Opera Mini - Great Browser, So-So Security

Posted on Thursday, Jun 19, 2008 by Dieter Bohn
 
Filed Under: News; Tags: opera 9.5, opera mini


Rene from our friends at The iPhone Blog must be feeling his oats -- it's not enough that they say Mobile Safari is better than PocketIE (it is), he has to point out that even some of our alternatives aren't quite up to snuff. Case in point: Opera Mini. It's a great little browser (though it does require that you use a Java Virtual Machine) that keeps most of the work of rendering pages on Opera's proxy servers -- meaning you get pages pre-rendered for your screen very quickly. All in all, good stuff.

Good stuff, but not necessarily secure stuff. Take a gander at Opera Mini's security page:

Is there any end-to-end security between my handset and — for example — paypal.com or my bank?

No. If you need full end-to-end encryption, you should use a full Web browser such as Opera Mobile.

Opera Mini uses a transcoder server to translate HTML/CSS/JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation, the Opera Mini server needs to have access to the unencrypted version of the Web page. Therefore no end-to-end encryption between the client and the remote Web server is possible.

Also notable for folks who might be tempted to access very sensitive info via Opera Mini: because everything is routed through a proxy server, any password you enter in Opera Mini is effectively handed to Opera. Of course they promise not to keep or use it (and of course we trust them; Opera's good people). But if you're the paranoid type, Opera Mobile might be the better choice. Once Opera Mobile 9.5 hits, well, we'll be telling you to use that regardless.
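One practical check on the server side, added here as an example (it is not from the article, from Opera, or from Security Now!): scan web-server access logs for credential-bearing requests whose User-Agent identifies Opera Mini, since those requests were decrypted and transcoded on Opera's proxy before they reached you. The log lines below are constructed samples; the sensitive-path list is an assumption for the example.

```python
import re
from typing import Dict, List

# Constructed sample Apache "combined" log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2008:10:01:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Opera/9.50 (J2ME/MIDP; Opera Mini/4.1.11355/542; U; en)"
203.0.113.11 - - [19/Jun/2008:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 Safari/419.3"
203.0.113.12 - - [19/Jun/2008:10:03:44 +0000] "POST /login HTTP/1.1" 200 812 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
203.0.113.10 - - [19/Jun/2008:10:04:30 +0000] "GET /account/summary HTTP/1.1" 200 2048 "-" "Opera/9.50 (J2ME/MIDP; Opera Mini/4.1.11355/542; U; en)"
"""

# Fields of the combined log format we care about: client IP, timestamp,
# request line, status, referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed for this example: paths where a request carries credentials or
# account data that should never have crossed a third-party proxy in the clear.
SENSITIVE_PATHS = ("/login", "/account/")


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def via_transcoding_proxy(user_agent: str) -> bool:
    # Opera Mini names itself in the User-Agent; such requests were decrypted
    # and rewritten on Opera's transcoder before reaching this server.
    return "Opera Mini" in user_agent


def find_proxied_sensitive_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the records whose sensitive content transited the transcoder."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if via_transcoding_proxy(rec["ua"]) and rec["path"].startswith(SENSITIVE_PATHS):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_proxied_sensitive_requests(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} via Opera Mini')
```

A bank or webmail operator can use the count of such hits to size the exposure and decide whether to warn those users or require a full browser for login.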

via Security Now!


Comments

iPhone people should not really talk, seeing how Apple is looking to intermediate themselves into every IM they ever receive with their "notification server"

Surur
Security is more important than punditry or trolling. There are no "iPhone people", just people, and if information is important, we should all share.

Far as I know the Apple demi-NOC only pushes badges and alerts, not the data itself, but who knows? If it does anything like Opera Mini, I would never use any sensitive information with it. (And would probably avoid it in general).

BTW- Come on over to the iPhone blog sometime, your perspective and discourse is always interesting...
Far as I know the Apple demi-NOC only pushes badges and alerts, not the data itself, but who knows?

Actually I don't think that's true. According to the keynote the Apple server pushes three types of notification: badges (notifies number of messages etc), custom alert sounds, and custom textual alerts. It seems that the latter can contain user-specific data - the text alert shown in the keynote is for IM and has what appears to be the name of the sender ('Kate') and the message from Kate ('How about Blowfish Sushi?'). It seems that it will be up to the developer as to whether any significant user-specific data goes via Apple.

http://events.apple.com.edgesuite.net/0806wdt546x/event/index.html

- relevant bit starts about 57 mins.

It won't be available for use until September but will be seeded to developers next month so we should know more then I guess.

EDIT. Here's a pic:

Thanks Marcol!

I think we're talking Apple's and oranges, however. If they're broadcasting names and messages in the clear, that would worry me. If it's encrypted, then it would be similar to Gmail handling your email from source to destination via SSL. It'd be like any ISP.

What concerns me about Opera Mini is that they prevent secure transmission by re-writing everything. People using Opera Mini should be aware of that, should never try to log into their bank accounts with it, or otherwise share secure info via that browser.

LEO: OperaMini.com. In a nutshell, the mandatory use of this transcoder server makes it impossible to provide end-to-end SSL security for client connections. Oh.

STEVE: Uh-huh.

LEO: So all of my cookies, userIDs, passwords, and other sensitive information I had so far assumed was secure going over SSL was actually going through this proxy server and getting decrypted there. Even though it's documented, I'm not convinced a browser should do this. I'm not, either. Hmm. Opera's site explains why they need to do this at the URL I referenced above. But I'm not convinced. They should have left the SSL connection alone, direct, with end-to-end security, and used this optimization for plaintext connections. Secondly, there's no indication given by the software for the user to know clearly that this is what's happening behind the scenes. Is this reasonable in your book? Thoughts on if/how they could have done it differently. Wow.

STEVE: Well, this is a perfect example of something we have touched on many times in the last two and a half years, and that is the idea of a proxy server that is terminating the SSL connections itself. That is, essentially decrypting connections that you thought were encrypted in order to have access to the nonencrypted data that is inside the SSL tunnel. Now, the reason they're doing this is that this server that the Opera Mini browser connects to is really doing a lot of good work for the user. It is rewriting pages, web pages on the fly, rewriting JavaScript on the fly, essentially turning web pages that were never designed to be seen on a very small screen on a very lightweight and lower powered browser, making them work.

And so if they didn't do that, that is, if they did pass SSL through end to end, first of all, your browser, that is, that you're holding in your hand, running on presumably a lower power chip, it would need to be able to do SSL, which is a little compute intensive, although I would argue these days that could be handled easily enough. And they would then no longer be able to perform this filtering which apparently the Opera Mini Browser depends upon. On their security page where they address this, they're not quite as upfront as I wish they were. I mean, Anand K., who's a Security Now! listener, he's obviously astute enough to sort of read between the lines.

LEO: I know. I didn't. I didn't know, and I've been using this.

STEVE: Yeah, you have to read between the lines to get what it is they're doing.

LEO: I'm mad.

STEVE: And, yes, I know, I mean, this is not good for it to be less clear for people. Apparently they're providing some sort of tunnel encryption of their own, not SSL. But that, you know, so your data is protected itself going to them. But then it's completely open. I mean, it's as though you're trusting the Opera Mini server, proxy server. Everything you do, your passwords, your secure login, I mean, literally your username and login that you thought was over SSL...

LEO: Unbelievable.

STEVE: ...is unencrypted. And finally, at the end of this FAQ page, someone asks the hypothetical question, well, what if I don't like that? And their answer is, well, then, you can't use Opera Mini. Go use, you know, the regular Opera non-mini browser, sorry. And so, I mean, I don't really have an opinion one way or the other, although I don't think I'm going to use it.

LEO: I just deleted it. I'm kind of stunned.

STEVE: So that's annoying. And I really thank Anand for the...

LEO: Yeah. I would not have known. I'm looking at their website right now. It doesn't say that it's doing that.

STEVE: No. I mean, again, in their FAQ it says, is there any end-to-end security between my handset and, for example, PayPal.com or my bank? Okay, first word, no.

LEO: First word, bye.

STEVE: If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile. Opera Mini uses a transcoder server, as they call it, to translate HTML, CSS, JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation the Opera Mini server needs to have access to the unencrypted version of the web page. Therefore, no end-to-end encryption between the client and the remote web server is possible.

LEO: You know, I understand why they're doing that. But they really should say - that should be very clear on the front page. Wow. I haven't used it much, so I feel all right. But...

STEVE: For what it's worth, I mean, they say - another of their made-up questions. Can Opera software, Opera Software Company, see my passwords and credit card numbers in cleartext? What is the encryption good for, then? The answer, the encryption is introduced to protect the communication from any third party between the client, the browser on your handset, and the Opera Mini transcoder server, meaning - so they're talking about the encryption between your handset and Opera's server. If you do not trust Opera software, make sure - and I'll say, and everyone who works for Opera software - make sure you do not use our application to enter any kind of sensitive information. It's like, okay. As you said, Leo, bye bye.

LEO: I deleted it.


What this conversation confirms is that Leo is an idiot. The whole community has known for years that Opera Mini worked this way.

If you don't trust the people who make your browser, who can you trust? If they really wanted to steal your password they still could, even with end to end SSL, because they would have local control of the data, to be able to render it onscreen. In this case they are just doing some of the rendering off-site (but still encrypted in transit).

Surur
I think we're talking Apple's and oranges, however. If they're broadcasting names and messages in the clear, that would worry me. If it's encrypted, then it would be similar to Gmail handling your email from source to destination via SSL. It'd be like any ISP.

The ol' Apple's and oranges joke. Love it :) There are two questions here of course, what gets sent via Apple, and is any user data encrypted. I would guess (as it's just notifications) that the amount of data going via Apple would be limited. If you click the Reply button shown in the pic above for example, I'm pretty sure subsequent messages would go 'directly' between the iPhone and 3rd party server. Direct (iPhone to 3rd party server) connection was shown in the keynote. Encryption wasn't mentioned by Forstall and I guess we'll just have to wait for a definitive answer to that question.
