Thursday, January 01, 2009

Is Opera Mini on your Symbian phone secure?

I tweeted recently about loving the Opera Mini web browser I installed on my Nokia E71 smartphone.

Twitter user, e71nokia, says, 'Beware!'

One of the responses I received came from a Twitter user called 'e71nokia'. The response warns me that Opera Mini is supposedly not secure, and that only the Nokia browser should be used for sensitive information...

I'm deeply suspicious of a Twitter profile that has absolutely NO information about the person. Here's a screenshot of the profile page:

Note that 'e71nokia' is following three people, and is being followed by four. There is NO information about this person. Nada. This leads me to believe that it's just some arbitrary person who may be a Nokia enthusiast. But certainly not an officially sanctioned Nokia spokesperson.

So I decided to check out this claim.

IS Opera Mini on my E71 secure? 

Am I in danger of having my details nabbed by hackers?

Here are my findings.

Using the search string, 'is opera mini secure', I Googled the issue.

Dev.Opera.Com says, 'You can trust Opera Mini to be secure'

The Dev.Opera.Com website, in an article dated 25 October 2007, explicitly states the following:
Note: Security is an important matter, which Opera takes very seriously. The connection between the Opera Mini client and server is always encrypted, whether the original site is HTTP or HTTPS, therefore you can trust Opera Mini to be secure.
Opera Mini Help says, 'Information is encrypted', but only in 'advanced versions of Opera Mini 3.0 and newer versions'.

Let's go next to Opera Mini itself... to the horse's mouth, so to speak.

In the 'Opera Mini Help' section, the FAQ has a section devoted to 'Security'. Here's what it says:
Q: Can I browse securely with Opera Mini?
A: Yes.
Q: Does Opera Mini support encrypted connections?
A: Yes. Information sent between your handset and the Web site is encrypted in the advanced version of Opera Mini 3.0 and newer versions.

In the basic version of Opera Mini 3.0, and in older versions, there is no encryption between your handset and the Opera Mini servers. See a more detailed explanation here.
That proviso is important. If you're NOT running a version of Opera Mini HIGHER THAN 3.0, your browsing is vulnerable to snooping. If you ARE running a later version, your browsing IS secure. Point blank.

Wikipedia says 'the connection [...] is always encrypted', but, Opera Mini 'does not offer true, end-to-end security'.

Finally, in the interests of being safe, I turned to the Wikipedia entry on Opera Mini.

Here's what section 3.2 Privacy and Security has to say:
Privacy and security

When using Opera Mini 4.0 or 3.0 Advanced, the connection between the mobile device and the proxy server is always encrypted for privacy and security. The encryption key is obtained on the first start by requesting that the user press random keys a certain number of times.[45] When using Opera Mini 3.0 Basic, the connection is not encrypted. Opera Mini has received some criticism because it does not offer true, end-to-end security when visiting encrypted sites such as PayPal.com.[46] When visiting an encrypted web page, the Opera Software company's servers decrypt the page, then re-encrypt it themselves, breaking end-to-end security.[47]

I'm certainly no authority on this. So my reading is open to question. As far as I can make out, what this means is that the connection between the information on my E71 and the particular website is ALWAYS intermediated by the Opera Mini servers.

This takes place through an encrypted connection AT ALL TIMES.

The one 'breaking' of security comes not in transit, but within the Opera Mini servers, between Opera Mini and the site in question... BUT this 'break' is merely to do with decrypting the information so that Opera itself can parse it. It remains encrypted to third parties.
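To make the two architectures concrete, here is an added example (not from the original post or from Opera) that models which party can read a login request in each case: the Opera Mini path, where the proxy decrypts, renders and re-encrypts across two separate hops, versus a direct browser session keyed only between handset and site. The cipher, key names and sample request are constructed stand-ins, not Opera's real protocol.

```python
import hashlib
from typing import Dict, List

# Toy keystream cipher standing in for the symmetric encryption on each hop.
# It is NOT real cryptography; it only models "readable with the key, opaque without it".
def hop_cipher(key: bytes, data: bytes) -> bytes:
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def opera_mini_flow(request: bytes, handset_proxy_key: bytes, proxy_site_key: bytes) -> Dict[str, bytes]:
    """Handset -> Opera proxy -> site. The proxy must decrypt to render and compress
    the page, then re-encrypts towards the site: two separate encrypted hops."""
    wire_hop1 = hop_cipher(handset_proxy_key, request)     # handset -> proxy link
    proxy_view = hop_cipher(handset_proxy_key, wire_hop1)   # proxy now holds plaintext
    wire_hop2 = hop_cipher(proxy_site_key, proxy_view)      # proxy -> site, re-encrypted
    site_view = hop_cipher(proxy_site_key, wire_hop2)
    return {"snooper_hop1": wire_hop1, "opera_proxy": proxy_view,
            "snooper_hop2": wire_hop2, "site": site_view}

def direct_flow(request: bytes, session_key: bytes) -> Dict[str, bytes]:
    """Opera Mobile style: one session key shared only by handset and site.
    Any relay in between forwards ciphertext it cannot read."""
    wire = hop_cipher(session_key, request)
    site_view = hop_cipher(session_key, wire)
    return {"relay": wire, "site": site_view}

def who_can_read(views: Dict[str, bytes], secret: bytes) -> List[str]:
    """Names of the parties whose view contains the secret in the clear."""
    return sorted(name for name, data in views.items() if secret in data)

if __name__ == "__main__":
    login = b"POST /login user=roy&pin=1234"   # constructed sample request
    mini = opera_mini_flow(login, b"handset-proxy-key", b"proxy-bank-key")
    direct = direct_flow(login, b"handset-bank-session-key")
    print("Opera Mini, parties seeing the PIN:", who_can_read(mini, b"pin=1234"))
    print("Direct browser, parties seeing the PIN:", who_can_read(direct, b"pin=1234"))
```

Both snoopers on the wire see only ciphertext in either model; the difference is that the Opera proxy appears alongside the site as a reader of the PIN, which is exactly the 'end-to-end' point the Wikipedia quote makes.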

My conclusion: Opera Mini IS safe, even though there are end-to-end security issues.

From my readings, I'm concluding that Opera Mini is indeed safe, and that the end-to-end issues don't render data vulnerable to attack, thanks to Opera Mini's data transfer being 'always encrypted'.

Is Twitter user e71nokia trustworthy?

Coming full circle to Twitter user, 'e71nokia', my guess is that his or her intentions are good. And that they're offering a conservative reading of the 'end-to-end' security 'break'. I'm suspecting that they're saying it's better to be safe than sorry. Which is a great bit of advice. 

However, I STILL don't trust an entity that offers no information about itself. I WANT e71nokia to offer proper details. A site to visit. Credentials. An explanation of why they're on Twitter. It's NOT good enough to have a blank profile doling out potentially harmful advice.

Is my understanding of the issue correct? IS Opera Mini safe for sensitive transactions?

Regarding the security of Opera Mini... Is my understanding correct? Are there any Opera Mini boffs who can offer better clarity? This is a huge issue. If my Opera Mini transactions aren't secure, I need to know that. And I need to know about workarounds. Thoughts?

8 comments:

  1. Hi, Bruce from Opera here. Your understanding is correct, yes. Basically, we have to break the encryption on our end to send the data, but it's re-encrypted again before it's sent to the handset.

    Feel free to email me; my address is brucel [AT] opera [DOT] com
  2. The fact that Opera breaks encryption, even if it is to review the data before passing it along, was enough to persuade me to remove Opera Mini from my E71. I don't want anyone cracking my secure connections. I don't regard Opera Mini as safe enough.
  3. Example would be... You log into internet banking... your details go to Opera, and then to your bank. While Opera will do everything they can to ensure security, they are effectively executing a man in the middle attack, and breaking the chain of trust. As far as liability is concerned, if anything ever did go wrong/if your details were abused, and the bank figured out that it had been via Opera, or that you had used Opera, I would imagine they would have very little sympathy. Would you give your bank card and whisper your PIN into the ear of the bank security guard and ask him to withdraw money? I doubt it. The bank goes to great lengths physically to ensure man in the middle is not possible (e.g. some actions on your account require you to pop your card into the teller's machine, and type your PIN in).

    Even if communications were wrapped in cheese sausage it would not diverge from the fact that you are breaking the chain of trust between your browser and your bank.

    I wouldn't uninstall Opera, but I would (and I do) avoid any 'secure' transactions, or sites where you might consider the information to be sensitive.
  4. Wow! Thanks for the vivid, easy-to-understand explanation of the man in the middle, Brad.

    Is this something that Opera CAN'T solve? Or is there some other problem?

    Blue skies
    Love
    Roy
  5. Not unless they change how they treat HTTPS connections (i.e. make them go straight through), but then you lose out on their HTML processing which makes sites magically work on all devices.
  6. Bruce Lawson here again from Opera.

    It's a symptom of how Opera Mini works. Currently, we render the page on our servers and send you a highly compressed version of it. That way, less data is sent to you so it's cheaper and faster. That also allows us to show pages on phones that have no operating system and which ordinarily wouldn't have the processing power to show web pages (browsers are very sophisticated programs that need lots of CPU).

    The other side of the coin is that, yes, you do have to trust us with your information.

    Whether, to follow Brad's simile, trusting the oldest browser manufacturer on the market is the same as trusting a minimum wage security guard is something for you to determine yourself.

    Note that Barclays bank recommends using Opera Mini: http://www.barclays.mobi/mobile_banking.htm

    Using Opera Mobile is different; it doesn't use a proxy or compression system, so you're interacting straight with the bank.
  7. It doesn't matter if you were the oldest fish in the sea, the only time encrypted communication should break out of encryption is when it reaches the recipient it was intended to reach. If the Opera EULA, however, took on liability for the security of the information it would make it reasonable to trust Opera as a third party.
  8. Brad, you make it sound like we're not open about it; we are: see our FAQ http://www.opera.com/mini/help/faq/#security.

    In Opera Mini, everything is encrypted in transit.

    Whatever browser you use requires you to trust the vendor; if you use browser x on your machine on top of operating system y, you're trusting those vendors not to deliberately steal your information and not to have huge security holes that will allow malicious third parties to steal your information.