CVE-2011-0228 and the Opera Mini UI-Design
Recurity Labs received user reports, confirmed by our own tests, that Opera Mini is affected by the CVE-2011-0228 X.509 certificate validation issue, originally reported for Apple iOS.
Upon filing a bug with Opera Software (ID SKIRNE-136848), we tried to contact them directly. With some external help, we managed to get in contact with security people at Opera and received the following interesting statement:
Thanks for reporting an issue with Opera. While you are correct that Opera Mini does not display a certificate warning about chains with unknown Root certificates, there is, however, a significant difference between what happened in iOS and what happens in Opera Mini. Opera Mini will not indicate that such pages are secure, that is, no padlock or similar indication is displayed for the web site affected by this, giving the same security indications as it would for an unencrypted site, which is the same as would have been displayed if the user manually accepted the certificate. Not showing a dialog was a design decision by the Opera Mini team, due to the transcoder architecture of Opera Mini, and in part the complexity of having the transcoder (proxy) server display a dialog at the device and then obtain the result before continuing. For more about Opera Mini security see http://www.opera.com/mobile/help/faq/#security.
Reviewing the provided FAQ URL, we can learn that Opera Mini will show a padlock (at the top right corner) if the connection to the web site was secured. No padlock is shown for unsecured sites using HTTP.
When testing Opera Mini with https://iSSL.recurity.com, no padlock is shown. However, the URL in the address bar still says https:// with no indication that anything might be wrong with that. Judging from the user feedback we received, it is not clear to users that the absence of the padlock means that the certificate validation failed.
In our emulation environment, we also discovered that on small screen devices,
the padlock might not even be on-screen when loading a site.
Opera could easily display the failed certificate verification using other means
than dialog boxes, e.g. through a red background in the address bar, similar to
Internet Explorer.
Given the current approach, we recommend not using Opera Mini for anything requiring a secure connection to a web site, especially considering that Opera Mini does not provide end-to-end encryption in any case.