Opera is giving users the standard upgrade advice after a successful attack on its network allowed evil-doers to copy a software-signing certificate. As a result, they would be able to craft malware that would authenticate as coming from Opera. In this blog post, Opera's Sigbjørn Vik explains that the software company …
Access to network
This seems to be a lot more serious than they are letting on. If they had access to a code-signing certificate they must have had access to some pretty secure places on the network, and then being able to upload binaries back up to distribute to end users is very worrying (I'm presuming the updates were actually sent from the Opera network, or how else would they know how many users might be infected?)
For a company who makes a few products that proxy for all your web communications, that could be a significant problem. If they had access to those servers they would've inserted themselves directly in the path of that user's browsing.
Re: Access to network
" If they had access to a code-signing certificate that must have had access to some pretty secure places on the network,"
That's a dangerous assumption. How do you know someone didn't either accidentally or deliberately just send the key?
Re: Access to network
Not really a dangerous assumption as it has already stated they were able to put infected binaries on their network and if someone deliberately sent the key then that is an even worse issue.
As for accidentally sending the key? Well I can't see that happening, the keys would/should have very restricted access and no-one who understands what a key is would accidentally be in a position to send it.
If that "upgrade" is in any way related to the new "broken" version of Opera where they slice off Mail, tear out the rendering engine and replace it with WebKit (or whatever it is, certainly not Presto), and remove almost EVERY feature going for it in one fell swoop, then I'll stick with the "insecure" version and make a workaround, thanks.
Why do we need an upgrade to revoke what I heard was an expired certificate anyway?
Opera has gone SERIOUSLY downhill in the last year, and I was one of the few that have been using it since the paid-for versions.
Opera Next @Lee
I for one am happy to see the email portion (=bloat) ripped off into a separate download. I'm sure that a minuscule number of users have even tried this Opera side-project and its development has taken resources from the browser projects which far outweighs the IRC / Mail portion.
Replacing Presto with Chromium/Blink isn't a negative deal for me at all. Opera has been marketed as a light-weight, fast, and standard-compliant web browser. It still is, but Chrome et al. have equaled or surpassed it in the speed department for some time, especially in the JS department. Chromium is a top project for Google and its excellence shows.
I've used Opera since version 6 and never paid for it.
Re: Opera Next @Lee
"its development has taken resources from the browser projects"
I've seen no evidence of mail development in the last half-decade or so and it's what I use as my mail client, so I think I would have done.
"Opera believes the impact is limited to “a few thousand Windows users” who may have automatically received and subsequently installed the malware."
That must be the amount that are actually still using Opera.
Opera is irrelevant, especially now since it is currently nothing more than a theme for Chromium.