This morning I reposted a Download Blog intro to Opera Unite; here now is an attempted summary of an article by Betanews on possible security issues arising from using Unite as your browser based web server.
The main question is whether the Unite APIs expose users file systems. Opera’s security documentation indicates that no Unite user can access another user’s file system directly because each user acting as a server creates a virtual image of his/her file system on Opera’s proxy servers, generating so-called mount points to which other users are given access.
Right now Unite capable apps work as widgets; question: can they expose these mount points. A widget’s config.xml file includes a reference to the File I/O API and that reference contains a parameter pointing by default to a designated shared folder. This folder could be be a safe one if designated by the widget and the widget itself being safe. But even then, according to the Opera documentation the parameter includes shortcuts leading directly to system folders in Windows, Mac, and Linux (e.g. My Documents in Windows) – how safe is that?
Exposing system files via the mount point is one thing – another is access rights. According to the Opera documentation, the end user’s level of access to the virtual file system is determined by the corresponding level of access in the Unite server’s physical file system, and the job of securing them is left to the developer. The documentation says:
WARNING: Once mounted, the mount point will be read-write unless the underlying file system defines it to be read-only,” the documentation reads. “Be careful to protect your data by controlling how data gets written to them. You should supply some sort of authentication of users who access these directories and be careful to not leave code open to exploitation.
So, it sounds like the developer has to offer the user clear access rights options and the user has to be aware of them, understand their importance and then make use of them accordingly. Whether all developers will be that conscientious or benevolent is doubtful.
Next question is: can the config.xml file be altered by third parties? The answer according to Opera is no: “The config.xml … is hidden away from the Unite protocol and other Web protocols that the browser responds to. It cannot be altered by any unsolicited requests.”
But: can a widget be designed to deliver malicious payloads or otherwise wreck havoc on a user’s file system? Again Opera plays down this security risk by saying that it will ‘pre-screen’ all developer widgets and certify the developer’s claims. This of course would only be the case for widgets downloaded from their http://unite.opera.com repository. But we know from Mozilla how many extensions are being downloaded directly from developers’ sites. Will Opera allow the same for Unite widgets? Can it actually prevent this from happening? And if clients use non-approved widgets, how will Opera servers distinguish between them and the accredited ones? And what about developers running their own malicious widgets from their sites – how can Opera’s servers detect them?
Opera says that the communication between the widget and its servers is not based on SSL but its own protocol. “The authentication between the Opera Unite client and the Opera proxy happens via http://auth.opera.com which is our secure authentication server. This is the same server that is used to authenticate all our services, like Opera Link.” Link is currently being used to synchronise data like bookmarks and other browser data between desktops and mobile platforms, and it is the communication between these platforms that is encrypted; what is not though is the access to the system. What risk will that pose?
Many of the comments to the Betanews post show that that current beta users of Unite seem to have little concern about these and other security issues. That in itself could already be a problem, making the whole system vulnerable. But I guess as Unite grows out of beta, hopefully security fears will be laid to rest. In the meantime I certainly will wait with using Unite.