Me again!! Well hopefully these posts keep us occupied!

A few quick questions:

Opera Encryption (or lack of) Warning

As you can tell I'm new to Opera so please bear with me if this is a "basic" question. Why do I keep getting the warning when sending web mail or on certain sites "This form is being submitted without encryption"? What does actually mean (my e-mail can be intercepted and read?)and how do I "encrypt"?

Word

OK I should know the answer to this as I have been using Word on Psions for years but my brain is hiding the answer. To create a default for a blank Word doc. so that every time you open a new file it has your preferred font and size etc you create a new doc amend accordingly and save it as

C:\ System\Applications\Word\Normal

When I then tap on the silk screen icon I get what I was expecting (i.e what I set up the default to be) but if I use New file on the drop down menu I get the Psion default. Is this normal?

Thanks all!

Grant

In regards to Word and creating a new file, that is what always happens to me. I believe that my "new" files have the word wrap turned on, etc., all of which are off in "Normal". I think that what you are experiencing is standard.

Hope this helps.

Thanks Brian - nice to know that It's not a quirk of my "Malaysian" Netbook. Yet oddly , this does not appear to be the case with my 5mx which appears to open in my prefined default whether it's from the screen icon or the drop down menu - interesting!

Grant

File -> More -> Save as template

then it's appear in \System\Templates\Word\name_of_template (Normal for default)

Of course!

Thanks Raindog

Hi Calbrit,

As for Opera Encryption Warning.

A good news is that Opera does its job correctly and your connection is indeed not encrypted. (Some browsers don't tell you this potential risk on default, but anyway that doesn't make the risk magically go away.)

A bad news is that there's a risk, and there's no solution. It's more a server side issue than the browser side, and as such there's nothing you can do other than complaining to the web administrator to implement the encrypted connection :(

And the rough idea of network-based communication: You're talking to your server loudly, and anybody between you and the server can listen to your talk if they so wish. You cannot stop them. If you don't like it, you speak in a secret language that only you and your server can understand. That's the encrypted connection.

As you correctly guessed, anytihng that is transmitted through a non-encrypted connection can potentially be "listened to" by somebody else. This is on a par with a standard POP/SMTP, by the way.
To prevent this, you have to make sure that not only the connection between you and your server but 100% of the connection route from your server to the recipient is encrypted, which is simply impossible.

All in all, if you think your email is really of a confidential nature, then please do not use email (whether webmail or standard SMTP doesn't matter). Instead you can phone or FAX or even use a postal mail (yes phones and postal mails can also be intercepted, but they are more point-to-point than email transportation mechanism, thus less middleman-listeners). Otherwise, please don't be scared too much, and enjoy your netBook life;)

Best wishes,
Keita

Thanks Keita, I hadn't realised that my e-mail/web activity was also unencrypted. Iguess that MS keep quiet on this front!

Grant

Originally posted by ktkawabe

As for Opera Encryption Warning.

A good news is that Opera does its job correctly and your connection is indeed not encrypted. (Some browsers don't tell you this potential risk on default, but anyway that doesn't make the risk magically go away.)

A bad news is that there's a risk, and there's no solution.

the solution is opera 3.62 aka 9.0.

Hello Calbrit,
Thanks Keita, I hadn't realised that my e-mail/web activity was also unencrypted. Iguess that MS keep quiet on this front! You're welcome, I'm happy if my post was of any help. (And in my opinion MSIE's default security settings are something between irresponsible and insane.)

And hello raindog,
the solution is opera 3.62 aka 9.0.I'm afraid either I or you or both are seriously misunderstanding either the real issue here or the functionality of Opera 5.14 or both. I may be wrong of course and it may be only me who's misunderstanding, and if that's the case I'm more than happy (quite honestly:) ). It would be nice of you if you kindly give me some counter arguements to the following points. Then we can together build up a better understanding of the current security situation of netBook users.
Writing such a lengthy post makes me feel a bit uncomfortable, but I think I have to be responsible here because we're talking about the security.

A.
An unencrypted connection is unencrypted regardless of the version of the browser. If the server doesn't offer an encryption you cannot do anything.

In Opera for EPOC 5.14 on my netBook, the warning for unencrypted form is enabled, even though it appears that the security preference shows me the opposite. Whenever I try to submit something through unencrypted connection Opera 5.14 warns correctly, and I'm yet to see any false of Opera 5.14 for this.

An easy example of this: The login feature of this forum is not encrypted as far as I can see. Try logging in to this forum using Opera 5.14. Then try doing the same using any other browser with a sensible security option. For example, if you are currently using Internet Explorer, you can change the security setting via menu-> Tools-> Internet Options-> Security-> Internet zone. Press "custom level" button, and then there's an item "Submit nonencrypted form data" under "miscellaneous" category. Change this to "Prompt" and then press OK. When you are asked if you really want to change this, please simply press yes. The next time you try to log in to this forum, you'll see a warning saying the data you submit can be read by somebody else.

B.
When the server supports some encryption protocol based on some encryption scheme, of course it depends on your browser if you can use it or not. And if you're claiming that Opera 5.14 reports the alarm when actually the server offers the encrypted connection that Opera 5.14 doesn't understand, that's different from the issue discussed above. And I think this can happen, though I myself haven't seen an example. Have you, raindog? Do you know which encryption protocol (SSL2, SSL3, and TLS1) is actually supported or not, and which raises the warning?

As a matter of fact, I know Opera 5.14 actually supports at least SSL2. It's working well on my netBook. And I cannot disable it, even though the "security" preference setting tells me otherwise. I don't know if Opera 5.14 actually supports SSL3 and TLS1, because I'm not using SSL3-only and TLS1-only web sites.

An easy example again: If you have an ebay account, please try to log in to ebay via secure channel. Normal login facility of ebay is unencrypted, but they have a secure login option (why this is not the default behavior is beyond my understanding). You can do this by going to "my ebay", then click the "secure login (SSL)" link under the normal login button. You are directed to a secure login form. Then proceed as normal. When submitting, you don't receive any warning, but you'll see a message from the server that the data is being processed, then you're redirected to the normal "my ebay" page. Try this using Opera 5.14 and any other browser enabling only SSL2.

C.
Calbrit was mainly worrying about sending the web mail unencrypted, and I think he was quite sensible in worrying that. When you asserted that "the solution is opera 3.62 aka 9.0.", I read your words in such a way that

C-1: "the webmail server in question actually supports encryption that Opera 5.14 cannot understand and thus Opera 5.14 warned, but Opera 3.62 can use it"

C-2: "and therefore, using Opera 3.62, nobody can read Calbrit's email. Problem solved"

(sorry if that's not at all what you meant, but it was possible to read it that way). And then, just for some thought-experiment, let's assume that C-1: is true (though at the moment the validity of C-1: is unclear). Does this automatically assure that C-2: is also true? No, not at all, because email transport is not point-to-point in nature and you cannot make sure that whole transport route is encrypted.

Again an easy example.
Let's think about the simplest configuration. The recipient uses a normal POP email client. Your webmail server is A and recipient's POP server is B. Suppose that you use "secure" form that is available on A to transmit email from your netBook to A. This merely means that any middleman between you and A will have a great difficulty in de-ciphering your message if they listen to your transmission. Not more than that. How about the people between A and B, or B and the recipient? A has to send this email to B somehow. Whether this channel between A and B is encrypted or not is beyond your control (most probably it's not encrypted). Then the recipient has to receive your mail from B. To ensure that the channel between B and him is encrypted, B has to offer encryption in the first place, the email client of the recipient has to support that also, and the recipient has to know that such a thing is available (and how to enable the encryption support in his favorite email client). Problem not solved. This is the reason why I wrote "if you think your email is really of a confidential nature, then please do not use email".

I'd like to stress that I'm not making these discussions for discussion's sake, I honestly HOPE to be proven to be wrong. The less security risk, the happier I am. :D

Best wishes,
Keita

leave servers alone :), we assume, that server supports encryption. the problem is that 5.14 doesn't support it and 3.62 does.

Originally posted by raindog
leave servers alone :), we assume, that server supports encryption. the problem is that 5.14 doesn't support it and 3.62 does.

Its not as bad as all that raindog! Opera 5.14 does support SSL1 to 3, and TLS1.0. All it does not support are self-signed security certificates, it supports those whose security chain goes back to a root certificate signer.

Thus only those sites who are too skinflint to invest in a verifiable certificate will not work.

Hi,

Thanks Yan, for providing such useful information about the encryption protocols Opera5.14 supports

I knew these certificate issues were discussed sometime ago in "secured banking" thread, but apart from that do you have some example of Opera 5.14 actually supporting SSL3 and TLS1?

And raindog:
I'm sorry I have to be a bit harsh here.
You didn't understand my posts and are still trying to make some security recommendation to others, which is dangerous.

I'll write the important thing first, then less-important details will follow.

I'm actually more concerned about the possibility that your post can be misunderstood as "sending email via encrypted webmail form using Opera 3.62 is free from the risk of my email being intercepted.", which is not true at all, thus increasing the potential security risk of OTHERS, RATHER THAN YOURS.

You could have written something like

It might be that your server actually supports encryption that Opera 5.14 doesn't support, and Opera might raise a warning about unencrypted connection in such a case, though I don't remember if I ever saw this warning under such a situation. Anyway in that case Opera 3.62 aka 9.0 helps to make the connection between your server and your netBook secure, though this doesn't ensure anything about the security of the whole email transfer route after your server

instead of simply saying without any explanationthe solution is opera 3.62 aka 9.0.I know that you were not trying to promote this "we're all secure with Opera 3.62" view, and it's absolutely wonderful that you are trying to help out people, but I hope you were a little more cautious.

OK, now I can go to less important details.

In the previous post, I gave you an example of Opera 5.14 actually supporting SSL2 (and it supports SSL3 and TLS1 according to Yan).
In the same post I suggested that if it's the client's side problem, it should be the matter of which protocol or cipher is supported, and I wrote it mitght be that Opera displays "not encrypted" warning if it doesn't understand the protocol the server supports (though I was actually VERY doubtful about this point).
I even asked you "Do you know which encryption protocol (SSL2, SSL3, and TLS1) is actually supported or not, and which raises the warning?".
Then your answer was "we assume, that server supports encryption. the problem is that 5.14 doesn't support it and 3.62 does.", which tells exactly nothing because:

a. It's not clear if you know anything about the server of Calbrit (weren't we trying to help Calbrit in the first place anyway? Or do you have something to believe that you know Calbrit's server?),

b. It's not clear if you've ever come across any example in which Opera 5.14 raised a "not encrypted" warning when the server offered encryption that Opera didn't support, and

c. I already talked about the possibility of this, asking you to give me some clear information/details/examples, which you didn't.

The next time you make some recommendation about security, please try to do the followings:

1. understand previous posts,
2. answer to each and every questions/points when asked,
3. back your words by some experiments/examples/facts if possible,
4. stay away when you don't clearly understand what you understand.

Of course you don't have to, but it's a better practice to do so if you act like a person who knows something about security (which you are I believe). I'll try the same. All of these because your words may potentially affect the security of others in a negative manner.

Again my apology for bringing some harsh air in this wonderful forum. (_O_)

And now you know that security is a dangerous topic for me :)

Cheers,
Keita

Oh, my finger typed it almost automatically....Again my apology for bringing some harsh air in this wonderful forum. (_O_)
This (_O_) is "a man who is sitting on his heel, touching the ground by his palms and his forehead, expressing his sincerest apology/thanks/whatnot", and it's really popular in Japan when saying "sorry". You are sitting in front of the man and looking at his head, hands and arms in this case.

You might have seen such a thing in Japanese movies (most likely crappy ones, though ;) )

Originally posted by ktkawabe
And now you know that security is a dangerous topic for me :)


my practice taught me that if a human doesn't know about security / encryption, then he doesn't need it. so, i see no sense in such long postings - my time, at least is much more expensive.

also, i want to emphasize that by posting that i'm definetely not saying that i was or am right in any way: i have problems with 5.14 and i use 3.62, but it's only my problems and my hand-made certs.

and thanks to diem for telling me the truth concerning 5.14.

Hi raindog,
also, i want to emphasize that by posting that i'm definetely not saying that i was or am right in any way: i have problems with 5.14 and i use 3.62, but it's only my problems and my hand-made certs. Yes I can't agree more. I'm sure you noticed that I've never criticized you for claiming your words absolutely right, nor for saying something that is incorrect in my personal opinion?
my practice taught me that if a human doesn't know about security / encryption, then he doesn't need it.My view on this:
Calbrit, and potentially many others, wanted to know a bit of security information (e.g. if his webmail can be read by others and such) without knowing the answer and he needed it, so we both tried to provide that info as far as we know/believe. At least I hope that was helpful. Now I think I have provided some basic informations, and he/they knows both of our opinions, so that's fine.

Another view:
My kids don't even know the words "security" and that's healthy (for now). Not only security, but this and that and bla bla. Then someday they themselves will have to think and say "OK I don't know much but don't want to care" or something else. Until that day, a mere fact that they don't know something doesn't mean they don't need anything of that sort. If they're exposed or want to be exposed to some information before that (which is very likely), I'd try to feed something I believe myself. By the way the same sentiment to all of "before that day" humans (especially those whom I know of personally). Expensive time? Yes. I don't care.

Regards,
Keita

Well they say ignorance is bliss! I'm afraid you guys have confused me somewhat. Please - no spilt blood on my behalf!

Thanks for your postings. I will have to print them all off and study them at length as I'm not quite sure what "supporting SSL2 and it supports SSL3 and TLS1 etc" all means. I feel a bit like a car driver listening to 2 mechanics talking!

Many thanks anyway,

Grant