From: Chris Salter
Date: Wed, 14 Jan 2009 01:03:29 +0000
In message <[email protected]>, dated Tue, 13 Jan 2009 at 19:24:55, Robin Zalek <[email protected]> writes
On Tue, 13 Jan 2009 13:53:36 -0000, Chris Salter <[email protected]> wrote:

The question in all this is, in real world terms, how much consideration should we give to Opera's 'additional' security validation? If the site is new to me and Opera says it's insecure I'm not going to action any transactions in that session. However, what do you do when the site is one you access daily and only Opera suddenly reports security issues with that site?

Firefox checks CRLs/OCSP revocation systems, but if they can't be contacted or return an invalid result Firefox will mark the connection as OK - I had a site recently whose certificate was pointing to a malformed CRL and Firefox didn't raise an eyebrow. The basic difference is that Opera is checking that the certificate hasn't been revoked (and thus, if it can't confirm that, errs on the side of caution), whereas Firefox's approach is to check if the certificate has been revoked, only returning a failure if they get a definitive yes to that question; for what it's worth, Chrome appears to follow Opera; Safari and Internet Explorer take Firefox's approach. If the only problem is a failure to get revocation information (i.e. Opera's security info dialog still lists encryption methods for a connection) and it's a site you know, then you're /probably/ OK - revocations are rare, and since it's only become common for all browsers to actually check revocation status in the last year or two, problems with CRLs and OCSPs are more common. In the end, because I knew the site, I ended up trusting the connection that one time.

Regarding your specific problems, I have no trouble currently accessing PayPal. The Barclaycard site failed the first time, but worked on a reload. Both Barclay sites point to the same CRL [http://crl.verisign.com/Class3InternationalServer.crl], which, if your computer is unable to download it within 15 seconds (the timeout Opera offers for getting CRLs), would explain your problem there.

Thanks for the above, as it makes it all a little clearer. As I have reported in another response, I have been unable to replicate the problem, at least as far as the Barclaycard site is concerned, on a second system attached to the same router. The original system still exhibits a significant response delay, which could be either the cause or a symptom of the 'validation failure', and I am in the process of investigating that further.

I see Opera's approach as the more sensible one, definitely the more secure.

I'm of two minds on that. When Opera states 'the connection is not secure' and 'the server attempted to apply security measures but failed', does that mean that in terms of validating the certificate (e.g. the timeout you describe) the connection is not secure, or does it mean the session is not encrypted? If the latter, the connection is certainly not secure, but if the former, the connection *might* not be secure.

Chris Salter
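The hard-fail versus soft-fail distinction Robin draws above is easy to state and easy to get subtly wrong when implementing. The following Go program is an added example, not part of this thread and not the code of any browser named in it. Using only the standard library it builds a throwaway CA and CRL, then runs both policies over the same four inputs: a serial that is not listed, a serial that is listed, a fetch that timed out (modelled as no bytes at all), and a malformed CRL (modelled as truncated DER, standing in for the malformed CRL Robin hit). The CA name, the serial numbers and the one-hour CRL lifetime are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a CRL lookup can say about one certificate serial.
type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // CRL verified, serial not listed
	StatusRevoked                         // CRL verified, serial listed
	StatusUnknown                         // no trustworthy answer: missing, malformed, stale or wrongly signed CRL
)

// checkCRL verifies crlDER against the issuing CA and looks up serial. Every way of
// failing to get a trustworthy answer is StatusUnknown; what that means is policy.
func checkCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) RevocationStatus {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown // nil (fetch timed out) and garbage (malformed CRL) both land here
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return StatusUnknown // signed by the wrong CA, or past nextUpdate
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries in Go 1.21+
		if rc.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// acceptConnection applies the two policies from the thread: hardFail=true is the Opera model
// (proceed only on a confirmed "not revoked"), hardFail=false the Firefox model (refuse only
// on a confirmed "revoked"). They differ only on StatusUnknown.
func acceptConnection(status RevocationStatus, hardFail bool) bool {
	switch status {
	case StatusGood:
		return true
	case StatusRevoked:
		return false
	default:
		return !hardFail
	}
}

// must panics on error; used only while building the constructed test data below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCAAndCRL generates a throwaway CA and a one-hour CRL revoking the given serials.
// Constructed test data only; "Example Test CA" is not a real CA.
func makeCAAndCRL(revoked []*big.Int, now time.Time) (*x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: entries,
	}, ca, key))
	return ca, crlDER
}

func main() {
	now := time.Now()
	revokedSerial, goodSerial := big.NewInt(4242), big.NewInt(7) // arbitrary constructed serials
	ca, crlDER := makeCAAndCRL([]*big.Int{revokedSerial}, now)
	cases := []struct{ name string; crl []byte; serial *big.Int }{
		{"valid CRL, serial not listed", crlDER, goodSerial},
		{"valid CRL, serial revoked", crlDER, revokedSerial},
		{"CRL fetch timed out", nil, goodSerial},
		{"CRL malformed (truncated DER)", crlDER[:len(crlDER)/2], goodSerial},
	}
	for _, c := range cases {
		st := checkCRL(c.crl, ca, c.serial, now)
		fmt.Printf("%-32s Opera-style accepts: %-5v Firefox-style accepts: %v\n", c.name, acceptConnection(st, true), acceptConnection(st, false))
	}
}
```

Run it with `go run`. The four printed rows are the whole argument of the thread: the two policies agree whenever the CRL is trustworthy and disagree only on StatusUnknown, which is exactly where Opera refuses and Firefox proceeds. The check is deliberately strict about what counts as a trustworthy answer: an unparseable list, a list signed by the wrong CA and a list past its nextUpdate are all folded into the same status as a timeout, because a hard-fail policy is only as good as the checker's refusal to treat any of those as "not revoked".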

