Interview with Christen Krogh, Opera Software’s VP of Engineering

Christen Krogh is responsible for all software development at Opera. Krogh received his bachelor’s degree in computer science from Glasgow University and his Ph.D from the University of Oslo.

What is Opera’s market share? How many users?
Market share is a difficult number to measure and different companies use different methods and track different websites, so a true and accurate representation is almost impossible. Our numbers though are more interesting: we have between 10 and 15 million users of the desktop browser, more than 10 million cumulative Opera Mini users, come pre-installed on more than 40 million mobile phones and are available to anyone using Nintendo Wii or Nintendo DS.

In your opinion, what are Opera’s strengths when it comes to security?
Our strength is that we take it really really serious. We have an excellent Q&A team that tests the browser versions prior to release, both manually, and automatically. We even have a group of skilled experts who call themselves “Evil Knights” working at finding holes and issues prior to launch.

Second, we try to develop our product in such a way that it helps the end users to browse safely. Our advanced Fraud Protection is one example of such a feature. Thirdly, whenever something comes up as a security issue after we have launched a product it takes first priority. We aim to never let a security issue stay unpatched.

Does Opera use technology that makes it stand out from other browsers?
For us, security is largely about architecture, process, and user interface. Architecturally, we might be less prone to certain issues, due to the fact that we have a self-contained browser application with few necessary dependencies to the underlying platform. Process-wise, we might test more diversly than the competition, due to the fact that we release our products on the largest amount of different platforms. Regarding user interfaces, it has always been a design goal never to mislead the user that they are in a safe environment when they aren’t.

Do you believe that you are more secure than other available browsers?
Security can be classified in several ways. Security is a function of architecture, process (including QA), and design (including user interface). For the lay person, however, security is measured largely by statistics:

1) how many issues
2) how long (on average) did it take to release a QA’ed version with a patch (as opposed to how long did it take to have a suggested code change which is not Q&A’ed)
3) how many issues are unpatched (at any one time)
4) the severity of an issue.

The only way of evaluating this is to cf with an independent advisory organization such as secunia.org. According to their independent analysis, we have a superior track record, of which we are very proud and work hard to maintain.

How many security issues have you patched in 2006?
According to secunia.org, Opera 9 had two known security vulnerabilities in 2006, both were patched. In 2006, Opera 8 had two reported vulnerabilities, both were patched.

What has been your average response time to a reported critical vulnerability?
If reported correctly with sufficient details in the report, it is usually less than 24 hours.

Do you believe that your level of security would drop if you managed to get a quite larger portion of the market?
No. I dont think so. Recall the distinction between principalled security and the lay persons perception. Our principalled security will be at least as good with higher market share. The amount of attacks directed at Opera only might increase, but it is important to remember that almost all attacks are tried out on all the main browsers. Thus the net result of even more attacks will most likely not be significant. What *will* be significant, however, is that the overall security level of end users browsing will be better if Opera gets a larger market share – due to the facts discussed above.

What’s your take on the full disclosure of vulnerabilities?
We prefer that reporters contact vendors prior to disclosing a vulnerability in order to ensure that the impact on innocent bystanders (i.e. end users) is as minimal as possible. When there is a patch available from a vendor, we understand and respect that some reporters want to disclose their findings to the community.

Don't miss