Educause Security Discussion mailing list archives

What are people doing with the risks of SSL proxies with Cell carriers?


From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 12 Dec 2005 12:54:13 -0500

We are in the process of developing a standard for handheld devices.  We
had a risk surface in one of our meetings.  With PocketPC smartphones,
and Exchange, we have long had a requirement for SSL encryption.

I naively assumed that it was end-to-end.  I hadn't really looked at the
technology.  But it seems that some carriers proxy the SSL, with
essentially a contractual man-in-the-middle.  I was wondering how others
viewed that.  The second question had to do with risk management
techniques (does anyone with smartphones have business associate
agreements with their carriers)?

Jim

P.S. There was also interest in using Outlook Mobile Access (text based)
so that not-so-smart phones could be used.  But the information that I
get is that OMA will connect either http or https, and there is a way to
force this, but if there is an SSL proxy, then the Cell carrier may
connect to the phone http (if that is all that it supports) and then
connect into OMA with https.

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio



