Opera and security disclosure
Tuesday, 24. July 2007, 14:15:02
Note: this post is expressing personal opinion. The official policy is here.
The five wishes for Opera meme is still going strong and Asa chimes in with some criticism. Some good feedback, I do in particular share the request for automatic updates.
However, I noticed that Asa is speculating on whether we have changed our security issue disclosure policy. I guess the advisories without credits that he noticed are this on data: URLs and this on HTTP authentication dialogs. They are not credited because vendors don't usually credit researchers who disclose issues before an agreed date.
So Asa, there is no need for speculation - Opera's policy on security issues is clearly spelled out, and it hasn't changed. Regarding your specific question about disclosing issues found internally, we do believe in responsible disclosure of real security issues, and you'll notice the policy says:
If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued.
So, there you go. This clearly translates to: no, we do not disclose all issues we find internally, only those we think it is appropriate to disclose. There is no need for guesswork, that's the policy.
And this policy is IMO justified and well considered: Whether or not to disclose issues we discover internally is a complex question.
Asa is rightly proud of Firefox's automatic update feature, but he probably forgets that Opera runs on a large number of platforms and devices where automatic updates are impossible. If Opera runs on a mobile phone where the user pays data charges, regularly fetching some megabytes of software behind the user's back just isn't doable. (That doesn't mean we should not do it for desktop, but it does mean we'll always have a long tail of users with outdated versions.)
This means full disclosure might expose a lot of users on various platforms to risks.
Yes, this is security through obscurity. When a target group is small, I think it makes a lot of sense: penetrating the obscurity isn't going to be worth it for hackers. Do you think some hacker really will travel to Japan, buy a specific handset from a specific network and vendor and start testing it for exploitable security issues to exploit the users that a) have this handset, b) actually browse the web on it and c) happen to go to an infected website?
In the comments, Asa has some other arguments for a disclosure policy:
It would be good for the browser industry as a whole, allowing other vendors to share the work Opera did and address similar issues in their own products
Yes, it would. This is IMO Asa's best argument for full disclosure. Nevertheless, if I find an issue with Opera I usually test it in a few other browsers too, for comparison, and any issues in other browsers we find internally are reported to the respective vendors. As a very recent example I can mention a security issue with version 7 of the Flash plugin for Linux/Solaris that was reported to Opera by Mark Hills, one of our users. While developing test cases internally we noticed that Konqueror had the same problems and contacted them about it, and helped Adobe eventually publish a Flash player upgrade that addressed the problem. I believe we're being good citizens within the given restrictions.
would give users confidence that Opera is actually finding and fixing more than just those bugs they're forced to fix because third parties threaten public disclosure if they don't
Sorry, not at the cost of putting other users at risk. Updates with security fixes should always be labelled as such, but beyond that I'm afraid users will have to take our word for it.