the APN config had no Web proxy configuration so I guess it is the “Internet” configuration.

Kind regards,
Martin

I can actually quite believe that the bank is being whitelisted by the transcoder, however I doubt Bugzilla is. Do you know which network settings your browser was using – Wap or Internet? I believe that only one of these (Wap?) uses the Novarra transcoder, the other does not.

As I said I’m going to plan some more research of this and will post up the results, but all interesting to know!

Tom

I have checked with a Vodafone UK prepaid SIM (APN: pp.vodafone.co.uk), a Nokia N95 and the S60 browser and the mobile banking portal of the German postbank (https://mobile.postbank.de). The https connection was established end to end and the certificate shown in “tools – page info” showed the correct owner (mobile.postbank.de, Deutsche Postbank AG) and the correct Issuer (VeriSign Trust Network).

I cross-checked with Firefox on the PC and the certificate information including the fingerprint were the same. So if the prepaid connection uses a transcoder, it doesn’t brake into this connection. Also, it seems unlikely, Voda UK “whitelists” the German postbank. Not impossible, but unlikely

I also tried with https://bugzilla.mozilla.org and the https certificate in the S60 browser was also o.k. so the connection was end to end.

Do you know specific operators who break into HTTPS connections?

Cheers,
Martin

I think the sad truth here is that you are absolutely right, a mobile browser *should* make the user aware of a man in the middle attack and a transcoder. However we know a number do not actively do this (the user has to know to check the certificate).

I am going to do a follow-up post after looking into this in more detail, hopefully showing what browsers do show with and without transcoders on mainstream handsets.

Tom

Very interesting post, thanks for that! I have one question which you might be able to answer:

In case a transcoder would try to put itself in the middle of a HTTPS connection, doesn’t the mobile web browser issue a certificate warning? If not then how can it differentiate between a transcoder and a man in the middle attack?

Thanks,
Martin