In my previous post, highlighting the latest Washington Post security article by Brian Krebs, one reader asked "Why no statistics for other browsers? How about... surprise... Opera?"
Today I came across a short article at Heise Security that might go some way toward explaining why Opera flaws aren't discussed in the same way that flaws in the mainstream browsers, Firefox and IE, are.
Opera Software hides security vulnerabilities from their users, and from the public and the press.
Nearly as bad, when they do announce security vulnerabilities, nearly three weeks after shipping the new release, they're dramatically downplaying the severity of the problems and masking the true risk that their users face.
Now, let me make this clear up front. I am not claiming that they should be releasing the explicit details of their fixes or specific information about how to exploit the unfixed versions of the browser. But not telling the user that an update is a critical security update and that the unfixed versions of the browser are vulnerable to remote attack is just wrong.
By adopting this practice, Opera is doing their users a great disservice. If Opera has fixed any serious security flaw, the only responsible way to ensure that users are safe is to clearly and consistently explain to those users that the latest release of the browser has fixed security flaws and users should immediately update or face real dangers on the web. Opera should be using the press it gets around releases to forcefully proclaim that previous versions of their browser are unsafe and should not be used. Failing to use the loudest microphone they have to reach their users in cases involving user safety is simply unacceptable.
Even Microsoft discloses the existence of security flaws in previous releases and the details of their security fixes in the new version at release time.
Hiding the fact that they've fixed security issues for PR reasons takes away the user's only opportunity to protect herself. Betraying users for short-term public relations gains is the fastest way to lose the confidence of your users, and I wouldn't be surprised to see this cost Opera in a big way.
This is an unacceptable practice for any company that makes internet-connected software -- and when it comes to browser makers, it's hard to call it anything other than negligence. Users depend on their software providers to keep them safe, and when a software provider explicitly blocks a user's best opportunity at keeping himself safe, it is a fundamental breach of faith users should never tolerate.
At Mozilla, we've invested significant resources building a sophisticated automatic update mechanism that delivers security and stability updates to virtually all our tens of millions of users in less than 48 hours. In addition to the update system, we inform all of our users at the top of the release notes for the new version that it contains security fixes. That explanation links to the full list of issues, categorized and described in terms that both users and technical experts can appreciate. This is all done immediately upon release because we understand that there is no higher value we can offer to our users than to keep them safe on the web, even if that means describing our flaws or shortcomings in detail.
Microsoft also has a sophisticated automatic update system and has adopted similar practices in terms of disclosure. Opera Software should not ship another major release until they have a similar program in place.