How secure is Opera?

Tests show Opera processes have the weakest protection

Opera has long been an underrated, feature-rich browser worthy of greater attention and a larger market share. It runs on Microsoft Windows, Mac, Linux, FreeBSD, Solaris, mobile phones, Nintendo gaming systems, and other now historical operating systems. Like all of the leading browsers, it supports Java and JavaScript, and its impressive, growing feature set pushes beyond today's standards such as tabbed browsing to include the likes of voice-controlled browsing, e-mail, and instant messaging. Opera has many unique security features too, and the granularity of its security controls easily beats that of most rivals, the exception being Microsoft's Internet Explorer.

When executed under Windows Vista, Opera runs as a single process (Opera.exe) of medium integrity, with file system and registry virtualization enabled (a User Account Control feature that allows users to operate without administrative rights), but without DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Opera's unfortunate lack of support for DEP and ASLR makes the Opera process the weakest protected of any of the browsers I've tested (including Google Chrome, Firefox, Safari, and Internet Explorer) and potentially puts it at higher risk of buffer overflows. This weakness is exacerbated by the 45 announced vulnerabilities in Opera 9.x over the last two years, one-third of which would have allowed complete system compromise. Opera Software should immediately recode Opera to use ASLR and DEP, to remove this major blemish on an otherwise fine product.

Block that content

Opera allows you to block any Web site, object type, or object class -- globally or on a per-site basis. Although it would be nice to have security zones, as in Internet Explorer, no other browser makes it so easy to block specific types of content. It's very granular. Not only can Opera block broad classes of content such as Java, JavaScript, pop-ups, and cookies, but also individual image types, redirects, sound files, animated images, file extensions, and Web protocols (FTP, for example). You can block specific content or classes of content by using the Quick Preferences menu option, the F12 function key, or a URL-filtering .ini file. You can block any or all content from specific Web sites simply by right-clicking the Web page and choosing Block Content.

Opera lets a user (or admin) control which Web sites are allowed (or prohibited) and which content types can be downloaded through a URL-filtering .ini file (called urlfilter.ini by default). Wild-card characters and paths can be used to configure the rules, and any Web site not specifically included is automatically excluded when URL filtering is turned on. Most users prevent inadvertent excludes by allowing all Web sites by default (e.g. http://*.* and https://*.*) and then specifying the sites to exclude. If you really want to lock down the browser, Opera can easily be configured so that no files can be downloaded, saved, launched, or executed, or so that downloaded content is set to read-only. The only deficiency is that common file extensions are hidden by default.

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: AES, Google, INS, Linux, Microsoft, Netcraft, NICE, Nintendo, Opera Software, PayPal
References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: opera, security
Whitepapers
All whitepapers

Data retention: Just like diamonds, metadata is forever

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia