Opera Software releases Opera Unite alpha

Started by Triple Zero, June 17, 2009, 12:24:21 PM


Triple Zero

http://labs.opera.com/news/2009/06/16/

Quote
Our computers are only dumb terminals connected to other computers (meaning servers) owned by other people — such as large corporations — who we depend upon to host our words, thoughts, and images. We depend on them to do it well and with our best interests at heart. We place our trust in these third parties, and we hope for the best, but as long as our own computers are not first class citizens on the Web, we are merely tenants, and hosting companies are the landlords of the Internet.

Social networking is important, but who owns it — the online real estate and all the content we share on it? How much control over our words, photos, and identities are we giving up by using someone else’s site for our personal information? How dependent have we become? I imagine that many of us would lose most of our personal contacts if our favorite Web mail services shut down without warning. Also, many of us maintain extensive friend networks on sites like MySpace and Facebook, and are, therefore, subject to their corporate decisions via “Terms of Service” and click-through agreements.

Of course, with Opera Unite it is Opera Software you are dependent on, but their active decentralized approach tries to minimize this dependency as much as possible. The Opera Unite feature is just a tool that turns your computer into a webserver, but the content remains on your machine, and in your control.

It's basically Peer-to-peer technology, but not with the focus on filesharing (although I imagine that will be a huge part of what it will be used for), but on developing any kind of service in a peer-to-peer fashion without the need of a middle man (such as a hosting/server company).

I'm very interested to see; if this takes off, it could turn the entire web upside-down. For example, add in some crypto, or simply build an adapter for an existing darknet service and you get what Tor wanted to be, instead of what it is.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Cramulus

woah - that's brilliant

and if executed properly, will turn the web upside down


Bebek Sincap Ratatosk

This has the potential for awesome. There are some advantages to using servers rather than peer services though. Particularly resource constraints (probably not an issue for most home user 'websites') and security. Security in this instance concerns me. This means more home firewall ports will be open, with more ports on a system listening and more possibility for bad things to spread fast.

However, that is the case with most new technology, so it may simply be a challenge to face, rather than an OMGZ! sort of thing. Particularly, I would hope this stuff had auto-updates for security patches, rather than relying on the fool running the app. Also, maybe some consideration around sandboxing the services/daemons to minimize risk from buffer overflow attacks. I'm also concerned about these cool apps the product guy is talking about. We have highly paid developers that leave gaping holes in web apps (which is why my team stays employed). So, I think some sort of security should probably be included in the app side to minimize the likelihood that the user will screw themselves with a guestbook app or similar nonsense. If the web server included some basic preconfigured safeties, like field validation or to kill off XSS, that could go a long way to help.

On one hand, this is an awesome project and I am downloading it now to play with it. On the other hand, I could see this easily becoming the next incubator for more zombies, worms and nastiness.

Now, to see what security exists in the app by default!
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Richter

NEAT!

I can see this giving rise to some polarization to the eventual 2 (+) possible flavors of internet, a peer to peer homegrown sort, and a sponsored, hosted, privatized sort.
Quote from: Eater of Clowns on May 22, 2015, 03:00:53 AM
Anyone ever think about how Richter inhabits the same reality as you and just scream and scream and scream, but in a good way?   :lulz:

Friendly Neighborhood Mentat

Kai

I can think of hundreds of cool things I could do with this just off the top of my head.
If there is magic on this planet, it is contained in water. --Loren Eisley, The Immense Journey

Her Royal Majesty's Chief of Insect Genitalia Dissection
Grand Visser of the Six Legged Class
Chanticleer of the Holometabola Clade Church, Diptera Parish

Bebek Sincap Ratatosk

Running it now. First thoughts:

1. It appears to be using dynamic ports and UPnP protocols. Thus I just shared a machine from our secure internal network with the outside world. YAY, a new toy that just blew a hole in thousands of dollars of security tools!! :)

2. I can see people fucking up the configuration rather easily. This could lead to lots of LULZ when people accidentally share their home directory or their My Documents directory.

3. Thus far, it doesn't look like there is any code within the services to kill invalid form data or XSS attacks.

Next up... can it be exploited??
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson
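The field validation and output encoding that the posts above ask for in a guestbook-style app, as an added example that is not part of the original thread and does not use the Opera Unite API. `validateEntry`, `escapeHtml`, `renderGuestbook` and the field limits are hypothetical, and the sample submissions are constructed.

```javascript
// Added example in plain JavaScript; all names are hypothetical.
const LIMITS = { name: 40, message: 500 };

// Encode the five characters that let text break out of HTML
// element content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Field validation: reject wrong types, empty or oversized fields,
// and control characters (tab, LF and CR are allowed).
function validateEntry(form) {
  const errors = [];
  const clean = {};
  for (const field of Object.keys(LIMITS)) {
    const value = form[field];
    if (typeof value !== 'string') { errors.push(field + ': missing'); continue; }
    const trimmed = value.trim();
    if (trimmed.length === 0) errors.push(field + ': empty');
    else if (trimmed.length > LIMITS[field]) errors.push(field + ': too long');
    else if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(trimmed)) {
      errors.push(field + ': control characters');
    } else clean[field] = trimmed;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Entries are stored as raw text and encoded only when written into HTML,
// so markup that passes validation is still displayed as inert text.
function renderGuestbook(entries) {
  const items = entries.map((e) =>
    '<li><b>' + escapeHtml(e.name) + '</b>: ' + escapeHtml(e.message) + '</li>');
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed sample submissions.
const submissions = [
  { name: 'Alice', message: 'Nice page!' },
  { name: 'Bob', message: '<script>alert(1)</script>' }, // valid length, escaped on output
  { name: '', message: 'anonymous' },                    // rejected: empty name
  { name: 'Eve', message: 'x'.repeat(501) },             // rejected: too long
];
const accepted = submissions.map(validateEntry).filter((r) => r.ok).map((r) => r.clean);
console.log(renderGuestbook(accepted));
```

Validation alone accepts the second submission because it is within the length limit; it is the encoding in `renderGuestbook` that keeps it from being interpreted as markup.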

Triple Zero

Quote from: Ratatosk on June 17, 2009, 03:29:41 PM
This has the potential for awesome. There are some advantages to using servers rather than peer services though. Particularly resource constraints (probably not an issue for most home user 'websites') and security. Security in this instance concerns me. This means more home firewall ports will be open, with more ports on a system listening and more possibility for bad things to spread fast.

However, that is the case with most new technology, so it may simply be a challenge to face, rather than an OMGZ! sort of thing. Particularly, I would hope this stuff had auto-updates for security patches, rather than relying on the fool running the app. Also, maybe some consideration around sandboxing the services/daemons to minimize risk from buffer overflow attacks. I'm also concerned about these cool apps the product guy is talking about. We have highly paid developers that leave gaping holes in web apps (which is why my team stays employed). So, I think some sort of security should probably be included in the app side to minimize the likelihood that the user will screw themselves with a guestbook app or similar nonsense. If the web server included some basic preconfigured safeties, like field validation or to kill off XSS, that could go a long way to help.

On one hand, this is an awesome project and I am downloading it now to play with it. On the other hand, I could see this easily becoming the next incubator for more zombies, worms and nastiness.

Now, to see what security exists in the app by default!

check out the developer API documentation, they already got part of the security stuff covered.

that is:
- sandboxing of files
- official apps for download on the Opera site are manually security audited (as if it could be automated)
- it's not really a typical webserver, see the API docs, an app is written like an Opera Widget, which is kind of like a stand alone HTML5+JS webpage, except that you're supposed to return Response objects with HTML in them, as event listeners on URL access points. this would catch all GET-method XSS. the form stuff is also done via JS objects, wouldn't surprise me if they got some validation there as well. it both helps make it easier to develop apps as well as check security.
- the hosted sites appear via a proxy on their own subdomain, so given XSS they can't leak cookies.
- you can restrict access to "private", "friends" or "public", so as long as you keep dangerous stuff out of "public"
- I don't think it opens any port except 80. Or maybe it can even use a random "high" port, since something is mapped via the computername.username.operaunite.com proxy address.

the service is still in alpha, so this is a test phase to find the problems (and Opera is not a company that makes eternal beta releases either)

I'm not sure whether auto update actually helps much. Opera does check for updates and notifies the user, but does not automatically download them. Compared to the security and reaction time of browsers that do, such as Firefox and IE, automatic updating does not have a very significant impact on the browser security. Taking independent security advisories seriously and quickly implementing patches, fortunately does :)
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Bebek Sincap Ratatosk

Quote from: Triple Zero on June 17, 2009, 04:22:46 PM
check out the developer API documentation, they already got part of the security stuff covered.

that is:
- sandboxing of files
- official apps for download on the Opera site are manually security audited (as if it could be automated)
- it's not really a typical webserver, see the API docs, an app is written like an Opera Widget, which is kind of like a stand alone HTML5+JS webpage, except that you're supposed to return Response objects with HTML in them, as event listeners on URL access points. this would catch all GET-method XSS. the form stuff is also done via JS objects, wouldn't surprise me if they got some validation there as well. it both helps make it easier to develop apps as well as check security.
- the hosted sites appear via a proxy on their own subdomain, so given XSS they can't leak cookies.
- you can restrict access to "private", "friends" or "public", so as long as you keep dangerous stuff out of "public"
- I don't think it opens any port except 80. Or maybe it can even use a random "high" port, since something is mapped via the computername.username.operaunite.com proxy address.

the service is still in alpha, so this is a test phase to find the problems (and Opera is not a company that makes eternal beta releases either)

I'm not sure whether auto update actually helps much. Opera does check for updates and notifies the user, but does not automatically download them. Compared to the security and reaction time of browsers that do, such as Firefox and IE, automatic updating does not have a very significant impact on the browser security. Taking independent security advisories seriously and quickly implementing patches, fortunately does :)

Looking through it now :)

I agree to some extent on the security advisories bit. For you and me that's a no-brainer. This however is aimed at the home user and security patching is not exactly high on the list of things to do for the average user... at least not yet, hopefully that will change over time.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Requia ☣

Quote
... at least not yet, hopefully that will change over time.

You have way too much faith in the monkeys.
Inflatable dolls are not recognized flotation devices.

Requia ☣

Also, why the hell is UPnP enabled on thousands of dollars of security software?
Inflatable dolls are not recognized flotation devices.