
Opera Mini - Great Browser, So-So Security



Rene from our friends at The iPhone Blog must be feeling his oats. It's not enough that they talk about how Mobile Safari is better than Pocket IE (it is); he has to point out that even some of our alternatives aren't quite up to snuff. Case in point: Opera Mini. It's a great little browser (though it does require that your phone has a Java Virtual Machine) that offloads most of the work of rendering pages to Opera's proxy servers, so you get pages pre-rendered for your screen, and you get them very quickly. All in all, good stuff.

Good stuff, but not necessarily secure stuff. Take a gander at Opera Mini's security FAQ:

Is there any end-to-end security between my handset and — for example — paypal.com or my bank?

No. If you need full end-to-end encryption, you should use a full Web browser such as Opera Mobile.

Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the Web page. Therefore no end-to-end encryption between the client and the remote Web server is possible.

Also notable for folks who might be tempted to access very sensitive info via Opera Mini: since every page goes through Opera's proxy, any password, session cookie or credit card number you type into Opera Mini passes through Opera's servers in the clear. The hop from your handset to the proxy is encrypted, but the proxy has to decrypt it to do its work, and only then does it open its own connection to your bank. Technically, then, you're handing those passwords to Opera. Of course they promise not to keep them or use them (and of course we trust them not to, Opera's good people). But if you're the paranoid type, Opera Mobile, which makes its own direct SSL connection to the site, might be the better choice. Once Opera Mobile 9.5 hits, well, we'll be telling you to use that regardless.
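To make the difference between the two models concrete, here is an added example (not Opera's code and not part of the original post): a Go program that stands up a constructed HTTPS "bank" login page, an Opera Mini style transcoding proxy that terminates the handset's connection and fetches the page itself, and, for contrast, a plain CONNECT tunnel proxy that only relays bytes. It then records what each proxy was able to read while a client logs in. The server addresses, the "alice"/"hunter2" credentials and the whitespace-collapsing "transcoding" step are all constructed for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

const password = "hunter2" // constructed credential for the demo

// capture records every byte a proxy can read, so we can inspect what it saw.
type capture struct {
	mu  sync.Mutex
	buf bytes.Buffer
}

func (c *capture) Write(p []byte) (int, error) { c.mu.Lock(); defer c.mu.Unlock(); return c.buf.Write(p) }
func (c *capture) String() string              { c.mu.Lock(); defer c.mu.Unlock(); return c.buf.String() }

// newOrigin stands in for a bank's HTTPS login endpoint (constructed for this example).
func newOrigin() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		fmt.Fprintf(w, "<html>\n  <body>\n    welcome %s\n  </body>\n</html>", r.FormValue("user"))
	}))
}

// newTranscoder models an Opera Mini style server: it terminates the handset's TLS
// connection, fetches the page from the origin over its own TLS session, rewrites it
// for a small screen, and therefore handles request and response as plaintext.
func newTranscoder(origin *httptest.Server, seen *capture) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		_, _ = seen.Write(body) // form fields, password included, are readable here
		resp, err := origin.Client().Post(origin.URL+r.URL.Path, r.Header.Get("Content-Type"), bytes.NewReader(body))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		page, _ := io.ReadAll(resp.Body)
		// "transcoding": collapse whitespace so the page is smaller on the wire
		_, _ = io.WriteString(w, strings.Join(strings.Fields(string(page)), " "))
	}))
}

// newTunnel models an ordinary CONNECT proxy: it relays bytes between handset and
// origin without terminating TLS, so everything it sees is ciphertext.
func newTunnel(seen *capture) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodConnect {
			http.Error(w, "CONNECT only", http.StatusMethodNotAllowed)
			return
		}
		upstream, err := net.Dial("tcp", r.Host)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		client, _, err := w.(http.Hijacker).Hijack()
		if err != nil {
			upstream.Close()
			return
		}
		_, _ = client.Write([]byte("HTTP/1.1 200 Connection established\r\n\r\n"))
		go func() { _, _ = io.Copy(upstream, io.TeeReader(client, seen)); upstream.Close() }()
		go func() { _, _ = io.Copy(client, io.TeeReader(upstream, seen)); client.Close() }()
	}))
}

// login submits the constructed credentials to target, optionally through an HTTP
// proxy, trusting only the certificates in pool. A nil proxy means a direct connection.
func login(target string, proxy *url.URL, pool *x509.CertPool, user string) (string, error) {
	tr := &http.Transport{Proxy: http.ProxyURL(proxy), TLSClientConfig: &tls.Config{RootCAs: pool}}
	defer tr.CloseIdleConnections()
	form := url.Values{"user": {user}, "password": {password}}
	resp, err := (&http.Client{Transport: tr}).PostForm(target+"/login", form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	page, err := io.ReadAll(resp.Body)
	return string(page), err
}

// Compare runs the same login through both kinds of proxy and returns what each observed.
func Compare() (viaTranscoder, viaTunnel string, err error) {
	origin := newOrigin()
	defer origin.Close()
	var tSeen, cSeen capture
	transcoder := newTranscoder(origin, &tSeen)
	defer transcoder.Close()
	tunnel := newTunnel(&cSeen)
	defer tunnel.Close()

	pool := x509.NewCertPool()
	pool.AddCert(origin.Certificate())
	pool.AddCert(transcoder.Certificate())

	// Handset -> transcoder (its own TLS hop) -> origin: the handset never speaks TLS to the bank.
	if _, err = login(transcoder.URL, nil, pool, "alice"); err != nil {
		return "", "", err
	}
	// Handset -> CONNECT tunnel -> origin: one TLS session, ending at the bank.
	tunnelURL, _ := url.Parse(tunnel.URL)
	if _, err = login(origin.URL, tunnelURL, pool, "alice"); err != nil {
		return "", "", err
	}
	return tSeen.String(), cSeen.String(), nil
}

func main() {
	t, c, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("transcoder saw the password: %v\ntunnel saw the password: %v\n",
		strings.Contains(t, password), strings.Contains(c, password))
}
```

The client in `login` verifies the certificate it is shown, just as a careful browser would, and both logins succeed; the point is that a correctly verified TLS session tells you nothing about what happens on the far side of whoever terminated it. The transcoder's capture holds the raw form body, `password=hunter2` included; the tunnel's capture holds only the TLS handshake and encrypted records.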

via Security Now!

Comments (6)

iPhone people should not really talk, seeing how Apple is looking to intermediate themselves into every IM they ever receive with their "notification server".

Surur

Security is more important than punditry or trolling. There are no "iPhone people", just people, and if information is important, we should all share.

Far as I know the Apple demi-NOC only pushes badges and alerts, not the data itself, but who knows? If it does anything like Opera Mini, I would never use any sensitive information with it. (And would probably avoid it in general).

BTW- Come on over to the iPhone blog sometime, your perspective and discourse is always interesting...

Far as I know the Apple demi-NOC only pushes badges and alerts, not the data itself, but who knows?

Actually I don't think that's true. According to the keynote the Apple server pushes three types of notification: badges (notifies number of messages etc.), custom alert sounds, and custom textual alerts. It seems that the latter can contain user-specific data - the text alert shown in the keynote is for IM and has what appears to be the name of the sender ('Kate') and the message from Kate ('How about Blowfish Sushi?'). It seems that it will be up to the developer as to whether any significant user-specific data goes via Apple.

http://events.apple.com.edgesuite.net/0806wdt546x/event/index.html

- relevant bit starts about 57 mins.

It won't be available for use until September but will be seeded to developers next month so we should know more then I guess.

EDIT. Here's a pic:

Thanks Marcol!

I think we're talking Apple's and oranges, however. If they're broadcasting names and messages in the clear, that would worry me. If it's encrypted, then it would be similar to Gmail handling your email from source to destination via SSL. It'd be like any ISP.

What concerns me about Opera Mini is that they prevent secure transmission by re-writing everything. People using Opera Mini should be aware of that, should never try to log into their bank accounts with it, or otherwise share secure info via that browser.


LEO: OperaMini.com. In a nutshell, the mandatory use of this transcoder server makes it impossible to provide end-to-end SSL security for client connections. Oh.

STEVE: Uh-huh.

LEO: So all of my cookies, userIDs, passwords, and other sensitive information I had so far assumed was secure going over SSL was actually going through this proxy server and getting decrypted there. Even though it's documented, I'm not convinced a browser should do this. I'm not, either. Hmm. Opera's site explains why they need to do this at the URL I referenced above. But I'm not convinced. They should have left the SSL connection alone, direct, with end-to-end security, and used this optimization for plaintext connections. Secondly, there's no indication given by the software for the user to know clearly that this is what's happening behind the scenes. Is this reasonable in your book? Thoughts on if/how they could have done it differently. Wow.

STEVE: Well, this is a perfect example of something we have touched on many times in the last two and a half years, and that is the idea of a proxy server that is terminating the SSL connections itself. That is, essentially decrypting connections that you thought were encrypted in order to have access to the nonencrypted data that is inside the SSL tunnel. Now, the reason they're doing this is that this server that the Opera Mini browser connects to is really doing a lot of good work for the user. It is rewriting pages, web pages on the fly, rewriting JavaScript on the fly, essentially turning web pages that were never designed to be seen on a very small screen on a very lightweight and lower powered browser, making them work.

And so if they didn't do that, that is, if they did pass SSL through end to end, first of all, your browser, that is, that you're holding in your hand, running on presumably a lower power chip, it would need to be able to do SSL, which is a little compute intensive, although I would argue these days that could be handled easily enough. And they would then no longer be able to perform this filtering which apparently the Opera Mini Browser depends upon. On their security page where they address this, they're not quite as upfront as I wish they were. I mean, Anand K., who's a Security Now! listener, he's obviously astute enough to sort of read between the lines.

LEO: I know. I didn't. I didn't know, and I've been using this.

STEVE: Yeah, you have to read between the lines to get what it is they're doing.

LEO: I'm mad.

STEVE: And, yes, I know, I mean, this is not good for it to be less clear for people. Apparently they're providing some sort of tunnel encryption of their own, not SSL. But that, you know, so your data is protected itself going to them. But then it's completely open. I mean, it's as though you're trusting the Opera Mini server, proxy server. Everything you do, your passwords, your secure login, I mean, literally your username and login that you thought was over SSL...

LEO: Unbelievable.

STEVE: ...is unencrypted. And finally, at the end of this FAQ page, someone asks the hypothetical question, well, what if I don't like that? And their answer is, well, then, you can't use Opera Mini. Go use, you know, the regular Opera non-mini browser, sorry. And so, I mean, I don't really have an opinion one way or the other, although I don't think I'm going to use it.

LEO: I just deleted it. I'm kind of stunned.

STEVE: So that's annoying. And I really thank Anand for the...

LEO: Yeah. I would not have known. I'm looking at their website right now. It doesn't say that it's doing that.

STEVE: No. I mean, again, in their FAQ it says, is there any end-to-end security between my handset and, for example, PayPal.com or my bank? Okay, first word, no.

LEO: First word, bye.

STEVE: If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile. Opera Mini uses a transcoder server, as they call it, to translate HTML, CSS, JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation the Opera Mini server needs to have access to the unencrypted version of the web page. Therefore, no end-to-end encryption between the client and the remote web server is possible.

LEO: You know, I understand why they're doing that. But they really should say - that should be very clear on the front page. Wow. I haven't used it much, so I feel all right. But...

STEVE: For what it's worth, I mean, they say - another of their made-up questions. Can Opera software, Opera Software Company, see my passwords and credit card numbers in cleartext? What is the encryption good for, then? The answer, the encryption is introduced to protect the communication from any third party between the client, the browser on your handset, and the Opera Mini transcoder server, meaning - so they're talking about the encryption between your handset and Opera's server. If you do not trust Opera software, make sure - and I'll say, and everyone who works for Opera software - make sure you do not use our application to enter any kind of sensitive information. It's like, okay. As you said, Leo, bye bye.

LEO: I deleted it.


What this conversation confirms is that Leo is an idiot. The whole community has known for years that Opera Mini worked this way.

If you don't trust the people who make your browser, who can you trust? If they really wanted to steal your password they still could, even with end-to-end SSL, because they would have local control of the data, to be able to render it onscreen. In this case they are just doing some of the rendering off-site (but still encrypted in transit).

Surur

I think we're talking Apple's and oranges, however. If they're broadcasting names and messages in the clear, that would worry me. If it's encrypted, then it would be similar to Gmail handling your email from source to destination via SSL. It'd be like any ISP.

The ol' Apple's and oranges joke. Love it :) There are two questions here of course, what gets sent via Apple, and is any user data encrypted. I would guess (as it's just notifications) that the amount of data going via Apple would be limited. If you click the Reply button shown in the pic above for example, I'm pretty sure subsequent messages would go 'directly' between the iPhone and 3rd party server. Direct (iPhone to 3rd party server) connection was shown in the keynote. Encryption wasn't mentioned by Forstall and I guess we'll just have to wait for a definitive answer to that question.
