Opera Mini MITM attack

Today I was doing some tests with someone's iPhone; I used various browsers to access this website using HTTPS. One of the tests I did was with Opera Mini. What shocked me was that with Opera Mini there were no certificate warnings at all. That's odd, as my certificate is self-signed.

A quick glance at the server logs shows:

    141.0.8.173 - - [08/Jul/2013:21:14:57 +0200] "GET /blah/ HTTP/1.1" 200 7619 "-" "Opera/9.80 (iPhone; Opera Mini/7.0.5/30.3389; U; en) Presto/2.8.119 Version/11.10"

The IP 141.0.8.173 is registered to Opera Software; that is the IP that visited my website, not the IP of the computer-phone.

Opera Mini browser is programmed to use Opera Servers as a proxy for all your web traffic. This is the case for HTTP and HTTPS. With Opera Mini all your web requests are sent to Opera servers which then exchange data with the website you are trying to reach.

This is a MITM attack, or at least it acts exactly like one. All data transmitted between you and the website goes through Opera's servers and is readable by them. Your connection is not encrypted from your computer to the server (though it may be between you and Opera's servers). You also cannot verify the website's certificate, as you never see it. As a bonus, self-signed certificates are considered valid, which means that a further MITM is also possible.
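A site operator can spot these proxied visits in the access log the same way the entry above was spotted. The following is an added example, not part of the original post: it parses combined-format log lines, groups Opera Mini requests by the proxy IP that made them, and lists the ones that touched a sensitive path. The `/login` prefix and every sample line except the first are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Opera Mini announces itself with an "Opera Mini/<version>" token. The User-Agent
# is client-controlled, so treat a match as a hint, not as proof.
OPERA_MINI = re.compile(r'Opera Mini/(?P<version>[\d.]+(?:/[\d.]+)?)')

# First line is the entry quoted in the post; the remaining lines are constructed.
SAMPLE_LOG = """\
141.0.8.173 - - [08/Jul/2013:21:14:57 +0200] "GET /blah/ HTTP/1.1" 200 7619 "-" "Opera/9.80 (iPhone; Opera Mini/7.0.5/30.3389; U; en) Presto/2.8.119 Version/11.10"
192.0.2.10 - - [08/Jul/2013:21:15:02 +0200] "GET /blah/ HTTP/1.1" 200 7619 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 Safari/8536.25"
141.0.8.173 - - [08/Jul/2013:21:16:40 +0200] "POST /login HTTP/1.1" 302 0 "-" "Opera/9.80 (iPhone; Opera Mini/7.0.5/30.3389; U; en) Presto/2.8.119 Version/11.10"
this line is not in combined format
"""

def proxied_requests(log_text):
    """Return {proxy_ip: [(time, request, mini_version), ...]} for Opera Mini hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = COMBINED.match(line)
        if not entry:
            continue  # skip lines that are not in combined format
        mini = OPERA_MINI.search(entry["agent"])
        if mini:
            hits[entry["ip"]].append((entry["time"], entry["request"], mini["version"]))
    return dict(hits)

def sensitive_proxied(log_text, prefixes=("/login",)):
    """List (proxy_ip, time, request) for proxied requests to sensitive paths."""
    found = []
    for ip, requests in proxied_requests(log_text).items():
        for time, request, _version in requests:
            parts = request.split()
            # parts[1] is the request path when the request line is well formed
            if len(parts) >= 2 and parts[1].startswith(tuple(prefixes)):
                found.append((ip, time, request))
    return found

if __name__ == "__main__":
    for ip, requests in proxied_requests(SAMPLE_LOG).items():
        print(ip, "made", len(requests), "Opera Mini request(s)")
    for hit in sensitive_proxied(SAMPLE_LOG):
        print("sensitive path reached through the proxy:", hit)
```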

comments:

Andrew

Nokia did the same thing at one stage, until it got in the news:
http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/

It's interesting that some people I know think that Opera are the "good guys". After reading a post on a mailing list I frequent about whether it's okay to use Opera on GNU/Linux, I decided to read the Opera EULA. Besides all the usual nasty proprietary software stuff, I found some other interesting bits. Users of the software agree that Opera reserves the right to censor and re-route any internet traffic going through their "Turbo" network. Their privacy policy has some objectionable parts to it, such as their Android browser using Google Analytics to track installations.

Nux - http://www.nux.ro

It is known Opera Mobile tunnels traffic through their servers and not only do they tunnel the traffic but also modify it so it's very easy on the bandwidth and rendering capability of the mobile device. This is a feature and to be honest I appreciated it a lot when I used it, it makes a big difference, on 3G but especially on slower links.
If people are bothered with Mini they can use Opera Mobile (or any other browser really).

The irony of it is that I'm currently using a Firefox OS device, which is the most open of the open, but I'm still missing Opera Mini. :)

Also, to play the devil's advocate a bit more, Opera's turbo feature (not in the Mini version, but in the Desktop one) is very popular in certain countries, like the *stans where traffic is heavily monitored and/or restricted and going "out" with a Norwegian IP address can open certain "doors".

It's a trade-off. Actually it's such a popular trade-off that Nokia has enabled a similar feature in their new Nokia Xpress browser installed on devices for emerging markets (eg. the Asha range, or at least Asha 501).

manu - http://manurevah.com

I get the benefits you're talking about, basically it's like using a proxy that manipulates data. The biggest problem is that your SSL is broken. Completely broken. You can never trust Opera Mini for SSL.

Nux - http://www.nux.ro

Manu, I thought we already decided the CA system cannot be trusted anyway.. :)
I do get your point though and it is a valid one.

manu - http://manurevah.com

Haha, indeed the CA system is quite a broken mess. However, it is possible for users to manually verify a certificate (click on the lock, get details, etc).

For example, when I visit this site I use HTTPS, because I know what the certificate looks like, I can verify it is the correct website (without 3rd party verification). I can also verify other sites I frequently use, without relying on the "Authority" aspect.

This also means, because Opera Mini intercepts your connection and manipulates content, you know for a fact that they intercept your private data (in the case of a private access web page).

So when you log in and access a private space and load content, Opera Mini intercepts, copies and manipulates. It's probably illegal.

Nux - http://www.nux.ro

Don't know about the legality of it, but consider whatever information passes through Opera Mini compromised. If it's BBC News or any other public information, it doesn't really matter that much, but I wouldn't check my email with it. :)