Opera and Security

security

Opera has been named the most secure browser available, and for good reason. It natively supports a wide range of security protocols and methods; indeed, Opera is often at the technological forefront. Unlike Internet Explorer and Netscape Communicator, whose security loopholes are detailed in periodicals on a regular basis, Opera has been designed from the beginning with security and privacy in mind.

Strong encryption

Encryption is used to ensure that private data remains private, and to avoid impersonation of legitimate users. Encryption scrambles data so that it is readable only to those with the right key. The security of the encryption methods increases with the length of the key. The length is measured in bits, and every bit doubles the time needed to break an encrypted message if every possible combination is tried (known as the "brute force" method). In the nineties relatively short keys were often used ("weak encryption"). This was intensified by US export regulations, which limited the keys to 40 bits for US companies. Encryption with only 40 bits may still be adequate for many purposes, but is no longer considered truly safe. Opera provided strong encryption at the time, and has done so ever since.

Opera displays the real server encryption level. While other browsers only tell you that a connection is "secure", Opera tells you exactly how secure it actually is. The icon tool tip will give further information on the connection if button tool tips is activated in Preferences.

IconTextStatus
Open padlockNo SecurityDocument is without any encryption or authentication.
Locked padlockLow SecurityVulnerable keys methods with 32-bit to 64-bit encryption.
Locked padlockMedium Security64-bit to 96-bit encryption, as well as all SSL version 2 encryption methods with 64-bit keys or more. SSL version 2 is to be phased out due to certain weaknesses.
Locked padlockHigh Security96-bit encryption and above (up to 128-bits), with the exception of SSL version 2 methods.

For a full list of supported ciphers, see the specifications.

SSL and TLS

Opera has supported Secure Socket Layer (SSL) versions 2 and 3 since Opera 3.0. These protocols are enabled by default, and can be changed by pulling down Opera's Preferences menu and selecting Security. Though the actual strength of encryption at a site is determined by the site itself, and not by the browser, Opera offers automatic 128-bit encryption -- the highest available security of any Web browser.

TLS (Transport Layer Security) is based on SSL (Secure Sockets Layer) version 3. This protocol, developed by the Internet Engineering Task Force (IETF), has improved security over SSL due to better cryptographical formulas and the methods used to generate encryption keys. Opera 3.50 was the first commercial browser to support TLS. Not only the Opera Web client, but also the e-mail and news clients, support the TLS protocol.

There are still Web servers that don't have TLS support. TLS is backwards compatible with SSL (the security level will then of course be on par with SSL, not TLS), so this is not an issue unless the SSL support too is buggy. In known cases Opera will automatically degrade to SSL. In rare cases you might have to turn off TLS support manually. If this happens, we would appreciate that you sent us a bug report, so that we can handle that brand of server in future releases.

Authentication

A Web application will often need to know that the user is the person he or she claims to be. Opera supports both Basic and Digest Authentication, but the former should only be used in low security environments as the passwords are plainly readable for anyone between Opera and the server. Basic Authentication inside a TLS or SSL connection may provide acceptable security. Digest Authentication, on the other hand, is a method safe from eavesdropping as passwords are never transmitted. It is quite simple to implement as well, and can even replace a common use of cookies.

Certificates

A more general way to identify users and servers is using certificates. Certificates use two keys, one private (secret) and one public, and are normally "countersigned" directly or indirectly by a trusted third party, a Certificate Authority. Opera is able to generate private keys with up to 3072 bits. For a full list of the certificates and Certificate Authorities that Opera supports, see the specifications.

Security password

You can set a security password to prevent other users on the same machine from using your certificates. This can be set from the security tab in Preferences.

Cookies

Opera supports RFC2965, the newest version of the IETF cookie protocol that outdates RFC2109, which in turn is an improved version of the original Netscape cookies. RFC2965 (and Opera) is backwards compatible, but using RFC2965 on the server side is strongly recommended. Apart from following the specifications, there are a few other recommended guidelines. In particular private data (passwords, personal identification like social security numbers, e-mail addresses, and similar) should never be a part of cookies. There are many good tutorials on how to develop Web sites with cookies that are convenient and safe for the Web site and users alike.

Read the tutorial on security and privacy.

Proxy servers

A proxy server is a machine between Opera and the Web server (or another proxy server). This can give you a different layer of security. For more information on Opera's handling of proxy servers, please read our article on Proxy server preferences.

Security and privacy warnings

There are a number of techniques unscrupulous Web designers can use to fool users. They may attempt to trick users into believing that they are on a different Web site than they actually are, or try to retrieve private data without the user's knowledge. Opera is able to detect several of these methods, and will warn the user.

Plug-in architecture

ActiveX is a Windows component technique used to run arbitrary code in other programs (such as a browser). While this is a very powerful programming technique, it is also a potential security nightmare as access is given to the operating system as well as the browser itself. Even with Microsoft's security model, a large number of Internet Explorer's security holes have been related to ActiveX. Opera does not support ActiveX and consequently avoids these problems. It does support Netscape type plug-ins (NP4). This is a much smaller, but not entirely negligible security risk. While the data a Netscape plug-in can access from Opera is strictly limited, it is still a full-fledged program and can as such interact with your system. Any restrictions you may have for downloading or installing other programs should therefore apply to plug-ins as well.

E-mail security

Viruses and worms

Microsoft's e-mail clients for Windows allow received e-mail to run operating system scripts. This is a chronic security hole. Netscape allows received e-mail to run JavaScript, which is a smaller security risk. Opera allows neither. This means that Opera is invulnerable to the e-mail viruses and worms that plague Microsoft Outlook and Outlook Express. But Opera goes one step further. By default Opera turns off Web access for images, style sheets, and other external files. While neither images nor style sheets pose security risks, spammers can use them as a method for counting or, in the worst case, identifying e-mail recipients.

Attachments

You should always be wary of opening attachments from strangers (or reckless friends). Opening files inside Opera is safe, while files sent to the operating system (OS) may or may not be safe. Any program that can run on the OS is unsafe (for example in Windows files that end with .exe, .vbs and many other extensions), as are files for Microsoft Office and other programs with similar capabilities. You can safely open Office files if you don't have Microsoft Office installed, for example if you use Wordpad or any other program that can read such files.

Screenshots

Opera screenshotOpera screenshotOpera screenshot

View more screenshots of Opera.

Tutorials

Learn more about using Opera in the Opera tutorials.

Promote Opera

Show the world that you use Opera by placing a Opera button on your site.