Security remains the most important attribute of a Web browser. The success of any feature or function aimed at improving Web security often hinges on two factors: usability and how easy it is to configure. It seems Opera Software considered these factors in their latest release of the browser, Opera 9. Let's review some of the new security features Opera has to offer.
Opera 9 has a range of user-friendly security features, that are easy to configure and designed for the surfing habits of the non-security minded, which makes them more effective since users are more likely to utilize them. For example, in addition to having a padlock icon located inside the address field to indicate a site's security level, Opera 9 provides the name of the organization the certificate is registered to, as shown in the figure below.
Users are far more likely to notice this information in the address field than in the bottom right corner, where it's usually found, particularly because the information is greyed for a site using an encrypted connection that has a low security rating. Clicking on the bar opens a window that provides clear information about the certificate and protocols being used. This attention to detail could also help reduce the number of Opera users who fall victim to phishing scams.
Here are some of Opera 9's other security features:
- It supports SSL versions 2 and 3, has TLS 1 and TLS 1.1 enabled by default, and now uses the OpenSSL 0.9.8 crypto library.
- The pop-up blocker is stronger and there is a new "content blocker," which can block any content, whether images, ads or some other content type based on the URL. However, it needs to be trained on what to block. (Note: While Firefox does offer ad-blocking, it's not done directly through the browser, but rather through an extension called AdBlock.)
- Users can easily clear the browser's history and cache from the Tools menu, and can control what cookies to accept and reject.
- As in earlier versions you can use 168-bit triple DES encryption to protect your digital certificates, email, news and Wand passwords (Opera's password manager).
Widget Warning
Security policies will need to be updated to account for Opera's new widgets. These essentially are a Web page with no graphical framework and elements of the Web browser window (browser chrome). Since these widgets can operate cross-domain, they can access multiple Web sites at the same time, therefore, security policies must ensure that users do not install widgets from sources that are not known or trusted.
How Opera 9's security stacks up
Opera 9 has no unpatched Secunia advisories to date while IE has 21 and Firefox just four. (See the Secunia Vulnerability Report for more details.) If more users adopt Opera 9 it will no doubt attract more attention from hackers. However, when vulnerabilities have been discovered, Opera has been excellent in patching them quickly, which is always a big plus for IT administrators.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
