Opera 10.10 released

Discussion in 'other software & services' started by bman412, Nov 23, 2009.

  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I like large fonts and clear buttons on the browser, that's why I use the AEON BIG theme and the NOSQUINT 2.0.4 extension set for 125% on Firefox. The result is perfect for me. However I use Vista so not sure whether these are compatible with W7?
    ellison
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't particularly fancy Unite, but in Opera's defense (and in defense of realism) with regard to all the talk of Unite security...


    One rather important thing is being ignored here. Apparently the argument is that "malware could enable Opera's Unite feature and this would be very bad." There's a problem with that argument.
    1) Where would this malware come from? It can't materialize from thin air, so either the user has to install it himself or the malware has to be installed via a remote code execution exploit, such as the ones that occasionally surface in any web browser. If the user is a fool and installs the malware, then there's nothing Opera or anyone else can do about that. If the malware infects the system via a remote code execution exploit, then we come to the problem with the argument.
    2) After the malware has been installed by a remote code execution exploit that allows it to run arbitrary code on the system or by the user willingly giving the malware admin privileges, why on earth would the malware bother to enable Unite when it could do far worse things? You know, things like kernel mode or user mode rootkits depending on the user's privileges, setting up a real server instead of the very primitive Unite that requires Opera to be running to work, installing keyloggers, and so on, ad nauseam.

    In short, why would any malware, after it's already infected a system and has the freedom to do anything it pleases, bother to mess with something like Opera Unite that is present on relatively few systems and doesn't offer anything that the malware couldn't do itself, without Unite? I don't think it's exactly very likely that we'll ever see ITW malware that tries to enable Unite for its own ends...


    The real security issue with Unite is that it's just more code, and more code means more vulnerabilities. The same problem would exist if Unite wasn't a kind-of web server, but a simple local media player instead.


    As far as bloat is concerned, I think it rather depends on one's definition of the word. One might note that Firefox without any extensions takes practically as much hard disk space as Opera, but Firefox has far fewer features than Opera out of the box - no mail client, no BT, no mouse gestures, nothing. Personally, using my definition of the word bloat and my experience with the browsers, Firefox by far is the more bloated browser, being pretty much as large as Opera on the hard disk but having far less features out of the box, and still being slower to start, browse and taking more memory.
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thanks, i may try it, but i just installed FF and didn't like it much. Too much CPU, font size too small (i mean in webpages, not the GUI)...

    I installed Opera 10.10 over Shadow Defender. Upgrade installation.


    Yeah, Opera Unite is "disabled", huh?

    http://img100.imageshack.us/img100/2017/52339325.png

    This alert from Windows Firewall comes only when you have server application running. Normal Opera prior to Unite never had this alert. I only have this for Torrent and EMule. So much for disabled.


    Then i go to about:config, in webserver section:

    http://img685.imageshack.us/img685/4291/12441275.png

    Doesn't sound very disabled to me. It's set to even use UPnP to auto-open the router ports. Not to mention the "always on".

    These are defaults, nothing touched.

    I may go back to Opera 9.64... FF seems too CPU hungry, although quicker for me, but also the font sizing is horrible and I tried the speed dial plugin and I didn't have a clue how to configure it. You must be a rocket scientist to use that compared to the ease of Opera.

    Probably I'll put Opera 9.64 and hope the vulnerabilities didn't apply there... I have a friend that was using IE 5 for years. He even said that he was feeling more secure because nobody cared to make exploits against such an outdated version. Maybe I should do the same with Opera and bet on 9.64. :D


    This is what i am talking about fonts. When i was in XP, IE was great in that and same as Opera. FF was always weird, i always had to increase font size.

    In 7, again using 125% DPI, IE is worse than Opera, for my taste.

    Opera: perfect fonts, nice bold on the left column, photo crisp.

    http://img692.imageshack.us/img692/5129/33918876.png

    Default IE (125% zoom). Seems too stretched, photo blurred from the zoom:
    http://img685.imageshack.us/img685/633/70259629.png

    IE set at 100%: Fonts too small, photo crisp.
    http://img504.imageshack.us/img504/1680/94420416.png


    FF at default is more like IE at 100%, only worse.

    In XP IE was just like Opera. In 7 it's all messed up...

    So i will prolly stay with 9.64
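
A firewall prompt and an about:config value are indirect evidence; the socket table shows directly whether the browser process holds a listening port that other hosts can reach. The following is an added example, not part of any post in this thread: it parses `netstat -ano` output and reports the non-loopback listeners owned by one process. The sample output, PIDs, port numbers and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.20:49712     203.0.113.10:80        ESTABLISHED     3120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:8841             [::]:0                 LISTENING       3120
  UDP    0.0.0.0:1900           *:*                                    3120
"""

# Constructed PID -> image name map, standing in for `tasklist` output.
SAMPLE_PROCESSES = {
    4: "System",
    888: "svchost.exe",
    1500: "mDNSResponder.exe",
    3120: "opera.exe",
}

# Proto, local endpoint, remote endpoint, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z0-9_]+)\s+)?(\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split '0.0.0.0:135' or '[::1]:8841' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def listeners(netstat_text):
    """Return every socket that accepts unsolicited traffic.

    TCP rows count only in the LISTENING state; every bound UDP socket counts.
    """
    found = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line, or unrecognised row
        proto, local, _remote, state, pid = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        # Drop an IPv6 zone id such as 'fe80::1%12' before parsing.
        address = ipaddress.ip_address(host.split("%")[0])
        found.append(
            {
                "proto": proto,
                "port": port,
                "pid": int(pid),
                "loopback": address.is_loopback,
            }
        )
    return found


def exposed_listeners(netstat_text, processes, image_name):
    """List (proto, port) pairs the named process exposes beyond loopback."""
    wanted = image_name.lower()
    return sorted(
        (sock["proto"], sock["port"])
        for sock in listeners(netstat_text)
        if not sock["loopback"]
        and processes.get(sock["pid"], "").lower() == wanted
    )


if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES, "opera.exe"):
        print(f"opera.exe is reachable on {proto} port {port}")
```

An empty result for the browser's image name means it holds no socket reachable from the network, whatever the preference page displays.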
     
  4. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    No squint will sort the web page font size (and images) for you
    https://urandom.ca/nosquint/
    Can't help you with the CPU problem though
    ellison
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes. Mentioned vulnerability previously.

    Because enabling Unite would be more sneaky? Because I have Unite enabled without getting a UAC alert even if I have max setting?

    But, the kernel mode rootkit would have to pass Win7's x64 PatchGuard and UAC, right?

    Because I just installed Opera 10.10 and Unite was asking from Win7 firewall server rights, which if I were "Joe Doe" I would happily grant, laying the way for the exploit.

    I don't think ITW malware would try to make different things, including taking advantage of my Utorrent, but you know how they say that p2p for example are a risk.

    The issue here is. Utorrent, i want it, so it's an accepted risk. A local server i don't want it, so why run the risk, based on the probability that most likely i won't encounter a malware that will try to take advantage?

    It's the same reasoning with fixing most of browser vulnerabilities, including the one in 10.01. Is there a proven malware ITW for that vulnerability? No, it's a POC. So why fix it? Because if it doesn't remain a POC, you leave your users vulnerable.


    Well, in FF's defence, on my PC it is notably faster than Opera. For me bloat is adding features that are 1) not related to the main purpose of the program, 2) are not needed. For me, FF may be more inefficient in the way that it is coded and thus eats more CPU (I don't care about disk space). I don't consider that bloat. It's "heavy". I consider bloat making for example a registry cleaner and then adding defragmenter, system optimizer, calendar, password manager, etc.
     
    Last edited: Nov 24, 2009
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, since i m still at Shadow Defender, i may as well try that too. Thanks.
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Dear Ellison, you saved me! This NoSquint is awesome! Basically I've set no zoom for photos, 120% for text and it's pretty close to Opera. The rendering isn't always identical, after all they have different engines, but it feels very "natural". Actually Wilders' is the most "strange" site till now. All fonts seem "bigger" than normal. But, I guess one gets used to it.

    This and "mouse gestures" could be all I need. I am not fond of too many addons.


    A question. Once you install Firefox plugins (addons) from the web, is there a way to save them for an offline installation for the future?
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It wouldn't be very sneaky at all. Especially not when the user could easily see that Unite is enabled in the menus and a possible software firewall may ask for server rights for Unite and other such things. Now, obviously the malware could try to hide these things by for example killing the firewall and manipulating Opera's GUI, but that would require doing things much worse than enabling Unite, which begs the question why they would bother with Unite when they could just install a real server that would also work better, be easier to hide and would not depend on Opera running on the system. (What if the user uninstalls Opera? There goes malware's server? More importantly, what if the user does not have Opera installed, like most internet users don't?) Quite frankly, it don't make any sense for malware to go enabling Unite if it already has that kind of system access. If it has that kind of access, it can do anything it pleases without Unite.

    It's not exactly difficult to bypass UAC. Or PatchGuard. They're not security boundaries. UAC is for limited user compatibility, and PatchGuard for stability. They are not very effective as security features. People that do rely on them as security features are likely to be disappointed sooner or later.

    And whereas x64 driver signing requirement can make kernel rootkits more difficult to install, a kernel rootkit is not required to do things that are much worse for the user than somehow abusing Opera Unite. You can keylog without kernel mode rootkits, you can hide things without kernel mode rootkits, you can set up a server without kernel mode rootkits, without UAC ever uttering a word...

    If you grant server rights to Unite, it's no different than granting server rights to any other software. You open a port, and expose the app holding that port open and listening to traffic to possible attacks. That's how it always goes.

    As for P2P being a risk, it's that because of the sharing of files of questionable content (many are malware infected), adding yet another potentially vulnerable software on the system, and opening up ports. It's not considered a risk because some malware might enable a P2P program that you've installed but are not using yet. If malware could do that, it could already do far worse things. Aren't we concerned that malware could use Windows disk tools to format our hard drives? I'm not, because to do that, the malware would have to get access to the system, and at that point, it doesn't need Windows' own tools to format the drive.

    I'm not saying you should run the risk. If you don't like Unite, don't use it. I don't use software that I don't like, neither should anyone else (unless they have a really good reason, like being forced to do so). Any fans of Opera that hate Unite should send feedback to Opera devs if they really care about the subject so strongly. I'm only saying that malware turning on Unite isn't exactly something worth worrying about. If you've got malware on your system that has enough access to turn on Unite, you have far bigger problems than just Unite. Like rootkits, keylogging, and basically everything.

    Fixing vulnerabilities is a rather different case. Those are coding mistakes - something is working in a way it was never supposed to work, and this is causing a security weakness. In Unite's case, there is no vulnerability that has yet been discovered. Unite exists in Opera by design, and can be turned on by design.
     
  9. rolarocka

    rolarocka Guest

    Yes with another addon :D called FEBE.
    https://addons.mozilla.org/de/firefox/addon/2109
     
  10. rolarocka

    rolarocka Guest

    Unite is off by default:
     

  11. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    But upon installation it already is enabled and already asked for server rights! A not so suspicious user would reply "Yes" to the Win7 firewall prompt, since he was just installing Opera, Opera was giving prompt, why not allow it!
    As for the menus, i see nothing different than my previous Opera version by looking the interface, yet it tried to get server rights.

    No, you are "Bob", not techie, and you already gave firewall server rights when you first installed Opera. The malware has already server rights. BTW, firewall alert is an issue with your hypothetical kernel malware too. Only it may raise more suspicion.

    The "attacker" could use unite as a more sneaky road and since he has complete control over the PC, he can then proceed to plan B if something goes wrong with Opera? What if the user doesn't have Opera? He isn't vulnerable... I guess with the mentality "what if the user doesn't have Opera", no vulnerabilities that have ITW exploit should ever be fixed...

    The question isn't whether it is difficult. It is whether it is easier to use a ready server, rather than trying to bypass the UAC and PatchGuard. Or rather, why bypass UAC and PatchGuard when as a first option you can use what's already there...

    The question again is, why try to bypass the driver signing, to avoid the infamous "compatibility mode", when you can use Unite without having to bypass anything?

    1) Unite , actually Opera, asks for server rights immediately. A "normal" user, will grant them. He just installed Opera, why not!

    2) Having a webserver running is not just like any other software that can act as server. It is much easier to exploit the Unite , for which "joe doe" already gave probably access when he installed , because it's a webserver, than to exploit for example Torrent. Because in that case, you will have to make a specific exploit for Torrent.

    It's not just what you download. There are also "trojanised" versions of p2p programs as well as remotely exploitable vulnerabilities of the p2p software itself, which is why in all p2p communities it is always advised to update your client regularly.

    Quick example here:

    http://marc.info/?l=bugtraq&m=113838669027765&w=2

    http://torrentfreak.com/soulseek-p2p-application-vulnerable-to-remote-takeover-090530/

    I am concerned in general about risks. I don't say "Since this risk is bigger, i shouldn't worry about lesser ones". That's my mentality. Since i don't have use for a webserver, why have it "onboard"? Isn't that adding yet another risk?


    It's what i intend to do. The problem is that it's part of Opera, so i can't use Opera either...

    If they have some easy to find email , i will be happy to mail the devs.

    I think a malware actually needs less access to turn on unite , than to bypass the signed drivers of Win7x64 and UAC. That's what worries me. And since it's a possibility, why leave it... I mean, i 've used p2p always. It's a risk. When i read about a vulnerability, i make sure i have the newest fixed version. You could say "How probable is that someone makes a malware to exploit remotely your p2p client?" Very low. But, the devs fix it, because very low isn't zero. I think that's in general why browsers fix vulnerabilities even if there is no ITW malware.

    Is there ever any vulnerability in any software, and especially browsers, before it gets discovered? :p All code in a browser exists there by design. The problem is when the code is "bad", allowing vulnerability, not whether it was there by design. I mean, I don't understand that.

    If a vulnerability in Unite exists, say, being exploited remotely, will it matter if Unite was there by design? o_O What will matter is that it is exploitable!

    Anyway, NoSquint is nice, but fonts in Wilders' are way too big, I will put back 9.64.
     
    Last edited: Nov 24, 2009
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Hmm, this was what made me leave FF for Opera in the first place. Why don't they put some basic features by default? Like mouse gestures...

    It's always "another addon"...


    Off by default, but asks for server rights on Win7 firewall and on about:config shows always on? That's a non configured server maybe. But doesn't sound completely off.

    Anyway, i m not going to use it.
     
  13. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    My concern with Unite isn't as much about security as bloat.
    It's a tool that I don't want or need.
     
  14. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    This one is excellent
    http://mozbackup.jasnapaka.com/
    You can choose whether to back up addons, cookies, bookmarks etc
    A fine utility :thumb:
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thanks, but unless I figure out something else about the fonts, I will go back to Opera 9.64. Text at 120% with NoSquint works perfectly for most sites. But in Wilders' things are desperate.

    With Opera:

    http://img522.imageshack.us/img522/7469/84730835.png

    With FF:

    http://img688.imageshack.us/img688/4696/74258722.png

    I guess i could use "per site" settings, but i hate even the idea of that. I ll see if i can find something in actual type of fonts used that is different.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That is always the case at the Opera forum. It is heavily populated by fan-boys. Ergo, anyone with a discouraging word is flamed &/or exiled very quickly.

    So I'm in trouble if I stay with 10.01, & I'm stuck with unwanted bloat if I move to 10.10. Oh well... back to K-meleon.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Wait, I'm a tad confused here. You're clearly saying that malware could enable Unite without the user knowing it, but apparently you're also saying that Unite is enabled upon installation? ... How can malware secretly enable Unite if it's already enabled by default? o_O Either Unite is enabled by default and malware can't sneakily enable it (because it's already enabled), or it's not enabled by default and malware could enable it, but probably won't, since that wouldn't be very useful for anything.

    As far as the menus are concerned, 10.10 has a new entry in the Tools menu "Opera Unite Server" that did not exist before, and that says whether Unite is enabled or not. There's also a new Panel that does the same and more.

    No, malware doesn't have server rights. Opera does. Opera is not the malware, and the malware has to come from somewhere and infect the system before it can do anything at all to Opera. If you get your system infected with malware, it does not need Opera to do what it wants. Sure, it could use Opera for traffic, or it could use IE, Firefox, or any of dozens of Windows' own executables. Or it could just use its own functionality or third party software that does it much better than Opera's unite.

    As for firewall alerts being an issue for kernel malware, the answer is simply no. Any malware that has gotten in the kernel can easily bypass a software firewall without the firewall ever seeing the traffic or warning the user about it.

    Except that Unite is not a more sneaky road, especially not for a malware that has complete control over the PC. You do realize, do you not, that if you've got complete control of the PC, you can setup a kernel or user mode rootkit hiding a real heavy duty web server software of your choice on the system? Or malware could use Windows' own BITS service to sneak data out. That would be a million times more sneaky than playing with Unite.

    You're completely missing the point here. All vulnerabilities should be fixed. But what we're talking about here is not a vulnerability. It's a very odd scenario where a malware that already has complete control over a system uses Opera Unite for some incomprehensible reason, even when it has far better options. Realize that if you got infected by malware, and it got full control over the system, then even if you don't have Opera or Unite on the system, the malware can still set up a file server if it wants to. Unite, like any piece of code, potentially has security issues. But those issues aren't "malware could maybe enable this feature, even though there's absolutely no reason to when it could do the same things better without enabling this feature".

    You don't need to bypass UAC or PatchGuard to run a file server. The malware can do that without PatchGuard or UAC doing anything. Malware can also perform keylogging without UAC or PatchGuard doing anything. Malware can delete user files without UAC or PatchGuard doing anything. And so on, ad nauseam. You need to do some reading on UAC and PatchGuard to understand what they do and what their limitations are. They prevent only a very select few things and can't hold up against an attack by someone who knows about them.

    And it is easier for a malware to use its own component for serving files, because Unite is very primitive, unlikely to be present (most people don't use Opera) and dependent on Opera. Unite is simply a poor choice for malware purposes.

    You don't have to try to bypass anything, because you can run a file server without bypassing anything, UAC, PatchGuard, or without using Unite. That's why I'm saying that it's pointless to consider malware possibly enabling Unite as a threat.

    A server is a server. If you run a web server, then you open yourself up to the vulnerabilities in that web server software. If you run a torrent application, you open yourself up to the vulnerabilities in that torrent application. Whatever server software you're going to exploit, you're going to have to make a specific exploit for that software or at least any server software it shares the same vulnerability with (that can happen). Of course, different server programs in different configurations carry different risk. If you're doing a one-time direct file transfer with some IM program and opening a random port for that for one single other IP for about five minutes, that's quite a bit different than keeping Apache running for 24/7 serving a complex web site where users can upload content.

    I don't recall saying it's just what you download. I'll just quote myself: "As for P2P being a risk, it's that because of the sharing of files of questionable content (many are malware infected), adding yet another potentially vulnerable software on the system, and opening up ports."

    As far as trojanized versions of P2P programs are concerned, I don't consider that a risk of P2P, I consider it a risk of using software from untrusted sources. You can just as easily create trojanized browsers, email clients, or text editors as you can P2P applications.

    My mentality is "Understand the risks, and don't worry about those things that are not risks." It is pointless to worry about malware that already has full access to your system enabling some features in software you've already installed. You should worry about the malware that has full system access. Stop the malware, and you stop the problem. If you start thinking about what malware could do when it's got full system access, then you're in a hopeless situation if you intend to solve the problem by removing features from installed software so that malware can't enable them. The reasons are obvious: 1) the very operating system itself has tons of features that malware could use if it wanted and you can't even delete those features or uninstall them in any way, 2) if malware has full access, it can just install anything it likes, so if it really wants to play with Unite, it'll just download it from the net if you don't have it installed and even if Unite comes in a separate installer. In short, if you let your system be infected with malware, then it's game over, and it doesn't matter at all what software you have installed or haven't. The malware can do what it wants. Unless your head or some security software or feature can prevent it from infecting the system.

    If you don't want a webserver, don't install one. That is certainly wise. The less software you have on the system, the less vulnerabilities you have on the system. This can cut down on the number of vulnerabilities that could be exploited to infect the system in the first place. If the problem is that your favourite browser has a webserver that you don't want, then there is no other solution than deciding whether you like the browser more than you dislike the webserver. At least, that's how it is unless you can convince the makers of the browser to stop including Unite.

    They certainly have developer blogs, and there's an Opera forum. http://my.opera.com/desktopteam/blog/ I would imagine that an email address should be easier to find than writing long posts on message boards would be. :)

    Things that malware can do on your system without doing anything to bypass UAC, PatchGuard or driver signing, or even requiring admin privileges:
    - hide files and processes and anything with a user mode rootkit
    - keylog passwords and other sensitive data and send them to the attacker
    - destroy or steal any file the user has write access to, like the user's profile folders
    - set up a spam bot, DDoS bot or a web server
    - use the computer as a proxy server for shady activities
    - redirect your web traffic to malicious or obscene pages (for example, by loading a malicious DLL into your browsers to do this)
    - or malware could hope you have Opera 10.10 installed and secretly enable Unite, and be really, really evil... :D

    I repeat, malware can do all of this, and more, without UAC or PatchGuard ever doing anything to stop it or to inform the user. This is why Unite being enabled by some malware isn't a problem. If malware has enough access to enable Unite (which, by the way, requires you to have an account at Opera or it won't work) it has enough access to do things a million times worse without Unite.

    It's not about probabilities. It's about logic. If your system is already compromised, the issue is not that the malware could use your installed software for malicious purposes. The issue is that your system is compromised by malware. Fix the real problem.

    All vulnerabilities exist before being discovered. How could they be discovered if they did not exist? :) The problem is that you don't know what vulnerabilities do exist, if any. If you knew, then they would be already discovered and known to you.

    Whether something is by design or not is critically important. Unite exists by design, and can be enabled by design. But if Unite had a vulnerability that for example allows anyone who connects to a Unite file sharing service to execute arbitrary code on the system, that is not by design - unless the developers made it intentionally as a secret backdoor. The "by design" thing is important because it dictates the response to any perceived issue with the software. If Unite has some vulnerability that is exploitable, then that vulnerability will be fixed when discovered, if possible, because Unite was not designed to work that way, the vulnerability was created by a coding mistake, not by intentional design. On the other hand, if Unite was not in Opera by design, but somehow got in accidentally, then they'd just fix any vulnerabilities by removing Unite entirely, since it's not there by design.

    The point here: Unite is not a vulnerability. It's a piece of software that most likely has vulnerabilities. What we are discussing here is not a vulnerability that has been discovered. It is a very contrived scenario where a malware that already owns the system starts playing with Unite when it could do the same thing better without playing with Unite.

    When and if real vulnerabilities in Unite are found, those are security issues. But the ability for malware to enable Unite after malware has owned the system is not a security issue.

    Long post, but perhaps it hammers in the point. :D
     
    Last edited: Nov 24, 2009
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You know, how about actually USING Opera, and then come and try to engage in debate? That courtesy would save people the trouble of having to correct the most basic of mistakes with your statements, such as not knowing that Opera asks for server rights regardless of whether Unite is enabled or not.

    And why would Opera Unite be "not very useful for anything" to a hacker? You have the potential of transforming the attacked machine into a web server. I don't know if there's anything more useful to a hacker than that.

    I didn't bother to read the rest of your post, which was irrelevant drivel. The simple fact is that Unite introduces an extra - and VERY powerful - mechanism for malware to take advantage of, lowering the bar for a successful attack and elevating the potential severity of the payload. How the hell is that a good thing?
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I took the plunge and read Windchild's post. ;) It was good reading. :thumb:

    What I took from it, if people are worried what malware will do once it has infected a system, and if it will use Opera Unite for malicious purposes... people should be more worried about the malware being on the system in the first place and what it could do by itself (without the aid of what it will do with Opera Unite).

    Also there are far better ways for malware to cause damage to a user's system or extract information from a user (keylogging - using Windows services), than for malware to rely on Opera Unite to do its dirty work (in a browser which has an almost insignificantly small market share).

    Also any problems will most likely be rectified by developers. I understand the concerns by users here, but nothing has actually happened to any users, so for the time being, I wouldn't worry (there is more chance of Windows posing a security risk than Opera).
     
  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I have used Opera (yes, also 10.10), and I do know that Opera asks for server rights whether Unite is enabled or not. But then, it also asks for server rights when you use the built in BT client, and that ain't Unite's doing. I did not claim otherwise. What I did claim is that you can't have it both ways: you can't secretly enable something that is already enabled, or the other way 'round. By default, Unite is not enabled, and I sure don't know of any way to remotely enable it. Do you? If a malware running locally enables it, that's one thing - but that malware could just as easily start a real web server instead of silly Unite.

    Because Unite is a pretty primitive thing, because most people don't use Opera, and because using Unite to transform the attacked machine into a web server in your control most likely requires the attacker to have the kind of system access that would allow him to do the very same thing and worse things without using Unite. If you believe I'm wrong about this, please do explain the mistake in my thinking.

    I have not said that Unite is a good thing, have I? Please feel free to quote where I said so, if you think I did. As I remember it, I said that I don't fancy Unite, and that it, like any software, is likely to have vulnerabilities of its own. My point in this thread has been that malware or a human attacker can't just magically jump on the system and enable Unite. It has to get access to the system first, exploiting either user stupidity or a software vulnerability. Either way, it's highly likely that a successful exploit of either will give the attacker system access that allows for doing far worse things than enabling Unite. Therefore, I don't see how malware enabling Unite on a system is a threat or security issue. If malware has that kind of access, what's stopping it from downloading and installing a better, more effective server software and hiding that with a rootkit? Which, by the way, is something that attackers have already been doing for a long while, without Unite.

    I don't think I like Unite much more than you do, and it's not something I would use. But I try to maintain some level of realism. Unite can be an issue because more code means more vulnerabilities. But malware enabling it in secret really isn't something you should spend your days worrying about. It might be wiser to stop the malware from getting on your system in the first place.
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thanks for the tip on the Firefox theme. I know a few people that have always wanted a large theme, and Aeon Big Theme would work along with NoSquint. Good stuff. :)
     
  23. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Wrong again. Unite-enabled builds automatically request server rights upon startup.

    "Just as easily"? Oh, come on. Which is easier: writing your own web server while trying to keep the code compact, or simply turning on and configuring one that is already there?

    Security via obscurity is a broken model. It does nothing but provide you with a false sense of security, and that's the best-case scenario.

    It's also easier because there's already a web server - produced by a legitimate company, and most likely trusted by the user - installed on the target computer.

    Which is irrelevant in this thread because everyone already knows that. We're not idiots who need to listen to you rambling on and on for pages stating the obvious. People don't like Unite not because they're paranoid and worried about the sky falling on their heads or monsters popping out of thin air, they don't like Unite because of the legitimate and inherent security risks of having web server software installed on their PCs. And to that you have (as of yet) nothing useful to say.
     
  24. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I really do fail to see where I was wrong about that. Perhaps you ought to read my post again. I did not say anything about whether Unite will cause server rights to be requested on browser startup or at some other point in time. But if you're interested in that, sure, in my experience Opera's BT asks for server rights only at the point in time when you actually try to use that feature, whereas Unite seems to ask either 1) on browser startup or 2) if you turn Discover Local Opera Unite Users off, less predictably and sometimes not at all if you don't leave the browser running for hours. I don't see what this has to do with whether Unite is enabled by default or not, though. Asking for server rights does not equal Unite's web server being enabled and serving your files for the whole wide interweb.

    They don't have to write their own web server. Unite is not quite the only web server software in the world, and the bad guys could use one of those that aren't Unite, like they've been doing so far. The problem with using Unite instead of your own or borrowed server code is that Unite won't be on all systems, even on most systems. So, yeah, "just as easily", in the sense that Unite is a weaker solution (less stable, requires Opera that isn't present on most systems, poorer performance, and so on) and that if you've got local access to enable Unite, you've got access to run a different web server that doesn't need Opera. Wait, scratch that. Actually, it's easier to set up a server that isn't Unite for your malicious purposes, since code that does this already exists, but so far I haven't seen code designed to use Unite for malicious activity out there to be borrowed and therefore you'd have to waste time writing it yourself.

    But sure, if we go for a really contrived scenario where someone knows that you're running Opera and writes a malware specifically for you that does nothing but secretly enable Unite, then that can be done in pretty compact code. Doesn't make much sense, though. If they can convince you to run their malware, why not make it a better malware? You won't even have to code it yourself, so it'll save your time and give you better control over the target system... But I guess, if you just want to be silly, you could use Unite.

    Obscurity can add security, without requiring that the entire security model is based on obscurity. Running a server on a non-standard port will prevent some automated attacks for example and therefore have a positive security impact, but it would be insanity to rely only on the non-standard port for security. Obscurity can serve a useful purpose in a security policy, as long as it's not the whole policy. In Opera's case, the attacker would be somewhat strange if they were interested in owning systems to use as web servers, but only decided to attack those with a relatively rare browser that ships with a built-in disabled web server. Especially when it's quite possible that the average Opera user is more of a computer hobbyist than the average IE user for example, and could be a harder target in addition to being a rarer one.

    And still, to turn it on, it requires the kind of local access that also allows you to set up a server without Opera, and also hide that server, so the user doesn't have to trust the browser with the right to act as a server (some users wouldn't do that, you know). Doesn't sound easier to me.

    It seemed to me that everyone did not understand that to enable Unite, malware has to have local access that allows it to do even nastier things, which would make worrying about Unite being enabled a rather weird way to pass one's time.

    I'm not saying that people should just love Unite or that they should not dislike it. I'm saying that you can dislike it all you want, but at least dislike it for the right reasons (more code generally equals more vulnerabilities and Unite is more code, and any server is a risk in itself). Don't dislike it because someone might get malware on your system and then use it to turn on Unite. If you're going to worry about that, you should start worrying about stuff like Windows' own file sharing, BITS, Remote Desktop... If malware can access your system so easily, it can turn all that stuff on with the config of its choice, and Opera isn't required. :)
     
  25. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    A few older articles:

    Opera CEO Claims Unite is Secure, But That's Not Its Real Problem - 7 July 2009
    http://www.readwriteweb.com/archives/opera_ceo_claims_unite_is_secure_but_thats_not_its_problem.php

    How secure is Opera Unite? - 16 June 2009
    http://www.betanews.com/article/How-secure-is-Opera-Unite/1245176152

    And something more 'extreme'.

    Pwning Opera Unite with Inferno’s Eleven
    http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

    And then this in news - new version more secure than previous versions - 24 November 2009:

    "Opera has fixed three potentially nasty security vulnerabilities with the release of a major new version of its web browser software."
    http://www.theregister.co.uk/2009/11/24/opera_revamp/
     
    Last edited: Nov 24, 2009