Security in Opera Browser: A Brief Glance
Since our previous Security Insight newsletter where we took a look at the leading Internet browsers on the market and delved into their security standings, we’ve been getting feedback asking us to also evaluate Opera. Opera is the fast-growing but a distant-third browser, which in the United States commands only a fraction of market share compared to its more infamous counterparts.
We willingly accepted the offer and in the current article will try to cover the most remarkable security aspects of this now-free web browser hailing from the snowy land of Norway.
Opera, quoted by its developers as “The Fastest Browser on Earth”, has since fall last year become a free product that is being developed for a multitude of desktop and mobile platforms. The browser is tiny in size, weighing around 4 megabytes; it is a snap download considering modern Internet speeds. Its current 8.5 version is available for download in more than 20 languages here: http://www.opera.com/download.
External web content and third-party plug-ins
Similar to Firefox, Opera doesn’t support Microsoft-native ActiveX technology. ActiveX by design continues to fuel spyware problems and malware attacks caused by surreptitious installation of embeddable code in the background of the browser window.
Visual Basic scripts are also not supported, which many experts consider dangerous elements representing a big risk to a computer. Visual Basic scripts can be used to write snippets of malicious code, and the notorious “I Love You” virus was written in Visual Basic—so from the embeddable content viewpoint Opera is on par with its Firefox rival.
Opera supports third-party plug-ins such as RealPlayer’s embedded playback capability or the functionality of the Adobe PDF viewer to easily view a document within the Opera page. However, when the browser is using a third-party plug-in then it becomes as secure as the third-party plug-in. A lot of security breaches over the past few years occurred when a vulnerable third-party plug-in was exploited by being injected into the browser and then used as an attack vector. You can view a list of currently installed plug-ins by typing the following command in the Opera address bar: “opera:plugins”.
Encryption certificates and security protocols
When a user visits a site that supports encrypted transactions (such as the site of an online bank or a web access e-mail provider), a closed padlock icon appears at the right on the address bar. By clicking on the yellow security bar you get access to more information about the validity of the certificate issued to the server. Now most of these sites employ TLS v1.0 256-bit AES encryption; you should check to see whether the site you plan to submit sensitive information to uses such encryption. Opera supports Secure Socket Layer (SSL) versions 2 and 3, and TLS. It offers automatic 128-bit encryption, the highest available security of any web browser.
Needless to say, you should submit sensitive data only to sites that you trust and make sure the site has a valid security certificate issued by a credible authority.
A type of online financial fraud, also known as Phishing, is used to impersonate a trusted or well-known entity in order get hold of financial or other material information. Phishing is often used by attackers to gather information by designing a replica of a legitimate website and luring users to enter their details there. Opera has a built-in anti-phishing tool that alerts a user when he/she supposedly visits a spoofed site. Although the tool didn’t work quite well in our beta version of Opera 9.0, the vendor promises full-scale phishing protection when the new Opera ships out later this year. As most of the phishing sites don’t bother with obtaining a valid security certificate, let alone forging the existing one, if you spot a site that looks legitimate but doesn’t carry any certification, it serves as a sure sign that you are in the wrong place. Never leave any private information there.
Also pay attention to the address bar, which shows your exact location. A legitimate site where you’d enter your login data will look like https://www.paypal.com/cgi-bin/webscr?cmd=_login-run while the spoofed address would be anything like that: http://paypal.submityourfinancialinfohere.com/cgi-bin/webscr?cmd=_login-run. Pay attention to the protocol identification—in the first instance it’s HTTPS (which stands for Hyper Text Transfer Protocol Secure) while the former is simply HTTP.
Updating the program
An automatic check for security updates enables users to get up-to-date patches and fixes to Opera as soon as they are ready. This helps minimize security risks and makes sure users are given the most secure browser configuration automatically. Sometimes advisories, albeit of low risk, do appear pertaining to Opera, but developers deserve praise in that respect because they fix them rather quickly, something that hasn’t been seen with Microsoft’s IE.
Cookies, referrer logging
Opera allows you to customize what private data is allowed to be communicated to visited sites. Again, there’s an option to quickly define global cookie placement and referrer logging properties and then customize them specifically to the selected websites. This is quickly done by activating the “quick preferences” window and then clicking the “site preferences” option at the bottom of the window.
A built-in cookie manager will provide advanced customization options where you can set detailed control rules of what cookies to accept and reject, such as allowing for different set-ups for different servers.
Instant clean-up of an entire browsing history
Opera can be configured to clear the history and cache when exiting. Any kind of private data such as cookies, web history, passwords, history of file transfers, browser cache and more can easily be erased by simply going to the Delete Private Data dialog found in the Tools menu.
A tool called Wand can make the process of storing passwords and entering them online effortless. You simply type in your password when you visit a site for the first time and the program offers to save it to use automatically later when you return. By clicking a combination of the Ctrl and Enter keys, the login form is filled with your password; then log in happens automatically. With Wand, you don’t have to remember numerous passwords to different sites and the process of password management is much more convenient than with IE. The only thing you have to remember is that if you choose to save your passwords, anyone with access to your computer account can use the password on your behalf. To make sure this doesn’t happen, Opera offers different user accounts within the product itself which you can password-protect. It also enables users to have a unique master password to access the locally-stored password collection.
Opera can block pop-up windows, as can other web browsers. The convenience is that you can customize which sites are allowed to open up pop-ups, and which cannot “on-the-fly”. In our tests pop-ups were blocked quite successfully, though some of them still came through unchecked.
Thus far, we evaluated the Opera browser from a privacy and security standpoint. It can be seen with the naked eye that Opera Software (the developer of Opera) cares a lot about security. On the security side and considering the richness of privacy settings, this browser deserves a better response from end users who simply shy away from using Opera, believing it is too complicated. From our personal experiences, the browser is very secure and easy to use. It offers great usability which we hope to cover in subsequent issues, and believe us that a lot of pleasant surprises are awaiting you in that respect, so stay tuned!
Posted in Security Insight