The comment about a possible security threat due to a web server in the web browser got picked up by Opera and the media. The CEO of Opera, Jon von Tetzchner, doesn’t see any security risks implied by such a feature. In his view, it would be safe because it wouldn’t be worthwhile to attack millions of computers: those single computers wouldn’t be interesting because there isn’t much data lying around in a central place.
In order to explain where the security risks reside when many computers are registered in a central place, we have to describe the architecture of Opera Unite. Opera Unite implements the concept of a peer-to-peer (P2P) network differently from how it has been done so far.
We have P2P networks in two flavors: those using a central server where the shared resources are registered, also called centralized P2P networks (e.g. BitTorrent, eMule), and those without a central server for resource sharing, also called decentralized P2P networks (e.g. Gnutella). Opera Unite implements a little bit of both approaches: there is a central place where the computers are registered in order to get the Opera Unite name (http://sharename.myuser.operaunite.com/file_sharing/), but it doesn’t store the identifiers of the shared resources (something like http://sharename.myuser.operaunite.com/file_sharing/admin/malware.exe).
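The URL layout above gives defenders something to look for in web proxy logs. The following Python sketch is an added example, not code from Opera or from the original post: it assumes the host has the form `<share>.<user>.operaunite.com` and that the first path segment names the service, as in the two URLs above. The log format, the `photo_sharing` service name and the list of risky extensions are constructed for illustration.

```python
from urllib.parse import urlsplit
from collections import defaultdict

UNITE_SUFFIX = ".operaunite.com"
RISKY_EXT = (".exe", ".scr", ".bat", ".msi", ".js")  # assumed list, adjust to policy

# Constructed proxy log lines (client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://sharename.myuser.operaunite.com/file_sharing/admin/malware.exe
10.0.0.5 GET http://sharename.myuser.operaunite.com/file_sharing/
10.0.0.9 GET http://laptop.alice.operaunite.com/photo_sharing/holiday.jpg
10.0.0.7 GET http://myuser.operaunite.com.example.net/file_sharing/setup.exe
10.0.0.8 GET http://www.example.org/download/tool.exe
"""

def parse_unite_url(url):
    """Return (share, user, service, path) for a Unite URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(UNITE_SUFFIX):
        return None  # also rejects look-alikes such as operaunite.com.example.net
    labels = host[: -len(UNITE_SUFFIX)].split(".")
    if len(labels) != 2 or not all(labels):
        return None  # assumed layout: <share>.<user>.operaunite.com
    segments = [s for s in parts.path.split("/") if s]
    service = segments[0] if segments else ""
    return labels[0], labels[1], service, parts.path

def review(log_text):
    """Summarise Unite traffic: services seen per share, and risky downloads."""
    services = defaultdict(set)
    risky = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not match the constructed format
        client, _method, url = fields
        parsed = parse_unite_url(url)
        if parsed is None:
            continue
        share, user, service, path = parsed
        services[(share, user)].add(service)
        if path.lower().endswith(RISKY_EXT):
            risky.append((client, f"{share}.{user}", path))
    return dict(services), risky

if __name__ == "__main__":
    inventory, alerts = review(SAMPLE_LOG)
    print(inventory)
    print(alerts)
```

The suffix check is done on the parsed hostname rather than on the raw URL string, so a host that merely contains `operaunite.com` in the middle of its name is not counted as a Unite share.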
We can see a couple of potential attack vectors here:
1. The Opera Unite central server(s) containing the index of all the computers running the Opera Unite software
Once this server is compromised, all registered names are available and the attacker can access the users’ files. More information about the service’s architecture is presented here.
2. The Services of Opera Unite software running on user’s computer
3. The attacker is using the Opera Unite SDK and is building a malicious service for Opera Unite
If a malicious user creates a service and shares it (on http://unite.opera.com/), he is able to create a network of controlled computers, which software security specialists usually call a bot net.
Yes, there is an “Approval of Opera Unite Services” process described on dev.opera.com where, among other topics, the following issue is checked: “# The service must not contain malicious or destructive code”.
But how do you define malicious? Is downloading and executing a file malicious? It depends on the file. Is connecting to an SMTP server and sending emails malicious? It depends on the content you’re sending and on how many emails you’re sending. There are a lot of scenarios which can be imagined.
We see attacks on millions of PCs on a daily basis, whether they come from the web via drive-by downloads, via email or directly on the network level against vulnerable services. Also, of course every single computer counts! A usual bot net consists of thousands of infected, remotely controlled PCs.
The new quality of this potential threat stems from the direction an attack would come from. Today, a user has to surf to a hacked web site or start the malware her-/himself after a successful social engineering attack. With a server built into the browser, the attackers can actively scan for victims and offload their malware onto vulnerable computers. Additionally, the other attacks still work, too.
But as Jon von Tetzchner also mentions, Opera takes security concerns seriously, and we don’t have a doubt about it. They will make sure to ship a well-tested, secure product. Anyway, now that the service is public, everybody in the security industry will keep an eye on it. We have already started.
Manager International Software Development