Opera and Trusting Applications vs Trusting Servers

The Opera-Mini Dispute

I have just read an interesting article about the Opera browser [1]. The article is very critical of Opera-Mini on the iPhone for many reasons – most of which don’t interest me greatly. There are lots of technical trade-offs that you can make when designing an application for a constrained environment (EG a phone with low resolution and low bandwidth).

What does interest me is the criticism of the Opera Mini browser for proxying all Internet access (including HTTPS) through their own servers, this has been getting some traction around the Internet. Now it is obvious that if you have one server sitting on the net that proxies connections to lots of banks then there will be potential for abuse. What apparently isn’t obvious to as many people is the fact that you have to trust the application.

Causes of Software Security Problems

When people think about computer security they usually think about worms and viruses that exploit existing bugs in software and about Trojan horse software that the user has to be tricked into running. These are both significant problems.

But another problem is that of malicious software releases. I think that this is significantly different from Trojan horses because instead of having an application which was written for the sole purpose of tricking people (as is most similar to Greek history) you have an application that was written by many people who genuinely want to make a good product but you have a single person or small group that hijacks it.

Rumor has it that rates well in excess of $10,000 are sometimes paid for previously unknown security vulnerabilities in widely used software. It seems likely that a programmer who was in a desperate financial situation could bolster their salary by deliberately putting bugs in software and then selling the exploits, this would not be a trivial task (making such bugs appear to be genuine mistakes would take some skill) – but there are lots of people who could do it and plausibly deny any accusation other than carelessness. There have been many examples of gambling addicts who have done more foolish things to fund their habit.

I don’t think it’s plausible to believe that every security flaw which has been discovered in widely used software was there purely as the result of a mistake. Given the huge number of programmers who have the skill needed to deliberately introduce a security flaw into the source of a program and conceal it from their colleagues I think it’s quite likely that someone has done so and attempted to profit from it.

Note that even if it could be proven that it was impossible to profit from creating a security flaw in a program that would not be sufficient to prove that it never happened. There is plenty of evidence of people committing crimes in the mistaken belief that it would be profitable for them.

Should We Trust a Proprietary Application or an Internet Server?

I agree with the people who don’t like the Opera proxy idea, I would rather run a web browser on my phone that directly accesses the Internet. But I don’t think that the web browser that is built in to my current smart-phone is particularly secure. It seems usual for a PC to need a security update for the base OS or the web browser at least once a year while mobile phones have a standard service life of two years without any updates. I suspect that there is a lot of flawed code running on smart phones that never get updated.

It seems to me that the risks with Opera are the single point of failure of the proxy server in addition to the issues of code quality while the risks with the browser that is on my smart-phone is just the quality of the code. I suspect that Opera may do a better job of updating their software to fix security issues so this may mitigate the risk from using their proxy.

At the moment China is producing a significant portion of the world’s smart-phones. Some brands like LG are designed and manufactured in China, others are manufactured in China for marketing/engineering companies based in Europe and the US. A casual browse of information regarding Falun Gong makes the character of the Chinese leadership quite clear [2], I think that everything that comes out of China should be considered to be less trustworthy than equivalent products from Europe and the US. So I think that anyone who owns a Chinese mobile phone and rails against the Opera Mini hasn’t considered the issue enough.

I don’t think it’s possible to prove that an Opera Mini with it’s proxy is more or less of a risk than a Chinese smart-phone. I’m quite happy with my LG Viewty [3] – but I wouldn’t use it for Internet banking or checking my main email account.

Also we have to keep in mind that mobile phones are really owned by telephone companies. You might pay for your phone or even get it “unlocked” so you can run it on a different network, but you won’t get the custom menus of your telco removed. Most phones are designed to meet the needs of telcos not users and I doubt that secure Internet banking is a priority for a telco.

Update: You can buy unlocked mobile phones. But AFAIK the Android is the only phone which might be described as not being designed for the needs of the telcos over the needs of the users. So while you can get a phone without custom menus for a telco, you probably can’t get a phone that was specifically designed for what you want to do.

The Scope of the Problem

Mobile phones are not the extent of the problem, I think that anyone who buys a PC from a Chinese manufacturer and doesn’t immediately wipe the hard drive and do a fresh OS install is taking an unreasonable risk. The same thing goes for anyone who buys a PC from a store where it’s handled by low wage employees, I can imagine someone on a minimum income accepting a cash payment to run some special software on every PC before it goes out the door – that wouldn’t be any more difficult or risky than the employees who copy customer credit card numbers (a reasonably common crime).

It’s also quite conceivable that any major commercial software company could have a rogue employee who is deliberately introducing bugs into it’s software. That includes Apple. If the iPhone OS was compromised before it shipped then the issue of browser security wouldn’t matter much.

I agree that having the minimum possible number of potential security weak points is a good idea. They should allow Opera Mini users to select that HTTPS traffic should not be proxied. But I don’t think that merely not using a proxy would create a safe platform for Internet banking. In terms of mobile phones most things are done in the wrong way to try and get more money out of the users. Choose whichever phone or browser you want and it will probably still be a huge security risk.

Harald Welte is doing some really good work on developing free software for running a GSM network [4]. But until that project gets to the stage of being widely usable I think that we just have to accept a certain level of security risk when using mobile phones.

12 comments to Opera and Trusting Applications vs Trusting Servers

  • Uhm, not sure down under, but in Europe you *can* get phones without the Telco’s menus (for instance, I recently got a Motorola Milestone in the shop, no-brand, no-lock, quite expensive though). Similarly, Nokia (that is an European brand after all) while providing telco “branded phones” also sells non-branded ones, and the only difference between them and those branded is, well, a serial code of the model, and the firmware. Most of telco agents in Italy suggest unbranding their phones (which is different from unlocking).

    Just saying ;)

  • etbe

    Diego: How much did the phone cost? I should have thought of Mobicity before, they sell unlocked phones that are free of carrier software – but they aren’t particularly cheap. I’ve updated this post, while you are correct on the specific details regarding telco menus I still believe that my general point about phones not being designed for security holds.

  • I bought a Nokia N900 from Amazon in the US, not cheap but easily the best phone I’ve had so far (including Android on my OpenMoko Neo). Of course there is the USB Port of Death issue that some have, but given I already had it there wasn’t much I could do there.. :-(

  • The Milestone costed me €500 (plus insurance), the previous one, a Nokia E75 that had a bad accident (and IMHO, a too fragile design) was received through the telco for €150, and un-branded quite easily (there’s an application – Windows-only though – that changes the serial code to the generic one, then you just have to ask for a firmware update; goes the other way as well, as it can be re-flashed with the original telco firmware as needed).

    I didn’t try to undermine your general point though, the whole situation is indeed quite gruesome as almost all of them are still vastly black boxes, including the newly opened Symbian. Harald’s work is something I’m looking at, hopeful.

    By the way, LG (which is South Korean) ships the most telco-oriented phones I have ever seen. I have one of theirs here, very cheap, for H3G; you could probably call it Telcoservice (opposed to fanservice)… you cannot go worse than that, so maybe it’s not as obnoxious as you expect, at least around here ;)

  • Thanks Russell, another interesting item. And about the third “urgh why do they do that” moment with proprietary software this week for me.

    Server security is potentially a bigger issue because it is ongoing. The app can’t be weakened after release, except by upgrades, where as the servers could be compromised at any time, so it is may not be too irrational to be more concerned about the servers.

    But this points to the bigger “security” issue with the servers – what happens when Opera goes bust? Do those mobiles lose their “thin” browsers?

    I suspect a mandatory proxy between client and server is good for day to day security. Although I don’t like the idea for SSL. But I think we need to wean folks away from disposable mobile phones, and lock-in technologies.

  • Gregory Wild-Smith

    Umm, I say this with all due respect – because I think you have a point in there (that every bit of software is subject to a level of trust) – but have you actually used a modern cell phone in the last… 5 or so years?

    my Sony Ericsson s700 – hardly a high end smart phone in 2005 – was able to be used without Telco menus. I just installed the base software from the manufacturer (a quick download, and painless – all I needed was a data cable, the installer software did the rest).

    Likewise the Nokia I had after that, and the other Sony Erricson I had before.

    Now I have an iPhone and it’s hardly a static device, neither were my friends Treo’s several years ago, or RIM’s blackberry’s since.. well since I’ve ever seen one.

    Almost all smart phones – and many other phones – have been able (if not forced) to be updated. ALL phones can be unlocked, and most major manufacturers will let you update the software on them to the factory standard.

    All this is beside the point however – because the problem is in having a giant man-in-the-middle target server than is also a 3rd party proxy, storing who-knows-what. Will Opera abuse that server? I highly doubt it, but can they stop determined people from doing so? I also highly doubt it.

    But the real question is – why take the risk?

    Yes you must trust software, but why should I trust one brand MORE than another? The answer is: I don’t need to. Any product that requires more RISK (and so more trust) than an equal competitor is one that is fundamentally not as attractive.

    THAT is why there is a fuss.

  • etbe

    Simon: While an application can’t be weakened, new attacks can be discovered against libraries or algorithms that are used.

    Good point about Opera going bankrupt.

    Regarding proxies for security, there are some products that do such things. I wonder whether Opera is doing any such things, they could, but presumably they would have announced it if they did.

    Gregory: I’m using a phone that’s just under 2 years old right now. I know that there are a variety of services that charge moderate amounts of money to unlock phones. I haven’t tried them because during the contract period I don’t want to risk doing something that had the potential to cause expensive problems and after the contract period the phone wasn’t worth enough to justify the expense. I can buy a new Viewty now for $150, when my current one comes out of contract I might be able to buy one for less than $100 – which would be better than paying $40 to unlock and old scratched phone.

    I agree that Opera’s proxy is a giant MITM attack vector. But then I’ve worked for ISPs that had arrays of transparent web proxies for non-https traffic that could have been good for MITM attacks – and the customers of those ISPs didn’t know about them…

    For all I know my Telco could be proxying all the http traffic that originates from my mobile phone or 3G network device. When they assign me an IP address in the range I know that they are at least doing NAT.

  • etbe

    Gregory: One final thing that occurred to me is that I should have discussed the issue of who is to use the Opera installation in question.

    If it is to be used by someone like you or I then they could decide not to take any excess risks and use it for things that don’t matter much while another (slower) browser could be used for online banking, credit card purchases, etc. If it is to be used by a typical user (who in my experience can’t tell you which browser they were using when they file a bug report) then this is more of a problem.

    The same thing applies to phones. If I had a real need to update a phone then I know I could get it done, but my parents couldn’t even apply to a telco to have a phone unlocked at the end of it’s contract without my assistance.

    Then there’s the issue of application design. The programmers at LG and other phone companies are spending time on menu systems that the owner can’t bypass (without a base firmware update) instead of spending time on improving the security of the device.

    The discussion of this started with a blog post on the topic of whether Apple would approve Opera. I’m sure that whether people like you or I can use Opera properly isn’t an issue that Apple cares much about, it’s the millions of people who don’t even know which web browser they are using.

    It is handy to know that you can download software to re-flash phones. I may check that out some time when I have spare time and a phone that’s old enough that I don’t care much if I brick it.

  • > But then I’ve worked for ISPs that had arrays of transparent web proxies for non-https traffic that could have been good for MITM attacks – and the customers of those ISPs didn’t know about them…

    Speaking as a customer of an ISP who does this (at work), have to say that sometimes you suddenly become aware of them.

    But as I suggested I’d be less concerned that someone bad might do something to them, but that they might disappear for other reasons. I mentioned bankruptcy, but administrator cock-up is probably just as likely. Indeed you only need a key site, like urm Google, to start using a feature the proxy doesn’t support, or doesn’t support well, and lots of people will be inconvenienced.

    I think part of the issue is we don’t yet have in place ways off assessing cost of mass inconvenience. I saw a study recently pondering how long a traffic jam needs to be before you are stopping someone on a life saving mission – what with Ambulance going to car accidents and such like apparently it isn’t that long. I wonder what the “cost” of stopping a browser working on a million cell phones is?

  • etbe

    Simon: Good point. I think that Google however has a reasonable record of not breaking things. If we look at web compatibility issues it doesn’t seem to be major site vs major browser but slightly less popular site vs a browser that is not particularly popular or disliked by the people who run the site. But I guess that this is actually a worse problem, if Google broke Opera then not long after the first headline news article in the IT press at least one of Google or Opera would make changes – maybe both would. The fact that a little web store that sells a niche item you desire won’t accept your credit card when you use your favorite browser is something that you can expect to happen fairly often with no news reports and a low probability of a fix.

    Regarding the cost of inconvenience, I expect that there are significant corporate interests that oppose measuring such things. Imagine if all the inconveniences of DRM, toll roads, and other anti-features were assigned costs. It would probably inspire legislative changes…

  • Daniel

    Your statement about Android may be partially correct. The Nokia n900, which I own, may also fit the bill of “designed for the user.” I am not knowledgeable enough to conclusively state “it is so” but submit it for your review.