No Glove, No Love - Opera: The Online Prophylactic - Making Sweet Love to Secunia


As I mentioned, I had wanted to do a piece on Opera's very conscientious handling of security - on all fronts, especially the way they handle their relationships with security firms. The new (admittedly minor) phishing exploit that just popped up seems as good a catalyst as any.

I was surprised to find, and perhaps even more annoyed that most "news" organisations failed to mention, that Opera has this already fixed in 8.01. Presumably, as I think most of these things go, the various vendors had been informed of this some time ago, but most figured it was too small an issue to be addressed like there's no tomorrow. And obviously Opera was already issuing a security release in the form of 8.01 for 3 other vulnerabilities, so the fact that they plugged the release before it was even publicised could well be seen as coincidence.

That's not how I see it.

Opera takes security seriously. There's hardly been a case where they haven't released an update in prompt anticipation of the security company publishing the exploit. With most other browser vendors, it's normally the other way around, the exploit gets published and then the company/foundation is shamed into fixing it - even though they would have been told about it for some time previous (that's how Opera can time their updates). Everyone should be able to do it as quickly and simply and conscientiously as Opera does - but they don't, and that's one of the many reasons why Opera is a safer browser - it's produced by a good company who takes these things seriously.

And really, it doesn't seem as if the fixes are that difficult, or rather they just shouldn't be. The exploit is simple, all that's involved is that the javascript popup (available on the Secunia proof of concept page) hides the small window that launches the popup - so that you think you're otherwise at google.com. All 8.01 does is ensure that the malicious window is made very evident (did I err? - see edit below). Personally it doesn't seem like the most superb of fixes - but then it's not the most superb of hacks either - and people who fall for it might not know what's happening, unhidden window or otherwise. But those people are just stupid anyway.

Regardless my point is this: Opera manages to maintain a superb relationship with the people whose job it is to find flaws in their software, a relationship you might otherwise think inimical. Opera are not coy about the fact that software (not least their own) is inevitably insecure (though they could do a better job of communicating that). And even when the flaw isn't the most earth-shattering, they make the effort to get the good report card that they so assiduously maintain. As opposed to *ahem* other browsers.

But I wouldn't be me if I didn't also point this out - that Opera's very cordial and productive relationship with Secunia just makes their inability to make things work with the browser stats companies all the more frustrating.

And so remember kiddies, even though Opera is your online prophylactic (I didn't use contraception, since you're not getting anyone pregnant online), it isn't 100%. The only way you can be really safe is to not be online. But no one will keep your browsing safer than Opera will (cue Trojan Man jingle). But as with all condoms, online or off, best to use one that's fresh (ie: update your software/browser).

Opera - not 100%, but at least it won't tear, and it won't make your hands sticky.

Edit: I stand very much corrected (by myself no less). News.com.com.com (and all CNut related appendages) managed to get it right that Opera 8.01 is not vulnerable - though it was naughtily saying that Opera "claimed" this to be the case, whereas it's as plain as day on the Secunia site.

More importantly though, Opera's fix is much more elegant than I realised - they not only maintain the window so it's not blocked by the javascript, but they put the url of the script's page on the popup itself - in this case www.google.com.secunia.com - so if you can spot the classic signs of getting pwned, Opera gives you an extra leg up. How spanky Opera really is. I hadn't noticed it, mainly because I took it for granted - till I saw how the exploit worked in FireBadger.

But despite the Opera spokesperson saying (charitably I'm sure) that people supposedly scramble to fix these things - I don't see much hustle except from Opera (oh, snap/oh no you di'n't).
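The origin label described in the edit above, sketched as an added example (not Opera's code and not part of the original post): it names the host of the page whose script opened the dialog and flags a host such as www.google.com.secunia.com, where a trusted name is only a leading label of someone else's domain. The function names, the label wording, the short suffix set and the full URLs are assumptions made for illustration.

```javascript
// Added illustration; not Opera's implementation.
// Constructed, deliberately tiny suffix set. Real code would load the full Public Suffix List.
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain = public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Scanning left to right finds the longest matching suffix first.
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: make no claim
}

// Text for a script dialog: name the host of the page whose script opened it.
// The wording is hypothetical; the page only says the URL is shown on the popup.
function dialogLabel(scriptPageUrl) {
  return `Script dialog from: ${new URL(scriptPageUrl).hostname}`;
}

// Report when a hostname carries a trusted site's domain as leading labels
// while actually belonging to a different registrable domain.
function embedsTrustedName(hostname, trustedDomains) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const owner = registrableDomain(host);
  for (const trusted of trustedDomains) {
    if (owner === trusted) continue; // genuinely the trusted site
    if (host.startsWith(trusted + ".") || host.includes("." + trusted + ".")) {
      return { owner, trusted };
    }
  }
  return null;
}

// Hostname quoted in the post (URL form constructed), plus the genuine site for comparison.
const TRUSTED = ["google.com"];
for (const url of ["http://www.google.com.secunia.com/", "http://www.google.com/"]) {
  const host = new URL(url).hostname;
  const hit = embedsTrustedName(host, TRUSTED);
  console.log(dialogLabel(url), hit ? `(belongs to ${hit.owner}, not ${hit.trusted})` : "(ok)");
}
```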



2 Comments

It's interesting you bring up this point.

Earlier today I spoke with a reporter from the Inquirer who told me he'll be writing about this tomorrow.

I don't think you should be calling them names; from what I know the politically correct term they prefer is "hack", or perhaps "GeeCee" :). I'm sure they'd find the term "reporter" rather a bit quaint, in the context.

Hopefully whoever it is uses (at least the fun parts of) my headline. Though I suppose Inq-dotted isn't quite the same :P (not that I'm saying they'd be linking to me, blah blah).

Knowing them, I wouldn't put it past them if they made hay out of how cosy the relationship between Secunia and Opera appears to be.


About this Entry

This page contains a single entry by subtitles published on June 22, 2005 2:25 PM.
