Opera Unite security considerations

Posted on 2009/06/16

0


Opera Unite is a new concept that will let you add to your Opera Internet browser some web services that you provide to other Internet users. It means that your personal computer will become a small server.

Opera Unite front page says: “Take control of what you share online”, but it forgets to add “Just let us take control of your PC”. Opera United is closed source. Open source software lets anyone know everything about the program, so if you run an Apache web server you can peek at the source code and see how it implements, for example, the fact that Internet user can only see the files that you want them to see. This is not the case of closed source software like Opera United: you just need to trust Opera that the software does what they tell you it does. The average user, the one who wants to share his photos and his thoughts to anyone, and the one who wants to share his secret project to a couple of friends, will maybe install Opera and use it to open a door on the Internet. This is risky and I don’t think it is stressed well enough by Operaand even Opera spokesmen warned to “be a bit cautious”. It’s like leaving your baby with a nanny that comes from a respectable baby-care agency, you can give her orders on what to do with your baby, but you are not allowed to be present when she’s with the baby, you just need to trust her and the agency. Would you do that? I will accept the nanny only if she allows me to watch anytime what she is doing.

Opera Unite could be the best nanny available. I think that the idea to move my personal data from remote servers to my home is great, but it is a great idea because I can really take control on who accesses my files. This is not what is going to happen if I install a closed source program to do that: I’m entrusting Opera with my files. I can decide to do it or not to do it, but it’s a tough choice, and personally I will not do it.

Moreover, I will never recommend Opera Unite to a friend, simply because I don’t know what I am recommending, and if anything bad happens to my friend’s data, it will become my fault. Clearly it won’t be Opera’s fault, since the license explicitly states:

IN NO EVENT SHALL OPERA SOFTWARE ASA OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OR FOR ANY DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, PERSONAL INJURY, LOSS OF DATA, LOSS OF PRIVACY OR OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF USE OR INABILITY TO USE THE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If Opera Unite goes open source, I will gladly consider it and if it fits my needs I will use it everyday and recommend it.

Aside from this, an issue that I found the first time I opened Opera Unite:

The “Access Control” feature lets you choose a single password for the friends you want to share your files with. There is the possibility to input the password in clear text in the address URL. This has many security implications:

  • The password is sent in clear text on the Internet.
  • Any proxy between a user and your service can easily snoop the password.
  • The password stays in clear text in the history of the user’s browser.
  • The password is in clear text when the user types it.
  • If you use a URL shortener on it, then your secret URL will be present in the shortener site database.

With this in mind, the “Access Control” should not be considered a security feature, but merely a “soft lock” that prevents accidental access to your files and protects you from some robots, but it does not protect well against intentional intrusions.

I’m not saying that no one should use Opera Unite. I’m saying that anyone should be informed of the risks and of the fact that you entrust Opera of your private files and by installing Opera Unite you are hoping that there are no flaws that could compromise the privacy of your PC.

[EDIT] There was already an article explaining the security issue of having a distributed password on the URL: http://news.cnet.com/8301-17939_109-10265397-2.html

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

Posted in: Security