Opera and security disclosure

Note: this post is expressing personal opinion. The official policy is here.

The five wishes for Opera meme is still going strong and Asa chimes in with some criticism. There is some good feedback; in particular, I share the request for automatic updates.

However, I noticed that Asa is speculating on whether we have changed our security issue disclosure policy. I guess the advisories without credits that he noticed are this on data: URLs and this on HTTP authenticate dialogs. They are not credited because vendors don't usually credit researchers who disclose issues before an agreed date.

So Asa, there is no need for speculation – Opera's policy on security issues is clearly spelled out, and it hasn't changed. Regarding your specific question about disclosing issues found internally, we do believe in responsible disclosure of real security issues and you'll notice the policy says:

If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued.

So, there you go. This clearly translates to: no, we do not disclose all issues we find internally, only those we think it is appropriate to disclose. There is no need for guesswork, that's the policy.

And this policy is IMO justified and well considered: Whether or not to disclose issues we discover internally is a complex question.

Asa is rightly proud of Firefox's automatic update feature, but he probably forgets that Opera runs on a large number of platforms and devices where automatic updates are impossible. If Opera runs on a mobile phone where the user pays data charges, regularly fetching some megabytes of software behind the user's back just isn't doable. (Doesn't mean we should not do it for desktop, but it does mean we'll always have a long tail of users with outdated versions.)

This means full disclosure might expose a lot of users on various platforms to risks.

Yes, this is security through obscurity. When a target group is small, I think it makes a lot of sense: penetrating the obscurity isn't going to be worth it for hackers. Do you think some hacker really will travel to Japan, buy a specific handset from a specific network and vendor and start testing it for exploitable security issues to exploit the users that a) have this handset, b) actually browse the web on it and c) happen to go to an infected website?

In the comments, Asa has some other arguments for a disclosure policy:

It would be good for the browser industry as a whole, allowing other vendors to share the work Opera did and address similar issues in their own products

Yes, it would. This is IMO Asa's best argument for full disclosure. Nevertheless, if I find an issue with Opera I usually test it in a few other browsers too, for comparison, and any issues in other browsers we find internally are reported to the respective vendors. As a very recent example I can mention a security issue with version 7 of the Flash plugin for Linux/Solaris that was reported to Opera by Mark Hills, one of our users. While developing test cases internally we noticed that Konqueror had the same problems and contacted them about it, and helped Adobe eventually publish a Flash player upgrade that addressed the problem. I believe we're being good citizens within the given restrictions.

would give users confidence that Opera is actually finding and fixing more than just those bugs they're forced to fix because third parties threaten public disclosure if they don't

Sorry, not at the cost of putting other users at risk. Updates with security fixes should always be labelled as such, but beyond that I'm afraid users will have to take our word for it.

10 thoughts on “Opera and security disclosure”

  1. Thanks for the follow-up on disclosure. I'm a tad bummed out that I was wrong about those few bugs and it makes sense to me that you wouldn't want to give credit to someone that 0day'd you. I had my hopes up. It's now clear to me that you all have basically the same policy as Microsoft and Apple: "What users don't know won't hurt them." I first want to point out that this is already a failed strategy. See http://www.securityfocus.com/news/11235 for how easy it was, even two years ago, to find specific fixed flaws with simple tools like BinDiff and IDA Pro. The only people that are actually being kept in the dark about your fixes are the good guys and your users. Now, to address a few of your specific points. As you note, the official policy says,

     "If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued."

     When, exactly, is it appropriate to mention a security fix in the changelog? When a third party has the leverage to force disclosure? I've read over most of the changelogs and I don't see any mentions where this wasn't the most likely case. What are the actual criteria here, and how do the criteria further the security concerns of your users?

     "Opera runs on a large number of platforms and devices where automatic updates are impossible."

     That's unfortunate. So if you didn't have this longtail, you'd disclose more? The Opera desktop users are paying the price for Opera's further expansion into mobile? Given the point above about binary diffing, how does opacity help mobile users? And given your own suggestion that hackers wouldn't go through the trouble of chasing mobile users, why not take better care of the desktop users with a disclosure policy and more serious security participation with other vendors like Mozilla?

     "any issues in other browsers we find internally are reported to the respective vendors."

     That sounds great if you don't think about it very long. I wonder, though, if your team is actually going to spend the resources to look for variations on a flaw that might impact other browsers and not Opera's. If you disclosed the flaw, we could do that. Would your team test all currently supported versions of other major browser vendors' applications? If you disclosed the flaw, we could do that. I've been watching our security process for about 9 years now and I can say with some confidence that bugs often manifest quite differently across different operating systems, much less different products. And security bugs are often just one of several variations on a theme. Are Opera developers and QA actually going to develop and test variations that don't impact Opera just to test in other browsers? If you disclosed the flaw, we could do that. You all may turn over the occasional exploit to others, and that's better than nothing. And so, yes, maybe "within the given (self-imposed) restrictions" you all are being good citizens. But the industry as a whole could move much faster to securing all of our users against the bad guys if Opera, Apple, and Microsoft would become much better citizens. Opera could help lead the way here in the same way that Opera is helping to lead the way in web standards by joining with Mozilla and Safari on HTML5. But it's actually not just the exploits I'd like shared. What about tools? What about best practices? What about security features? The web is suffering, and while at least some vendors are working hard to make it better for their users, collective action around security would be a lot more effective. Why isn't there a working group on security, where we all take off our vendor hats and actually figure out how to make the web a safer place. We're doing it for web standards with efforts like the WHATWG? Mozilla's basically already on board with our security process and open source policies. Disclosure of all fixed vulnerabilities would be a great first step, especially if we could get all of the browser vendors on board. But the real strides would come with serious cooperation. What's stopping this? – A

  2. Rijk, I'm actually talking about something more, and different. (And, btw, Window was hired for a lot more than spokespersonship.) Is your view of security really so narrow that it only includes user features and trust decisions? Or are you just jumping in to point out that Opera participates with others in one of the many areas?

     I'm talking about sharing bug reports. I'm talking about sharing tools. I'm talking about sharing avenues of investigation. I'm talking about sharing threat modeling. I'm talking about sharing code (where applicable.)

     Most importantly, though, I'm talking about sharing what we've all learned from patching exploits over the last decade. Sure, user interaction with security/privacy/identity features is a great place to work together and any cooperation there is great. That was _one_ area that I mentioned, almost casually, out of many areas. Where Opera is not participating, as far as I can tell, and where Mozilla is, I'm quite certain, is in sharing code, sharing designs, sharing flaws, sharing flaw analysis, building and sharing critical security tools, and more and more sharing best practices and policies for developing and maintaining secure code. You've come into this discussion late, so I understand how you could have missed the central point (and failed to follow links back through what's been an ongoing discussion) about disclosing fixed security flaws. Next time, with a little more context, you might not be so quick to the snark. - A

  3. I did read the context, and I still felt the need to be snarky (even though it was fact-based.) Your remarks can usually elicit snarky responses, but I mostly manage to control myself 🙂

  4. Hi Asa, thanks for responding – I think we can have quite a constructive discussion on how collaboration on security can improve, particularly if you don't let your marketing gene take over :-p If this becomes a spin competition, I'm not in.. and I think you're getting close at times. For example, our users are not "kept in the dark" when upgrades are correctly flagged as containing security fixes, I didn't say "hackers won't chase mobile" but merely pointed out that there is a trade-off and diminishing returns on effort for hackers too (so if obscurity can help raise the bar it is pragmatically a good thing), and collaboration on security is already happening and not being "stopped" merely because we don't have a full disclosure policy. I also want to see Opera move towards more openness and sharing and collaboration but completely dismissing the work that is already taking place is not going to get us any closer to that.

  5. Rijk. OK. So you're saying my snark elicits snark? I can believe it. :)

     BTW, in case any of you haven't read it elsewhere, I've been an Opera user (not exclusive, though) since Opera 3 when I had a big fat Opera banner up on my homepage. Though it may not always come across in my commenting, I am a fan, I'm rooting for Opera to improve, and I really would like to see Opera moving towards a more transparent and participatory security process (along with the other 4 suggestions I made in this meme started by Daniel — and all of the other suggestions I've made going back through the years.) - A
