Test Center: How secure is Opera?

Opera Software's underrated browser is rich in both features and granular security controls, but misses important Windows protections

Opera has long been an underrated, feature-rich browser worthy of greater attention and a larger market share. It runs on Microsoft Windows, Mac, Linux, FreeBSD, Solaris, mobile phones, Nintendo gaming systems, and other now historical operating systems. Like all of the leading browsers, it supports Java and JavaScript, and its impressive, growing feature set pushes beyond today's standards such as tabbed browsing to include the likes of voice-controlled browsing, e-mail, and instant messaging. Opera has many unique security features too, and the granularity of its security controls easily beats that of most rivals, the exception being Microsoft's Internet Explorer.

When executed under Windows Vista, Opera runs as a single process (Opera.exe) of medium integrity, with file system and registry virtualization enabled (a User Account Control feature that allows users to operate without administrative rights), but without DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

[ See also: "How secure is Google Chrome?" Tomorrow: "How secure is Mozilla Firefox?" For more on browser security and protection against Web-borne threats, see Security Adviser and "Test Center: Browser security tools versus the evil Web." ]

Opera's unfortunate lack of support for DEP and ASLR makes the Opera process the weakest protected of any of the browsers I've tested (including Google Chrome, Firefox, Safari, and Internet Explorer) and potentially puts it at higher risk of buffer overflows. This weakness is exacerbated by the 45 announced vulnerabilities in Opera 9.x over the last two years, one-third of which would have allowed complete system compromise. Opera Software should immediately recode Opera to use ASLR and DEP, to remove this major blemish on an otherwise fine product.

Block that content
Opera allows you to block any Web site, object type, or object class -- globally or on a per-site basis. Although it would be nice to have security zones, as in Internet Explorer, no other browser makes it so easy to block specific types of content. It's very granular. Not only can Opera block broad classes of content such as Java, JavaScript, pop-ups, and cookies, but also individual image types, redirects, sound files, animated images, file extensions, and Web protocols (FTP, for example). You can block specific content or classes of content by using the Quick Preferences menu option, the F12 function key, or a URL-filtering .ini file. You can block any or all content from specific Web sites simply by right-clicking the Web page and choosing Block Content.

Opera lets a user (or admin) control which Web sites are allowed (or prohibited) and which content types can be downloaded through a URL-filtering .ini file (called urlfilter.ini by default). Wild-card characters and paths can be used to configure the rules, and any Web site not specifically included is automatically excluded when URL filtering is turned on. Most users prevent inadvertent excludes by allowing all Web sites by default (e.g. http://*.* and https://*.*) and then specifying the sites to exclude. If you really want to lock down the browser, Opera can easily be configured so that no files can be downloaded, saved, launched, or executed, or so that downloaded content is set to read-only. The only deficiency is that common file extensions are hidden by default.

Opera doesn't offer many choices under the standard Security menu option, but a user can modify more of Opera's configuration settings by directly editing Opera.ini. However, the preferred method is for the user to type " Opera:config" into the URL bar, which provides access to dozens of options. Unfortunately, detailed documentation for each option isn't always easily locatable. Some users prefer to have multiple Opera.ini files, each with separate security and functionalities enabled, depending on what they are attempting to do during a particular session.

Opera has the most granular cache control among the major browsers. You can determine what to cache (documents, images, and so on), how long to keep it, and the size of the cache. You can require HTTPS pages to redownload content when surfing through the browser's history. Although all cookie types (first and third party) are allowed by default, which is unfortunate, Opera has some of the best cookie controls on the market.

Frauds and authentics
Opera's anti-phishing filter, called Fraud Protection, is enabled by default. Sites confirmed by Netcraft or PhishTank as phishing sites are automatically added to Opera's blacklist. I like PhishTank enough to have used its collected links for the anti-phishing testing during this review. However, PhishTank relies on the user community to rank each submitted Web site to determine whether it is a confirmed phishing site. I have seen many false-negative and false-positive rankings at PhishTank, and those incorrect determinations could figure into Opera's Fraud Protection mechanism. Malware blacklists collected by Haute Secure are included in Fraud Protection too, but didn't set off any anti-malware warnings with my test sites.

Opera provides the standard pop-up blocking choices (Block All, Allow All, Block Unwanted). In my testing, it handled the most malicious DoS Web site fairly well, never allowing the browser to become completely locked up. However, the underlying Windows host did experience an unexpected reboot related to one of the attacks, so Opera can't claim a perfect success. Opera limits the maximum number of active connections to any one Web site to 8 by default (this value is modifiable), helping to prevent malware-infested Web sites from overwhelming the browser.

Opera has decent digital certificate support, with the second best initial cipher offering (behind Firefox), but there's one notable exception. Although the first five ciphers use 256-bit AES keys, strangely Opera does not yet support ECC (Elliptical Curve Cryptography), which is the strongest asymmetric cipher standard in use today. OCSP (Online Certificate Status Protocol) is supported by default, and the minimum SSL version can be specified.

Opera supports Extended Validation (EV) digital certificates, including something called "strict EV." Strict EV, which is not enabled by default, ensures that all Web site elements come from EV-protected Web sites before displaying the normal green EV highlighting. These two screen images show the differences between Strict EV enforcement and regular EV enforcement. When visiting PayPal.com with regular EV enforcement, you'll find that the Web site's common name appears in green. When visiting the same Web site with strict EV enforcement, you'll find that the Web site name appears in yellow, just as normal SSL (non-EV) Web sites do. Most EV supporting browsers do not support strict EV enforcement. It's nice to have the choice, because strict EV could prevent real malware attacks, such as malicious JavaScript redirects.

Opera lets you view installed and registered plug-ins, but not manage them. However, a neat little feature that the other browsers don't have is the ability to specify which requests for plug-ins Opera should ignore. Most browsers bug the user repeatedly each time a reloaded Web page requires a specific control; only Opera and IE 8 allow per-site control. On an interesting note, Opera has integrated BitTorrent support, which some security administrators may not like.

CSS, XSS, and JavaScript
Opera has another feature that allows site-specific CSS (called author mode) to be replaced by a user-specific CSS (known as user mode). Both author and user mode can be customized, allowing you to determine exactly what is supported in each mode. A similar option was added to Internet Explorer 8 and is part of the CSS 2.1 standard called Alternative Style Sheets.

Over the years a number of CSS attacks (not to be confused with cross-site scripting, or XSS, attacks) have been discovered. Besides allowing a user to customize a Web page's appearance, user-mode CSS might allow those who have it enabled to avoid the associated risks. Similarly, Opera also allows the user to specify a custom JavaScript file to be run on each Web site visited; this can be used to implement any JavaScript-enabled task, including additional security checks.

Opera has another nice feature, kiosk mode, that is designed to be run on public information computers. Kiosk mode disables tool bars, requires full-screen window sizes, disables many paths to system areas, and can be used to prevent downloads. After a period of inactivity, it will return to the defined home page.

Opera protects locally stored Web site passwords fairly well using a feature called Wand. Passwords (and client digital certificates) can be protected by a master password that is at least six characters long. In my tests on the Password Manager Evaluator Web site, Opera tied Firefox for the best remote password handling among the top browsers, passing 7 out of the 21 tests. Opera is very clear about which Web site the password is being saved for, while many other browsers are not. Opera also passed the standard browser, JavaScript, and XSS testing suites I ran against it, preventing the installation of any malware in every case. These tests included dozens of predefined tests made in the lab, several browser-security tests on the Web (including scanit and Jason's Toolbox), and surfing to more than 100 malicious Web sites.

Opera does not have any significant enterprise features to brag about, but its configurable granularity using .ini files means that administrators should have little problem deploying and configuring it for a business environment. Although Opera has not yet gained enough market share to be considered thoroughly tested and vetted by mainstream hackers (as Firefox and Internet Explorer have), it deserves to be considered by more users. However, until Opera Software fixes the more glaring deficiencies (namely, lack of support for DEP, ASLR, and ECC), Opera cannot be highly recommended.

Copyright © 2009 IDG Communications, Inc.

How to choose a low-code development platform