Opera Mini MITM attack

Today I was doing some tests with someone's iPhone, I used various browsers to access this website using HTTPS. One of the tests I did was with Opera Mini. What shocked me was that with Opera Mini there were no certificate warnings at all. That's odd as my certificate is self signed.

A quick glance at the server logs shows: 141.0.8.173 - - [08/Jul/2013:21:14:57 +0200] "GET /blah/ HTTP/1.1" 200 7619 "-" "Opera/9.80 (iPhone; Opera Mini/7.0.5/30.3389; U; en) Presto/2.8.119 Version/11.10" The IP 141.0.8.173 is registered to Opera Software, that is the IP that visited my website, not the IP of the computer-phone.

Opera Mini browser is programmed to use Opera Servers as a proxy for all your web traffic. This is the case for HTTP and HTTPS. With Opera Mini all your web requests are sent to Opera servers which then exchange data with the website you are trying to reach.

This is a MITM attack, or at least it acts exactly like one. All data transmitted between you and the website goes through Opera's servers and is readable to them. Your connection is not encrypted from your computer to the server (though it may be between you and Opera servers). You also cannot verify the website's certificate as you never see it. As a bonus, self signed certificates are considered valid, which means that a further MITM is also possible.