"Thus, when the user enters example@gmail.com as username and the password, the client can query the server to find out the server info, which are sometimes just painful to enter by hand."

What mysterious information would that be? What information other than protocol, host, port, user, and password could there possibly be?

I think you're grasping at straws here. For Nokia to transmit my password to its servers without my consent or knowledge is outrageous, and it may constitute a felony in many countries. It's even more outrageous that they do so unencrypted, exposing my password to the rest of the world.

I have four Nokia phones. I consider this behavior outrageous and it destroys all trust I have had in Nokia. The company is dead as far as I'm concerned. People need to be warned about this inexcusable fault.

Anonymous said...

Big difference between GET and POST: The full URL usually goes to an access log of the webserver, and with it go the credentials... Somehow I don't believe them, when they claim that they don't store it. Maybe don't even know that they are storing (loggin) it...

NotAC said...

@AC

Yes, back to the issue. There are many incomplete ideas being tossed around. Let's summarize and try to clarify all the points both sides are making:

1. Transmission of credentials without express consent: User's should be made aware that their information is being sent somewhere regardless of whether it's encrypted or not, or whether it is just an email address or accompanying password.

2. If Nokia is sending credentials to their servers in order to determine the appropriate email service host names to use with the account (which is useful, as another poster noted), there is no need to include the password. The password does not help determine anything about the hosts required to access an email account with any service provider.

3. To continue on with the "useful" service Nokia is attempting to provide, @AC, this mystical information is the host names of the devices responsible for accepting client connections for the email service. Do you know this information off the top of your head? Example would be:
smtp.yourdomain.com
pop.yourdomain.com
mx.yourdomain.com
Also, depending on the service provider, SSL/TLS settings and port numbers are different for many of them.

To conclude, Nokia should be:

a) not sending passwords, regardless of encryption.
b) notifying the user that any of their information is being sent to a third party's server (technically inclined people will realize this, since they know they haven't entered the mystical settings ;)

It's a semi-complicated issue of UI design and service implementation, which has been exasperated by misunderstandings and misinformation.

Anonymous said...

@NetAC, You're not thinking your comment about needing the password through. There would be a legitimate reason technically.

They wouldn't need the password for popular providers. But I imagine they're doing some kind of automatic finding of settings if the domain isn't already known, and it wouldn't know the settings were good unless it could check them...

Besides, this thing is using HTTPS, and they've already said their service doesn't store any data.

What's the problem? They use this service to make it easier: e-mail address, password on a device. Especially without a qwerty keyboard, makes setting up e-mail easy peezy.

Should they tell you they're going to send your credentials over the network? Probably.

Still don't think it's a big deal.

NotAC said...

@AC

Yes, they could test the settings they find from their server, but why bother... just pass the settings back to the phone and test it from there. That is where the connection will be made from once setup is complete.

Another point to think on is whether you trust Nokia to test your settings accurately and securely. Perhaps they "test" using non-SSL POP/IMAP/SMTP? Then your credentials are being potentially revealed, even though the device sent them to Nokia over HTTPS.

Yet _another_ situation... with one central location testing so many accounts, I would pick that as an exploit target. An exploited server there could collect thousands of potential email account credentials... do you trust Nokia's security, or any third party for that matter? Secrets are best kept by telling only those who need to know, and Nokia doesn't _need_ to know.

Two cents from a vet of application and network security.

fotis said...

Being an otherwise happy owner of a N95, I can also have objections on this implementation. Nokia should be more explicit in its user consent request about BOTH that personal information is being exposed externally AND that an external service run by Nokia (or, perhaps, a subcontractor of theirs etc) is being employed. That would suffice. The mumbo-jumbo style clause and excuse response they provided is meaningless and does not help understanding the technical decisions taken behind the scenes. If I am the sysadmin configuring a N* for a third party, they make me look bad. In fact, we can already charge them with nasty implementation, regardless of good intentions. And I'm pretty sure a few many passwords are still stored in the /proc/kcore of a Nokia server as you read this...

Anonymous said...

@orospakr
I disagree.
It is still stored in the logs and per-EU/US and probably some obscure Finland laws require logs to be saved.

Anonymous said...

"Big difference between GET and POST: The full URL usually goes to an access log of the webserver, and with it go the credentials..."

...and the access log is used by log reporting tools which means any marketing assistant whose job it is to analyze web statistics can see those credentials using WebTrends or whatever system they use.

Henryk Plötz said...

@Anonymous: "I imagine they're doing some kind of automatic finding of settings if the domain isn't already known, and it wouldn't know the settings were good unless it could check them..."

No, you don't need the password to guess check STMP and POP3/IMAP servers, you simply start with the best choices (outgoing: port 587 at the primary MX for the domain with STARTTLS, incoming: port 993 at the same host) and then cycle through less favourable choices (ports 25, 995, 143, 110; guessed hostnames mail.domain, imap.domain, etc.) until you find a combination that lets you connect and speaks the right protocol. You don't need to actually log in.

@Anonymous: "They are _not_ sent in plaintext, but encrypted via HTTPS."

How, then, was Harri able to sniff the request? Obviously there was no encryption in place at that time.
(Plus the other points already made: The request *will* end up in the HTTP server logs, and probing might be done through unencrypted protocols.)

Henryk Plötz said...

Ok, I rescind part of my earlier remarks. I just tested it with my E71 and the phone *does* use HTTPS to connect to 62.61.69.104. So at least this part of the process is encrypted (though probably without proper certificate checking).

Jack said...

Henryk is absolutely right with the point that the wlan gateway won't be able to sniff the email address and the password unless they were sent plaintext in the http(s) request in the first place. So that means it's plaintext all the way to the Nokia servers thru public Internet. It doesn't really matter if Nokia isn't saving the data, but who knows on how many places the request will be logged on it's way there, like ISP stuff, local network, you name it.

northpole said...

That doesn't look like a responsible reply from a seemingly responsible largest mobile company.
Is Nokia trying to close this as an one-off incident or is actually subduing?
This is an instant where it shows how large companies completely ignores security and narrow on functionality, features and sales.
I have an older S60 phone, a Nokia E65; and use it access my official and personal mails 'directly'. I shall test this on my phone. Until this issue receives attention beyond Nokia's threshold they will not respond 'responsibly'.

Jack said...

Oh, Harri said he used proxy which obviously explains getting the get request in plaintext so nevermind what I just said earlier ;)

Anonymous said...

Do you guys have any proof that they are using Apache, or any other standard web server, that automatically can be assumed to log the request verbatim?

Other web servers have log behaviour that is customizable, and can be replaced by third-party modules. Or they can completely disregard the request and simply log from within the application. Yes, they might be logging the password there, or they might not.

I would give them more credit, though, than to assume that developers automatically disregard or are ignorant of privacy and security. People's fear of big business is getting almost fanatical.

Oh, and I just went to https://ccds.nokia.com as per the URL listed in the slashdot thread, and it appears that they have a valid certificate signed by a valid CA. Seems like Henryk's supposition "(though probably without proper certificate checking)" might be another presumption. Unless you meant something else, Henryk?

xNokia said...

Hello ,
I would like to ask does it have any relate to this website بوابة نوكيا - بلوتوث - برامج - اغاني - العاب - فوركس - أخبار - حواء - جوال - فيديو - أفلامThanks ,
xNokia

Anonymous said...

Not much changed :( I've bought a Nokia C7 recently. Now they declare this: (translated from Hungarian by me):

"During the activation process the system sends to Nokia your email address, username and password, along with some technical data, for example the phone identifier."

Anonymous said...

I was looking for a way to disable this damn nokia email wizard and found your blog. It is very dissapointing they still done nothing about this matter. The only thing i can say is that i will never buy nokia again, and will encourage people to buy other brands.