Security @ Opera

[Note: This is a updated version of the Opera Labs article from 2006]

A large number of people are looking for security problems and vulnerabilities in Opera and other applications. Some people do not like this, but we think it is fine. When done responsibly, this can increase security for the application and is thus of great benefit to users. However, when done irresponsibly, the activity can cause needless alarm, wasting the time of application vendors and end users.

An example of irresponsibility is how they report and classify the issues they find, and how the issues are communicated to the application vendor.

The primary problems we see with some of the reporting is that:

• Many reports are about problems that may be bugs, even significant stability issues, but they are not really security issues.
  
• Some reports exaggerate the severity of the problem.
  
• Some reporters do not give us an opportunity to check the problem, verify that it is indeed a security issue, and release a patched version before they publish their findings.
  

The terms "security issue" and "vulnerability" cover a large number of serious problems within an application.

Security real issues list:

• A real issue makes the application reveal the user's protected information, such as file system information, user name, passwords, etc., without authorization.
  
• A real issue makes the application mislead the user about what is going on.
  
• A real issue makes the application execute arbitrary code.
  
• A real issue uses weak protocols when it is possible to use stronger protocols.
  

Those are just some of the possibilities. As important is what should NOT be called a security issue.

Security non-issues list:

• A non-issue involves crashes that do not prevent the restart of the application, and do not lead to an execution of arbitrary code.
  
• A non-issue involves attacks that permanently disable the application.
  
• A non-issue states that users are not able to access or use their online banking sites, shopping sites, etc. due to site specific problems
  
• A non-issue states that Web sites claim cookies do not work.
  
• A non-issue states that the application uses stricter security protections than another competing application.
  

Sometimes, reporters incorrectly classify instances from the non-issues list as issues from the real issues list.

The two main severity concerns prone to be exaggerated are allegations that a problem "can be used to execute arbitrary code" or is a "Denial of Service" (DOS) attack.

It seems that the combination of a very large input and a crash leads some people to automatically think the problem may be used to "execute arbitrary code", that is, take over the user's computer. That is not always the case, and is usually only possible for what is called a stack buffer overflow, even though it is also sometimes possible for heap (allocated) buffer overflows. However, we have seen this phrase used even for ordinary "NULL pointer" crashes that had no possibility whatsoever to be
abused.

Another exaggeration is calling any crash that can be triggered by a Web site a "Denial of Service" attack. In our opinion, crashing a server which could potentially be running an important or critical service can rightly be called a Denial of Service, as long as the server is not able to automatically recover. This is because bringing down the server will deny service to all users.

Crashing a client, while it is an undesirable event and one we want to fix quickly, can only be achieved by enticing the user into accessing a document that crashes the client. Even then it will usually only inconvenience the user long enough to restart the application. That is not sufficient cause to call it a Denial of Service; in most of these cases it is a stability issue.

The only way, in our opinion, that a crash in a client can be called a Denial of Service is if the attack causes the client to crash again when it is restarted, and when fixing the problem requires more than changing the immediate startup configuration (previous session or blank page). Consequently, this requires editing of the configuration files or a complete re-installation.

In our opinion, calling a normal crash problem in a client a "Denial of Service" vulnerability is a devaluation of the meaning of the term "Denial of Service", which eventually may rob it completely of its correct meaning. Much in the same way, the word "hacker" is now considered to mean "computer criminal", not "highly skilled computer specialist", which was its original meaning. Please see http://en.wikipedia.org/wiki/Hacker_(computing). One may ask if an attack that disables the client really is a
security problem. After all, it does not compromise the user's information security, privacy, or the system's integrity. Generally, we do not consider ordinary crashes, freezes, and other so-called "Denial of Service" attacks security problems; they are stability issues.

Other browser developers have also seen this kind of exaggeration, and Gerv of Mozilla apparently shares our opinion about calling crashes Denial of Service. While we think Microsoft is stretching the definition of Denial of Service, their situation is a bit more complex, which may justify using the definition in their case.

We would like to use this opportunity to ask the security research community to revisit and update/clarify the meaning of their classifications for the various contexts where they are used. In particular, those who maintain vulnerability databases should consider the actual severity of a reported problem before posting the information.


"I think I have found a security issue in Opera. What should I do?"

We recommend: Report it to us before you publish it, so we can fix the problem and release an updated version as soon as possible. We take security seriously, and will investigate all reports.

You should file the report at https://bugs.opera.com/wizard/, with the severity "Security Issue" and you should fill in all information you have, or suspect, about the problem:

* Give a clear and concise explanation of the problem, as complete as possible, including why it is a security issue if that is not obvious.
* Identify which version(s) of Opera you have tested, including which operating system versions. At least one of the tested versions should be the most recent release for the affected platforms.
* Document what is needed to replicate the problem with a step-by-step procedure which includes the source code or command line operations.
* Provide an e-mail address where we can contact you in case we need more information, and to keep you updated about our progress.
* Provide actual test cases. The test cases should contain only the minimum complexity required to reproduce the problem.
* Provide references to previous discussions about the problem area, and if it has occurred in other software.

You should always file a bug report about the issue, even if you are going to send information to the Security Group via e-mail (see below). The report will be filed in our system, and it will remain in the system even if your e-mail should go astray.

Unless they are very short, the test cases should be attached to the bug report by using the e-mail address you get after you submit the bug report.

Server-side test cases should, if there are no special reasons to use other formats, be written in Perl, PHP, or Python. Aside from using standard libraries, they must be self contained.

To protect the data integrity of the test cases, you should PKZip/WinZip (.zip) or Tar/Gzip (.tar.gz) the test cases, even if they are single files.

If you further wish to protect the test cases you may PGP encrypt them to security (at) opera dot com using the public key below, before attaching them to the bug report.

We recommend that if you are planning to publish your report, the information you submit to us must at least include all the information you are going to publish, preferably more. We have occasionally received reports that contained very limited information as compared to what was eventually published, and therefore it was only after publication we were able to understand the true severity of the problem.

Allowing the application vendor to fix the issue before publishing the advisory is good for the users of the application. There is no point leaving end users vulnerable to attack. We at Opera will cooperate and verify the advisory; we can also point out if the issue is not exploitable, helping to increase the quality of the advisory. As a matter of principle we always try to give due credit to responsible reporters in our changelogs or press releases.

Happy, and responsible, hunting!


To contact the Opera Security group, send an e-mail to security (at) opera dot com , whose PGP key is below. As noted above, we prefer that Security Issues are reported via our Bug tracking system, even if you do send an e-mail about the issue.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.1
 
mQGiBELOLzkRBADVw74D8uj9bPNzgmfgf9tC72ckgqnxGHrRTMMK9y42XiLXiIYp
B66OjYpPiwgWzNqivcuyhc0HUGHZeezyE1wK4qGZ0cvxYuWrod2B0xyIXcDg6jTt
Vr/KgbfZy1RhLb9CPW3ngH28wbKAGud7dOsCjqvC+RWXAqPzN9ZXT6S3AwCg/+q6
pzhHdFMjvWrmRuWnypwO3mcD/iDbfiKe7c4nJs+yUveVjEkP+2f/zNg/3lSNUjBO
sg9CaXQlC7QCsTLEmDWAmjlebTI/DVlOfnGYa22myj1KLZdx5/uUG0aZUWDMOkKn
MjqLSyFRqb4VwSjetoojGcHob5zJQUeZ3+q4fSt66kWRwxARmnP3fyeHtdt+ddWa
KkMlBACkj3ZjnORHkyFQDru88IcZKgzTuQzhMcYmCp9vd+gMAy4+r3vUEq5EnXeg
ydBVBzReI4bDizjvpwUwbCEOn+ei8n95x2n7DHEjpn2THasb1ENkVfZ1iHi4OnO3
DaqvnXwNhnobEfEEcLjQDvMEjfWx/T1fZ6I1FwXJZr7TzwvJIrQpT3BlcmEgU2Vj
dXJpdHkgR3JvdXAgPHNlY3VyaXR5QG9wZXJhLmNvbT6JAF0EEBECAB0FAkLOLzkH
CwkIBwMCCgIZAQUbAwAAAAUeAQAAAAAKCRB2h/HMa2j6eQKoAKCv6+UWqdumoTjy
bYL5fzdVlUm8BgCdFX2FFnsyd1O9tSszh7JQ20is1065Ag0EQs4vORAIAPZCV7cI
fwgXcqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ
+AyDvWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm
/xX5u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1F
HQ98iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzh
sSlAGBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZ
Jrqrol7DVekyCzsAAgIH/1nn7DeOo79hX8V3cgGRbHDyw/CC251salCt5gislPdV
RaUAyAC24m2MprPUr6JV6QfmmXgt/FYYbdscREPkbGplXkZFSDlcH8PKfzDDaewG
dApQhOCg4bsFNUX46l/kcooAjlihLZbb9XUJ0IqIvbxJze0NtHD6o7ABTQeEagK+
dL/CBlYxMWG4SvCCol88IjsdkwpCrpIMcnh1lGPMEfvCt86hk96Y1jUouve1sLGx
zx9QbCqo8TkJyi5bJhCGEHS90nEQsdHmaS+Grvm3eep9dTLxhn+Aj/WTpdUy8VD0
rwPAEKWOo4V4HdNEgGjSNOV8LSp8/2wZR0z7zZc3vYeJAEwEGBECAAwFAkLOLzkF
GwwAAAAACgkQdofxzGto+nnZ1ACg9xn8tVb99DfZsC6wRGzr7dtfMU0An1aY3FZ7
k3eRlyzdgO2F+WOHux4J
=w+QX
-----END PGP PUBLIC KEY BLOCK-----

A few weeks ago, just before New Year, news arrived that a group of security researchers had managed to create a fake intermediate CA certificate that was accepted by all browsers, because it was, to all appearances, signed by a Root Certificate Authority (CA) trusted by those browsers.

The fake intermediate CA certificate was, however, not signed by the Root CA. What the Root CA had signed was another certificate based on a completely valid request from the researchers, but the researchers had managed to craft that request -- and a second certificate -- in a way that the digital signature for the certificate signed by the Root CA could also be used by the second certificate.

The Root CA had two problems with their issuing procedure, and the researchers would have failed in their attack had only one of the problems been present.

The first problem was that they signed new certificates using the MD5 algorithm to generate the signature of the certificate. MD5 has been showing signs of stress for many years, although it has not been broken yet. MD5 has, therefore, been on the short list for replacement for many years.

The second problem was that the Root CA was issuing certificates with a predictable serial number, not one that appears to be random (it might still be predictable, but only to the issuer), and almost all the other information in the relevant part of the certificate was either easy to predict (such as expiration date), or controlled by the researchers. In combination with the use of MD5 this meant that the researchers could create two certificates that would have the same signature.

Digital signatures have two components, a relatively short checksum (a hash/digest) calculated over the document that is to be signed -- MD5 is one such digest algorithm, SHA-1 and SHA-256 are others -- and that checksum is then encrypted using the signer's private key, usually an RSA key, and the resulting signature is stored with the document. During verification, the checksum is calculated over the received document and compared against the signed checksum decrypted with the signer's public key (which is known to all).

Digest functions are called one-way functions because they are easy to calculate one way (calculate the checksum of a document), but it is very difficult to reverse the calculation (calculate the document that produced the checksum). These functions also have a second required attribute: changing a single bit in the document must produce a wildly different checksum; that is why these function are called hash-functions, because they slice, dice and generally make a hash of the bits in the document.

One way to attack a digest function is to find easy ways to calculate two documents that produce the same checksum. The very nature of digests, that the checksum is of finite length, means that there will always be an infinite number of documents that have the exact same checksum, known as collision.

It is "relatively" easy to find such collisions by using a method called the "Birthday attack", after the fact that there is a 50% chance that in a room of 23 people you will find two people having their birthday on the same day of the year. The problem with the "Birthday attack" has always been creating messages that have meaning, such as a certificate, that will be accepted by a reader (human or machine).

In recent years, such collision attacks on MD5 have become better, and in the recent incident mentioned above, the researchers were able to make the necessary breakthroughs that allowed them to calculate two documents (certificates) that would be accepted by browsers verifying certificates, using "just" 3 days of calculation (bit tweaking, really) on 200 Playstation 3s. Essentially, they calculated two documents "ABC" and "XYC", by changing B and Y, so that the signature for "ABC" would also verify "XYC".

The researchers got an ordinary certificate from the Root CA, and were in possession of a second certificate, for which the same signature was valid. This second certificate was something we call an intermediate CA certificate, meaning it has the authority to sign yet new certificates. The intermediate CA certificate was then used to create a Web site certificate, and that certificate was accepted by the browsers, because the signatures verified all the way to the Root CA's certificate. However, neither the intermediate CA certificate, nor the Web site certificate had ever been authorized by the Root CA. The intermediate CA certificate, controlled by the researchers, was now in a position to create fake certificates for any Web site on the net.

Fortunately, the intermediate CA certificate they created was intentionally configured so that it expired several years ago, so you will always get a certificate warning when accessing a site using a certificate issued by this "CA".

The first consequence of this is that MD5 should not be used when issuing new certificates. Existing certificates, including Roots that are signed with MD5, are still secure and cannot be faked because the attacker needs to control the data of the certificate, and portions of the data sent to the issuer have to contain random data that are chosen as part of the calculation process; otherwise the attack becomes much harder.

The CA in question have already stopped issuing certificates using MD5, and have AFAIK implemented other countermeasures, such as random serial numbers, so the attack is no longer possible. There are currently no indications that what the researchers did had been duplicated by anyone before they published their results, and considering the (as yet unpublished) new theory they had to develop, it is unlikely that anyone has.

Given the steps that have been taken, this proof of concept is unlikely to affect the security of users.

The second consequence is that use of MD5 (and the weaker MD2 function) in protocols, including certificates, should be phased out as quickly as possible. "Attacks always get better, they never get worse", to quote Bruce Schneier and the NSA, so it is only a question of time before attacks that are currently unfeasible will become feasible.

That is a much larger task, one that cannot be done overnight.

Certificates: A large fraction (30% according to the researchers, 14% according to Netcraft) of
certificates used by Web sites are still signed using MD5, and then we are probably not counting the certificates that chain to a MD5 or MD2 signed root. Disabling MD5 and MD2 in certificate verification today would, almost quite literally, break the Internet. Most certificates today are signed using the more secure SHA-1 function, but steps are being taken to start using the even more secure SHA-256 function for signatures. Opera 9.0 and later are able to handle certificates signed using SHA-256, as are a number of other modern browsers, but there are quite a few browser users out there with browsers that cannot handle SHA-256, and the problem of how to migrate to SHA-256 without breaking the Internet has not yet been solved.

Please note that Extended Validation (EV) certificates are not affected by this. EV site certificates and intermediate CA certificates cannot be signed using MD5, and no Root using 1024 bit keys are accepts for EV in Opera.

SSL v3: SSL version 3, the oldest version of the SSL/TLS protocol that Opera supports, uses MD5 directly as part of several functions, including key calculation; however, due to the design of the protocol, for most purposes, MD5 is combined with another more secure method, SHA-1, even a complete break of MD5 should not compromise the security of SSL v3. Considering that SHA-1 is also showing signs of stress, though considered to be secure for several more years, Web sites should move away from using servers that only support SSL v3 (such servers are also, usually, more than 8 years old). While it is currently not practical to disable support for SSL v3, it may become necessary in a few years.

TLS v1.0 and v1.1: These two versions of TLS both use MD5 in combination with SHA-1, like SSL v3, but use these functions indirectly in a multistep "keyed" operation called HMAC, where the input data is combined with other data, and the result is then recalculated a second time -- a procedure that foils several types of attacks on these functions. Unless there are problems with the HMAC construction, TLS v1.0 and v1.1 are likely to remain secure for quite some time, but Web sites are encouraged to adopt TLS v1.2 as soon as it becomes available in servers.

TLS v1.2: This is the newest version of TLS, and one first available in Opera 10.0 alpha (Opera Presto 2.2). This version of TLS no longer use MD5 or SHA-1 as part of the protocol, but has changed to using the more secure SHA-256 function for the operations for which MD5 and SHA-1 have been used in SSL v3, TLS v1.0 and TLS 1.1. The only functionality for which MD5 and SHA-1 (together with HMAC) are still used is in the checksums for each encrypted record, but these are still considered reasonably secure. TLS v1.2 also has encryption specifications that use SHA-256, and those are the preferred ones.

While the SSL/TLS protocols versions should be secure for several more years, server vendors should add support for TLS 1.2 and SHA-256 as soon as possible. Web site administrators should start using TLS v1.2 servers as soon as they become available, and in the meantime migrate to servers using TLS v1.1. This will provide their customers with the best available security.

Web surfers should of course at any time use the most up to date version of their browser.

What steps are Opera planning?

We have considered blacklisting the fake intermediate CA certificate, but currently we are leaning towards not doing so. In the new online certificate repository, we can tell all 9.50+ installations not to trust specific certificates, and we will do so if it is necessary, particularly if a Root is compromised. However, in this case we are dealing with a single demonstration Web site and an expired fake intermediate CA certificate created by a group of researchers that have stated that they will keep the private key for that certificate safe. Marking the certificate untrusted in all installations will, under the circumstances, be a bit of an overkill.

We are, however, planning some changes to the blacklist functionality to make it scale better and be more targeted. Primarily we would like the blacklist to be updated only when the user actually encounters a potentially blacklisted certificate.

In the long term we are very likely going to require all Web site certificates chained to a Root (that is, except self-signed site certificates) to be validated using online validity checks, based on OCSP and CRLs, and refuse to connect if some of the non-Root certificates in the chain cannot be checked against either of those validation systems. One of the things the fake CA in this case did not provide was a URL to a CRL that could be used to validate it. Such a step is unlikely to cause disruption for Web sites using a certificate issued from one of the CAs in the Rootstore, but it might cause problems for certificates created by system administrators that roll their own Root certificates. It might also cause problems at Wi-Fi hotspots and ISP networks that restrict external access before payment have been accepted. The benefit of such a policy would be that all certificates would be checked frequently.

We are not going to disable MD5 in certificates for some time. We have asked some CAs to provide information about their phase out plans, but I would be surprised if we can do that within a year. However, all of the affected Roots are using 1024 bit RSA keys, which means that they are no longer recommended for use past 2010. Therefore, the CAs are already in the process of migrating customers away from those Roots over to Roots with stronger keys.

Another possibility that we are considering regarding MD5 is to add a remote updatable preference to Opera that allows us to turn off MD5 in certificates in all installations at some time. This would mean that, when MD5 is no longer considered secure, or necessary, users would not have to install a new version to disable MD5.

We are also considering, just to be on the safe side, whether or not to disable the single remaining SSL/TLS cipher suite using MD5, the 128 bit ARC4(RC4) with RSA key exchange and MD5 for integrity checking (128 bit ARC4-RSA/MD5). Before we decide on that, we need to check how many servers that support only that method (there is a SHA-1 variant that is preferred by Opera). My guess is that all servers support at least the 128 bit ARC4-RSA/SHA-1 variant, meaning that there will be no significant disruption if we do this.

The process we are seeing, of ever better attacks on MD5, is part of life for encryption algorithms. All encryption algorithms have a use-by date, although it may not be easy to find, which is why most protocols allow the algorithms to be changed or can be updated to use new ones. Changing from one method to another, more secure method is a process that usually takes several years, particularly in the case of the Internet, due to the number of installed servers and clients that have to continue to work without disruption. This concern is often the reason why disabling of unsecure protocols and methods take longer than one could wish.


More information about the MD5 certificate problem can be found here:

• The researchers' report
  
• Eric Rescorla, co-chair of the TLS work group and author of the TLS 1.1 and TLS 1.2 specifications
  
• MIT Technology Review