Review
By Roger A. Grimes
Columnist, InfoWorld
Opera has long been an underrated, feature-rich browser worthy of greater attention and a larger market share. It runs on Microsoft Windows, Mac, Linux, FreeBSD, Solaris, mobile phones, Nintendo gaming systems, and other now historical operating systems. Like all of the leading browsers, it supports Java and JavaScript, and its impressive, growing feature set pushes beyond today's standards such as tabbed browsing to include the likes of voice-controlled browsing, e-mail, and instant messaging. Opera has many unique security features too, and the granularity of its security controls easily beats that of most rivals, the exception being Microsoft's Internet Explorer.
When executed under Windows Vista, Opera runs as a single process (Opera.exe) of medium integrity, with file system and registry virtualization enabled (a User Account Control feature that allows users to operate without administrative rights), but without DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
Opera's unfortunate lack of support for DEP and ASLR makes the Opera process the weakest protected of any of the browsers I've tested (including Google Chrome, Firefox, Safari, and Internet Explorer) and potentially puts it at higher risk of buffer overflows. This weakness is exacerbated by the 45 announced vulnerabilities in Opera 9.x over the last two years, one-third of which would have allowed complete system compromise. Opera Software should immediately recode Opera to use ASLR and DEP, to remove this major blemish on an otherwise fine product.
Block that content
Opera allows you to block any Web site, object type, or object class -- globally or on a per-site basis. Although it would be nice to have security zones, as in Internet Explorer, no other browser makes it so easy to block specific types of content. It's very granular. Not only can Opera block broad classes of content such as Java, JavaScript, pop-ups, and cookies, but also individual image types, redirects, sound files, animated images, file extensions, and Web protocols (FTP, for example). You can block specific content or classes of content by using the Quick Preferences menu option, the F12 function key, or a URL-filtering .ini file. You can block any or all content from specific Web sites simply by right-clicking the Web page and choosing Block Content.
Opera lets a user (or admin) control which Web sites are allowed (or prohibited) and which content types can be downloaded through a URL-filtering .ini file (called urlfilter.ini by default). Wild-card characters and paths can be used to configure the rules, and any Web site not specifically included is automatically excluded when URL filtering is turned on. Most users prevent inadvertent excludes by allowing all Web sites by default (e.g. http://*.* and https://*.*) and then specifying the sites to exclude. If you really want to lock down the browser, Opera can easily be configured so that no files can be downloaded, saved, launched, or executed, or so that downloaded content is set to read-only. The only deficiency is that common file extensions are hidden by default.
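The include/exclude behaviour described above can be modelled in a few lines to preview what a rule set will block before deploying it. This is an added example, not Opera's code: the `[include]` and `[exclude]` section names, the fnmatch-style wildcard matching, and the sample rules and URLs (all constructed) are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample rules: allow everything, then carve out exclusions
SAMPLE = """\
; constructed example, not a shipped urlfilter.ini
[include]
http://*.*
https://*.*

[exclude]
http://ads.example.test/*
*.exe
"""


def parse_rules(text: str) -> dict:
    """Collect wildcard patterns from the [include] and [exclude] sections."""
    rules = {"include": [], "exclude": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section in rules:
            rules[section].append(line)
    return rules


def verdict(url: str, rules: dict) -> str:
    """Excludes win; a URL matching no include pattern is denied by default."""
    if any(fnmatchcase(url, p) for p in rules["exclude"]):
        return "excluded"
    if any(fnmatchcase(url, p) for p in rules["include"]):
        return "allowed"
    return "default-deny"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for url in ("https://www.example.test/index.html",
                "http://ads.example.test/banner.gif",
                "https://downloads.example.test/setup.exe",
                "ftp://files.example.test/readme.txt"):
        print(f"{verdict(url, rules):13} {url}")
```

The `ftp://` URL falls through to default-deny because no include pattern covers it, which is the inadvertent-exclude case the paragraph warns about.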
Opera doesn't offer many choices under the standard Security menu option, but a user can modify more of Opera's configuration settings by directly editing Opera.ini. However, the preferred method is for the user to type "Opera:config" into the URL bar, which provides access to dozens of options. Unfortunately, detailed documentation for each option isn't always easily locatable. Some users prefer to have multiple Opera.ini files, each with separate security and functionalities enabled, depending on what they are attempting to do during a particular session.
Opera has the most granular cache control among the major browsers. You can determine what to cache (documents, images, and so on), how long to keep it, and the size of the cache. You can require HTTPS pages to redownload content when surfing through the browser's history. Although all cookie types (first and third party) are allowed by default, which is unfortunate, Opera has some of the best cookie controls on the market.
Frauds and authentics
Opera's anti-phishing filter, called Fraud Protection, is enabled by default. Sites confirmed by Netcraft or PhishTank as phishing sites are automatically added to Opera's blacklist. I like PhishTank enough to have used its collected links for the anti-phishing testing during this review. However, PhishTank relies on the user community to rank each submitted Web site to determine whether it is a confirmed phishing site. I have seen many false-negative and false-positive rankings at PhishTank, and those incorrect determinations could figure into Opera's Fraud Protection mechanism. Malware blacklists collected by Haute Secure are included in Fraud Protection too, but didn't set off any anti-malware warnings with my test sites.
Opera provides the standard pop-up blocking choices (Block All, Allow All, Block Unwanted). In my testing, it handled the most malicious DoS Web site fairly well, never allowing the browser to become completely locked up. However, the underlying Windows host did experience an unexpected reboot related to one of the attacks, so Opera can't claim a perfect success. Opera limits the maximum number of active connections to any one Web site to 8 by default (this value is modifiable), helping to prevent malware-infested Web sites from overwhelming the browser.
Opera has decent digital certificate support, with the second best initial cipher offering (behind Firefox), but there's one notable exception. Although the first five ciphers use 256-bit AES keys, strangely Opera does not yet support ECC (Elliptic Curve Cryptography), which is the strongest asymmetric cipher standard in use today. OCSP (Online Certificate Status Protocol) is supported by default, and the minimum SSL version can be specified.
Opera supports Extended Validation (EV) digital certificates, including something called "strict EV." Strict EV, which is not enabled by default, ensures that all Web site elements come from EV-protected Web sites before displaying the normal green EV highlighting. These two screen images show the differences between Strict EV enforcement and regular EV enforcement. When visiting PayPal.com with regular EV enforcement, you'll find that the Web site's common name appears in green. When visiting the same Web site with strict EV enforcement, you'll find that the Web site name appears in yellow, just as normal SSL (non-EV) Web sites do. Most EV supporting browsers do not support strict EV enforcement. It's nice to have the choice, because strict EV could prevent real malware attacks, such as malicious JavaScript redirects.
Opera lets you view installed and registered plug-ins, but not manage them. However, a neat little feature that the other browsers don't have is the ability to specify which requests for plug-ins Opera should ignore. Most browsers bug the user repeatedly each time a reloaded Web page requires a specific control; only Opera and IE 8 allow per-site control. On an interesting note, Opera has integrated BitTorrent support, which some security administrators may not like.
CSS, XSS, and JavaScript
Opera has another feature that allows site-specific CSS (called author mode) to be replaced by a user-specific CSS (known as user mode). Both author and user mode can be customized, allowing you to determine exactly what is supported in each mode. A similar option was added to Internet Explorer 8 and is part of the CSS 2.1 standard called Alternative Style Sheets.
Over the years a number of CSS attacks (not to be confused with cross-site scripting, or XSS, attacks) have been discovered. Besides allowing a user to customize a Web page's appearance, user-mode CSS might allow those who have it enabled to avoid the associated risks. Similarly, Opera also allows the user to specify a custom JavaScript file to be run on each Web site visited; this can be used to implement any JavaScript-enabled task, including additional security checks.
Opera has another nice feature, Kiosk mode, that is designed to be run on public information computers. Kiosk mode disables tool bars, requires full-screen window sizes, disables many paths to system areas, and can be used to prevent downloads. After a period of inactivity, it will return to the defined home page.
Opera protects locally stored Web site passwords fairly well using a feature called Wand. Passwords (and client digital certificates) can be protected by a master password that is at least six characters long. In my tests on the Password Manager Evaluator Web site, Opera tied Firefox for the best remote password handling among the top browsers, passing 7 out of the 21 tests. Opera is very clear about which Web site the password is being saved for, while many other browsers are not. Opera also passed the standard browser, JavaScript, and XSS testing suites I ran against it, preventing the installation of any malware in every case. These tests included dozens of predefined tests made in the lab, several browser-security tests on the Web (including scanit and Jason's Toolbox), and surfing to more than 100 malicious Web sites.
Opera does not have any significant enterprise features to brag about, but its configurable granularity using .ini files means that administrators should have little problem deploying and configuring it for a business environment. Although Opera has not yet gained enough market share to be considered thoroughly tested and vetted by mainstream hackers (as Firefox and Internet Explorer have), it deserves to be considered by more users. However, until Opera Software fixes the more glaring deficiencies (namely, lack of support for DEP, ASLR, and ECC), Opera cannot be highly recommended.
This story, "How secure is Opera?" was originally published by InfoWorld.
A security columnist since 2005, Roger Grimes holds more than 40 computer certifications and has authored ten books on computer security.
Copyright © 2009 IDG Communications, Inc.
FAQs
Can you be tracked on Opera?
The Opera web browser (Opera) can tell the website approximately where you are, with the help of Google Location Services (GLS). Opera will always ask for your permission, and your privacy will always be respected.
Is Chrome safer than Opera?
If you care about your data privacy, Opera Browser is the clear winner. Even though Google Chrome states that they are doing a lot around security and privacy, Google actually collects a hefty amount of user data by default.
Is Opera private really private?
Private mode in Opera Touch allows you to surf the web without the browser tracking your activity. All browsing data, such as cookies and history, are removed after closing private mode, therefore making it impossible to reopen closed tabs or review browsing history.
Is Opera safer than Firefox?
Even though Firefox lacks a built-in ad blocker like Opera, you can easily block ads with an extension while staying protected by Google Safe Browsing. Opera is not quite as safe overall due to its less reliable safe browsing solutions.
Is Opera private browsing safe?
Unfortunately, Opera doesn't qualify as a secure browser. Even if it was, you'd still be protecting your browsing only. Luckily, there's a solution to that in the form of a Virtual Private Network (VPN). It encrypts all your traffic, be it streaming, torrenting, or gaming.
How strong is Opera VPN?
All things considered, Opera VPN is a mediocre service at best. It advertises itself as a VPN but doesn't act like one in the slightest. The tool doesn't use any secure tunneling protocols, can't unblock any streaming platforms except for YouTube, and is pretty useless when it comes to torrenting.
Is Opera owned by China?
Opera is headquartered in Oslo, Norway, with additional offices in Europe, China, and Africa. In 2016, Opera was acquired by an investment group led by a Chinese consortium. On July 27, 2018, Opera Software went public on the NASDAQ stock exchange, raising $115 million in its initial public offering.
Which browser is the safest in 2022?
Brave is arguably one of the best web browsers for all-around security. The open source browser includes a built-in ad blocker, a script blocker, automatically upgrades to HTTPS, blocks all third-party storage and protects against browser fingerprinting.
What is the safest browser?
- DuckDuckGo privacy browser (iOS and Android) The DuckDuckGo privacy browser is a new addition to our lineup. ...
- Waterfox. Waterfox is a fork of Firefox that was maintained by just one person for many years. ...
- Bromite (Android) ...
- Pale Moon. ...
- GNU IceCat. ...
- Iridium.
While the data savings feature helps you save data, it doesn't hide your IP address. Only browsing traffic that can be optimized goes through this proxy.
Is Opera better than Chrome?
We recommend Opera over Chrome for its suite of advanced built-in features that reduce the need for extensions. Even though Chrome is faster, a version of Chrome with too many extensions might lag behind an extension-free installation of Opera.
Can hotels see what you are browsing on incognito?
While your hotel's management usually won't be able to see the contents of your communications, they can easily find out what websites you visit and how much time you spend browsing the Internet. Doesn't sound like private browsing, does it? Check out our video on hotel Wi-Fi below.
Does Opera collect data?
Opera says it does not collect any user data, though the company encourages consumers to send some information about their feature usage to improve the product.
Why do people use Opera?
It's not a resource hog
This is definitely a deal breaker/maker if you tire of browsers like Chrome and Firefox slowing down your PC. Opera is a resource-friendly browser that focuses on using less of your PC and Internet resources. Many of its features are made to strip down resource usage (more on them later).
- Anti-phishing & malware protection.
- Minimal data collection.
- Automatic tracker blocking.
- DNS over HTTPS (DoH) encrypted browsing.
- Compatible with proprietary and third-party security extensions.
By default, Opera does not block any third-party cookies, although in Opera's settings you can block cookies. However, Ghostery's tracker blocker is far more customisable than Opera's, allowing you to be flexible in who sees your information.
Does Opera GX sell your data?
Opera GX Safety Concerns
Browser privacy is another issue – it involves the company that makes the browser selling your information to advertisers. In terms of security, Opera GX is pretty safe. Like the regular Opera browser, it is based on Chromium, so it is as safe as most Chromium browsers.
- History can be accessed from the History button on the Home screen. Tap a page to open it in a new tab.
- Your browsing history will influence which sites will populate the Top Sites section on the Home screen.
- Learn how to clear your browsing history and other data.
- From the main menu, select Opera > Clear Browsing Data….
- Select the time period from which you'd like to remove history items using the Obliterate the following items from dropdown menu.
- Tick the checkboxes next to the specific browsing data you'd like to remove.
- Click Clear browsing data.