Astrum, on 02 January 2012 - 22:27, said:
Safary on Ipod has the same issue, but Opera uses aparently a built-in transparent proxy (as I never set it up), and it works fine. Thanks anyway.
My ISP would not know how to spell careerbuilder.com
.
That's something I'm also trying to understand. I haven't seen any explanation on that yet. What's your source?
Good, good. Anand K. in Detroit, Michigan discovered something worrisome about Opera's Mini Browser. Mini Me. I use it. He says: I use a Blackberry Curve and dislike the default browser that comes with it, so I downloaded Opera Mini. I have, too. Got it right here on my Curve.
Steve: Keep listening, Leo.
Leo: Tried to run it. It won't connect to the Internet. So I had to do some debugging what was going on before I could get it to work. In this process I realized that Opera Mini actually talks to a transcoder server, which I assume is like a proxy to get its data. All requests go to this transcoder server. After searching for documentation on this behavior, I found that it's documented on the Opera Help site.
Steve: And we've got the URL also in the show notes.
Leo: OperaMini.com. In a nutshell, the mandatory use of this transcoder server makes it impossible to provide end-to-end SSL security for client connections. Oh.
Steve: Uh-huh.
Leo: So all of my cookies, userIDs, passwords, and other sensitive information I had so far assumed was secure going over SSL was actually going through this proxy server and getting decrypted there. Even though it's documented, I'm not convinced a browser should do this. I'm not, either. Hmm. Opera's site explains why they need to do this at the URL I referenced above. But I'm not convinced. They should have left the SSL connection alone, direct, with end-to-end security, and used this optimization for plaintext connections. Secondly, there's no indication given by the software for the user to know clearly that this is what's happening behind the scenes. Is this reasonable in your book? Thoughts on if/how they could have done it differently. Wow.
Steve: Well, this is a perfect example of something we have touched on many times in the last two and a half years, and that is the idea of a proxy server that is terminating the SSL connections itself. That is, essentially decrypting connections that you thought were encrypted in order to have access to the nonencrypted data that is inside the SSL tunnel. Now, the reason they're doing this is that this server that the Opera Mini browser connects to is really doing a lot of good work for the user. It is rewriting pages, web pages on the fly, rewriting JavaScript on the fly, essentially turning web pages that were never designed to be seen on a very small screen on a very lightweight and lower powered browser, making them work.
And so if they didn't do that, that is, if they did pass SSL through end to end, first of all, your browser, that is, that you're holding in your hand, running on presumably a lower power chip, it would need to be able to do SSL, which is a little compute intensive, although I would argue these days that could be handled easily enough. And they would then no longer be able to perform this filtering which apparently the Opera Mini Browser depends upon. On their security page where they address this, they're not quite as upfront as I wish they were. I mean, Anand K., who's a Security Now! listener, he's obviously astute enough to sort of read between the lines.
Leo: I know. I didn't. I didn't know, and I've been using this.
Steve: Yeah, you have to read between the lines to get what it is they're doing.
Leo: I'm mad.
Steve: And, yes, I know, I mean, this is not good for it to be less clear for people. Apparently they're providing some sort of tunnel encryption of their own, not SSL. But that, you know, so your data is protected itself going to them. But then it's completely open. I mean, it's as though you're trusting the Opera Mini server, proxy server. Everything you do, your passwords, your secure login, I mean, literally your username and login that you thought was over SSL...
Leo: Unbelievable.
Steve: ...is unencrypted. And finally, at the end of this FAQ page, someone asks the hypothetical question, well, what if I don't like that? And their answer is, well, then, you can't use Opera Mini. Go use, you know, the regular Opera non-mini browser, sorry. And so, I mean, I don't really have an opinion one way or the other, although I don't think I'm going to use it.
Leo: I just deleted it. I'm kind of stunned.
Steve: So that's annoying. And I really thank Anand for the...
Leo: Yeah. I would not have known. I'm looking at their website right now. It doesn't say that it's doing that.
Steve: No. I mean, again, in their FAQ it says, is there any end-to-end security between my handset and, for example, PayPal.com or my bank? Okay, first word, no.
Leo: First word, bye.
Steve: If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile. Opera Mini users a transcoder server, as they call it, to translate HTML, CSS, JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation the Opera Mini server needs to have access to the unencrypted version of the web page. Therefore, no end-to-end encryption between the client and the remote web server is possible.
Leo: You know, I understand why they're doing that. But they really should say - that should be very clear on the front page. Wow. I haven't used it much, so I feel all right. But...
Steve: For what it's worth, I mean, they say - another of their made-up questions. Can Opera software, Opera Software Company, see my passwords and credit card numbers in cleartext? What is the encryption good for, then? The answer, the encryption is introduced to protect the communication from any third party between the client, the browser on your handset, and the Opera Mini transcoder server, meaning - so they're talking about the encryption between your handset and Opera's server. If you do not trust Opera software, make sure - and I'll say, and everyone who works for Opera software - make sure you do not use our application to enter any kind of sensitive information. It's like, okay. As you said, Leo, bye bye.
0
