[2Curious]

I've been reading through the Opera Faq about encryption and security features. I need some help learning more about it, so I can fully understand how it (or any other mobile web service) can be truly secure.

FAQ info: http://www.operamini.com/help/faq/#encyption

1. I think the piece that I'm most fuzzy on is the Opera Mini Server itself.

True or false: We as users must trust that they will not store any secure information. But, they could. So, in the end it's up to us?

2. With the Advanced version (not Basic) of Opera Mini 3.0 the Complete End-To-End connection is secure and encrypted.

Just double-checked the downloaded file I installed for the Pearl as being the Advanced version for (MIDP 2)

3. Since they keep track of cookies set by the remote web servers, it would be up to us to be sure that we didn't choose "remember me" and such during loggins for banking and other sensitive sites? Mainly to avoid problems if we ever lost our phones. Even though we can clear all history using the menu/tools/history/clear all.

Any advice, or guidance would be appreciated. Even just a link so I can read up on it myself. I've been reading everything I can find on proxy servers as well. Just trying to learn so I can make educated decisions.

(8100 Pearl, running OS 0.64, Provider TMo US)

[kyububba]

In general since they control the entire path from your client to the server, you must trust that they don't store any secure information.

I'm pretty sure Opera Mini can store all sorts of stuff about your content on their servers (cache, cookies, as well as security certificates needed for SSL). This is because it's their servers that ultimately acts as the HTTP client to the external sites.

Note, this is different from the traditional HTTP proxy server model in that the proxies are not able to view your content in a SSL/TLS session, as they don't have the private key required (which is stored in your browser). Also, traditional proxy servers generally will not parse any of the http body content. In order for Opera Mini to work and optimize a regular HTML page for the phone they have to parse the content and send down optimized rendering info.

So whether you trust them or not is up to you. Personally I have no problem using it for non-encrypted content. Yes, they can cache and use the information, but anyone with a packet sniffer can also do the same with your desktop browser. My browsing patterns aren't that interesting anyway...

I wouldn't use it for any secured https traffic though, based on the reasons above. Plus, most half-way decent secure sites (e.g. banks) probably won't accept any https sessions coming from Opera Mini.

[madmarvcr]

I am able to log in fine to 2 online Bank Accounts and 2 online Stock trading accounts using Opera Mini 3. Also, I can now login to my works Intranet using Opera Mini. To login to the work intranet I have to use a RSA SecurID kefob token generator, and I could never do that with any BB brower until Opera Mini 3

IMHO, Opera is doing some serious stuff right.

[Stinsonddog]

Agreed - if you are a security hound, don't do anything important on Opera. There's a server in the middle, and they should be at the bar I just left.

Quote:

Originally Posted by kyububba

In general since they control the entire path from your client to the server, you must trust that they don't store any secure information.

I'm pretty sure Opera Mini can store all sorts of stuff about your content on their servers (cache, cookies, as well as security certificates needed for SSL). This is because it's their servers that ultimately acts as the HTTP client to the external sites.

Note, this is different from the traditional HTTP proxy server model in that the proxies are not able to view your content in a SSL/TLS session, as they don't have the private key required (which is stored in your browser). Also, traditional proxy servers generally will not parse any of the http body content. In order for Opera Mini to work and optimize a regular HTML page for the phone they have to parse the content and send down optimized rendering info.

So whether you trust them or not is up to you. Personally I have no problem using it for non-encrypted content. Yes, they can cache and use the information, but anyone with a packet sniffer can also do the same with your desktop browser. My browsing patterns aren't that interesting anyway...

I wouldn't use it for any secured https traffic though, based on the reasons above. Plus, most half-way decent secure sites (e.g. banks) probably won't accept any https sessions coming from Opera Mini.

[2Curious]

Thanks so much kyububba and Stinsonddog!

Banking and other https sites are specifically what I was getting at.

I love Opera to view many many sites that otherwise are difficult and cluttered to read with the BB Browser. And I agree, this browsing isn't that interesting, they can store whatever they want.

But to login to my banking site, or buy something by credit card online via Opera Mini?
I think I'll pass. None of it is that urgent that I can't wait till I'm home, or at work. And last time I checked, if it is urgent enough, I can always bank by phone.

I just wanted to learn as much as I could. Thanks again.