When executed under Windows Vista, Opera runs as a single process (Opera.exe) of medium integrity, with file system and registry virtualization enabled (a User Account Control feature that allows users to operate without administrative rights), but without DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
Opera's unfortunate lack of support for DEP and ASLR makes the Opera process the least protected of any of the browsers I've tested (including Google Chrome, Firefox, Safari, and Internet Explorer) and potentially puts it at higher risk of buffer overflows. This weakness is exacerbated by the 45 announced vulnerabilities in Opera 9.x over the last two years, one-third of which would have allowed complete system compromise. Opera Software should immediately recode Opera to use ASLR and DEP, to remove this major blemish on an otherwise fine product.
Block that content
Opera lets a user (or admin) control which Web sites are allowed (or prohibited) and which content types can be downloaded through a URL-filtering .ini file (called urlfilter.ini by default). Wild-card characters and paths can be used to configure the rules, and any Web site not specifically included is automatically excluded when URL filtering is turned on. Most users prevent inadvertent excludes by allowing all Web sites by default (e.g. http://*.* and https://*.*) and then specifying the sites to exclude. If you really want to lock down the browser, Opera can easily be configured so that no files can be downloaded, saved, launched, or executed, or so that downloaded content is set to read-only. The only deficiency is that common file extensions are hidden by default.
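The allow-everything-then-exclude pattern described above, sketched as an added example that is not Opera's own code. The `[include]`/`[exclude]` section layout, the rule that an exclude match wins over an include match, and the sample patterns (constructed, using the reserved `.test` domain) are assumptions made for illustration.

```python
import re

# Constructed sample filter file; layout assumed, one wildcard pattern per line.
SAMPLE = """\
; allow all Web sites by default, then list what to block
[include]
http://*.*
https://*.*

[exclude]
http://ads.example.test/*
*.exe
"""

def parse_filter(text):
    """Collect the patterns listed under the include and exclude sections."""
    rules, section = {"include": [], "exclude": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                         # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section in rules:
            rules[section].append(line)
    return rules

def _match(pattern, url):
    """Treat '*' as the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url, re.IGNORECASE) is not None

def is_allowed(url, rules):
    """Default-deny: a URL loads only if included and not excluded."""
    if any(_match(p, url) for p in rules["exclude"]):
        return False                         # assumed precedence: exclude wins
    return any(_match(p, url) for p in rules["include"])

if __name__ == "__main__":
    rules = parse_filter(SAMPLE)
    for url in ("http://www.example.test/index.html",
                "http://ads.example.test/banner.gif",
                "https://www.example.test/setup.exe",
                "ftp://files.example.test/readme.txt"):
        print(url, "->", "allow" if is_allowed(url, rules) else "block")
```

The last URL is blocked even though no exclude rule names it, which is the inadvertent exclusion the allow-all include lines are meant to limit.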
Opera doesn't offer many choices under the standard Security menu option, but a user can modify more of Opera's configuration settings by directly editing Opera.ini. However, the preferred method is for the user to type "Opera:config" into the URL bar, which provides access to dozens of options. Unfortunately, detailed documentation for each option isn't always easy to find. Some users prefer to have multiple Opera.ini files, each with different security settings and functionality enabled, depending on what they are attempting to do during a particular session.
Opera has the most granular cache control among the major browsers. You can determine what to cache (documents, images, and so on), how long to keep it, and the size of the cache. You can require HTTPS pages to redownload content when surfing through the browser's history. Although all cookie types (first and third party) are allowed by default, which is unfortunate, Opera has some of the best cookie controls on the market.
Frauds and authentics
Opera's anti-phishing filter, called Fraud Protection, is enabled by default. Sites confirmed by Netcraft or PhishTank as phishing sites are automatically added to Opera's blacklist. I like PhishTank enough to have used its collected links for the anti-phishing testing during this review. However, PhishTank relies on the user community to rank each submitted Web site to determine whether it is a confirmed phishing site. I have seen many false-negative and false-positive rankings at PhishTank, and those incorrect determinations could figure into Opera's Fraud Protection mechanism. Malware blacklists collected by Haute Secure are included in Fraud Protection too, but didn't set off any anti-malware warnings with my test sites.
Opera provides the standard pop-up blocking choices (Block All, Allow All, Block Unwanted). In my testing, it handled the most malicious DoS Web site fairly well, never allowing the browser to become completely locked up. However, the underlying Windows host did experience an unexpected reboot related to one of the attacks, so Opera can't claim a perfect success. Opera limits the maximum number of active connections to any one Web site to 8 by default (this value is modifiable), helping to prevent malware-infested Web sites from overwhelming the browser.
Opera has decent digital certificate support, with the second-best initial cipher offering (behind Firefox), but there's one notable exception. Although the first five ciphers use 256-bit AES keys, strangely Opera does not yet support ECC (Elliptic Curve Cryptography), which is the strongest asymmetric cipher standard in use today. OCSP (Online Certificate Status Protocol) is supported by default, and the minimum SSL version can be specified.
Opera lets you view installed and registered plug-ins, but not manage them. However, a neat little feature that the other browsers don't have is the ability to specify which requests for plug-ins Opera should ignore. Most browsers bug the user repeatedly each time a reloaded Web page requires a specific control; only Opera and IE 8 allow per-site control. On an interesting note, Opera has integrated BitTorrent support, which some security administrators may not like.
Opera has another feature that allows site-specific CSS (called author mode) to be replaced by a user-specific CSS (known as user mode). Both author and user mode can be customized, allowing you to determine exactly what is supported in each mode. A similar option was added to Internet Explorer 8 and is part of the CSS 2.1 standard called Alternative Style Sheets.
Opera has another nice feature, kiosk mode, that is designed to be run on public information computers. Kiosk mode disables tool bars, requires full-screen window sizes, disables many paths to system areas, and can be used to prevent downloads. After a period of inactivity, it will return to the defined home page.
Opera does not have any significant enterprise features to brag about, but its configurable granularity using .ini files means that administrators should have little problem deploying and configuring it for a business environment. Although Opera has not yet gained enough market share to be considered thoroughly tested and vetted by mainstream hackers (as Firefox and Internet Explorer have), it deserves to be considered by more users. However, until Opera Software fixes the more glaring deficiencies (namely, lack of support for DEP, ASLR, and ECC), Opera cannot be highly recommended.
This story, "How secure is Opera?" was originally published by InfoWorld.