[ NNSquad ] Opera admits that "Opera Mini" also does Man in the Middle attack on SSL

NNSquad - Network Neutrality Squad
NNSquad Home Page
NNSquad Mailing List Information

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Opera admits that "Opera Mini" also does Man in the Middle attack on SSL

To: nnsquad@nnsquad.org
Subject: [ NNSquad ] Opera admits that "Opera Mini" also does Man in the Middle attack on SSL
From: Lauren Weinstein <lauren@vortex.com>
Date: Wed, 9 Jan 2013 13:46:20 -0800

Opera admits that "Opera Mini" also does Man in the Middle attack on SSL
http://j.mp/13hLgy4  (This message on Google+)

 - - -

Following up on the issue of phones and browsers that purposely
violate end-to-end SSL security via Man in the Middle attacks, it
should be noted that Opera explicitly admits this regarding Opera
Mini, claiming that "During development we found out that certificates
and implementations of secure sockets/SSL is an area where there is
little standardization, with many bugs and big differences between
different handsets and manufacturers. This is the current state of
J2ME/MIDP, so we found developing our own solution to be the only
viable option."

See their FAQ: http://j.mp/13hKyRz  (Opera)

To be sure, use of SSL MitM proxies was very common years ago, when
better solutions did not widely exist.  But nowadays, I believe it's
reasonable for most people to assume that their SSL connections are
not being pulled into the clear by invisible proxies and creepy
certificates.  If a firm is going to do this on a low end phone, at
the very least there should be a clear click-through warning on
*every* SSL access.

Really, this shouldn't be happening at all.  The fact that the PKI
permits this to occur so easily is no longer acceptable, if it ever
was in any situations.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad

Prev by Date: [ NNSquad ] Nokia accused of Man in the Middle attacks on unencrypted and encrypted Internet traffic
Next by Date: [ NNSquad ] A Chinese Web censor snaps, goes on public rant
Previous by thread: [ NNSquad ] Nokia accused of Man in the Middle attacks on unencrypted and encrypted Internet traffic
Next by thread: [ NNSquad ] A Chinese Web censor snaps, goes on public rant
Index(es):
- Date
- Thread