Opera's security scheme?


Hungry Man
June 23rd, 2011, 12:05 AM
I know that Chrome and IE9 use LI and sandboxing as well as OOP/ patches. Firefox at least has OPP... what does Opera do to secure the user?

EboO
June 24th, 2011, 06:51 AM
Please, what do LI, OOP and OPP mean?

Hungry Man
June 24th, 2011, 06:52 AM
Low integrity = LI
OPP = Out of Process Plugin
OOP was me typoing. I meant OPP.

EboO
June 24th, 2011, 08:58 AM
OK, thanks. No OPP for Opera. For LI I don't know.

Acadia
June 24th, 2011, 09:25 AM
I think the most secure thing about Opera is that such a small percentage of folks are using it as their browser; no one wants to bother hacking it (sort of like Linux). I no longer use Opera but when I did I liked using a browser that hardly anyone else uses. I know a bunch of folks here at Wilders use Opera but that is only because Wilders is so concentrated full of knowledgeable folks and therefore has a higher percentage of Opera users but earth wide we all know that the percentage is quite small.

Acadia

EboO
June 24th, 2011, 09:27 AM
After a short research it seems that Opera doesn't use LI.
So I don't know which security systems Opera uses.

dw426
June 24th, 2011, 01:44 PM
-{ Quote: "I think the most secure thing about Opera is that such a small percentage of folks are using it as their browser; no one wants to bother hacking it (sort of like Linux). I no longer use Opera but when I did I liked using a browser that hardly anyone else uses. I know a bunch of folks here at Wilders use Opera but that is only because Wilders is so concentrated full of knowledgeable folks and therefore has a higher percentage of Opera users but earth wide we all know that the percentage is quite small.

Acadia" }-


Security by obscurity doesn't work, just ask the Mac crowd.

EboO
June 24th, 2011, 04:31 PM
So Opera is weak on security?

Are there any tests of exploits on different browsers?

Daveski17
June 24th, 2011, 04:58 PM
-{ Quote: "So Opera is weak on security?" }-

I always thought it was one of the safest 'out of the box' (I may be wrong about this). See what Opera say themselves (http://my.opera.com/securitygroup/blog/)

EboO
June 24th, 2011, 05:28 PM
We have some information about privacy but nothing about malware protection.

Daveski17
June 24th, 2011, 06:12 PM
Ermmm this? (http://my.opera.com/desktopteam/blog/2008/06/06/malware-protection)

& this? (http://www.opera.com/browser/tutorials/security/fraud/)

& maybe this? (http://www.opera.com/browser/tutorials/security/fraud/)

Oh, some of those links may be about Linux.

Sorry ... I forgot this. (http://www.opera.com/browser/tutorials/security/guide/#securitysummary) :thumb:

J_L
June 24th, 2011, 09:53 PM
You guys forgot about malicious website blocking, which all 3 support, and malicious downloads blocking which Chrome (and IE) has. Firefox can scan downloads with your default AV, but that's usually redundant.

Daveski17
June 24th, 2011, 09:56 PM
I knew I'd forgotten something. ;)

MessageBoxA
June 24th, 2011, 10:02 PM
Hi,

Opera does not have any security features besides that blacklist. Also... they do not participate in most public security events such as Pwn2Own. They have also sent legal letters in the past to security firms mentioning Opera weaknesses in blogs/articles.

In a nutshell... Opera has very low user numbers so therefore could be considered a lower value target. However I would personally recommend using another browser.

-MessageBoxA

m00nbl00d
June 24th, 2011, 10:03 PM
-{ Quote: "Ermmm this? (http://my.opera.com/desktopteam/blog/2008/06/06/malware-protection)

& this? (http://www.opera.com/browser/tutorials/security/fraud/)

& maybe this? (http://www.opera.com/browser/tutorials/security/fraud/)

Oh, some of those links may be about Linux.

Sorry ... I forgot this. (http://www.opera.com/browser/tutorials/security/guide/#securitysummary) :thumb:" }-

Haute... is more like What... It's gone. lol

I think Opera now gets data from AVG. But... is that it? No prevention or mitigation... sandbox... No? ::) *puppy*

act8192
June 24th, 2011, 10:23 PM
What I see in Opera is a myriad of settings along the security lines. I haven't seen anything so easy to set up in IE or Firefox.

In addition to blocking unsafe sites with a big red alert, there's a ton of things one can set in Tools>preferences for overall behavior of content, security, fraud protection, certificates, what can download ... and even more in opera:config url.

And then there's the easy, F12, access to quickly set up a few permissions for specific sites - scripts, iframes, whatever would normally be blocked by the global settings above.
Finally there are ways to write/add your own urls to be watched in urlfilter.ini.

I would think that malicious programs are better watched by antivirus. Download something, Opera asks where to save it, then scan if AV didn't scream right away. Not sure really what the issue is here discussed, so if I'm totally out of line, I apologize in advance.

m00nbl00d
June 24th, 2011, 10:30 PM
-{ Quote: "What I see in Opera is a myriad of settings along the security lines. I haven't seen anything so easy to set up in IE or Firefox.

In addition to blocking unsafe sites with a big red alert, there's a ton of things one can set in Tools>preferences for overall behavior of content, security, fraud protection, certificates, what can download ... and even more in opera:config url.

And then there's the easy, F12, access to quickly set up a few permissions for specific sites - scripts, iframes, whatever would normally be blocked by the global settings above.
Finally there are ways to write/add your own urls to be watched in urlfilter.ini.

I would think that malicious programs are better watched by antivirus. Download something, Opera asks where to save it, then scan if AV didn't scream right away. Not sure really what the issue is here discussed, so if I'm totally out of line, I apologize in advance." }-

What you mention is all good... but do you really believe that most of those using IE or Google Chrome, due to the security by design, would know how to tweak anything? They don't know they can, nor how to do it in IE and Chrome.

Without those tweakings, which I can also have in Chromium... what does it offer?

Sully
June 25th, 2011, 12:52 AM
I think people look at it differently today than years ago. These days, with scripting/flash/etc, Opera can be considered safe if you manage what websites are allowed scripts. Rmus uses this to great success.

I think many of us are used to the old days when browsers, especially IE, had holes that were exploited. Those still exist, but I would say they are not as common now as other types of attacks. And if they are not as common, then security by obscurity becomes even stronger.

At least, that's my take on it. Conclusion - any browser will have an exploit in code - but too most any browser can be secured against today's common threats by handling content properly.

Sul.

EboO
June 25th, 2011, 01:25 AM
I think that the object of the topic is: which protection does Opera have against exploits?
If you exclude the AV it would be nice if the browser prevented a risk. For me the browser could be the first line against malware.
I say that, I've been using Opera for 3 years.

Daveski17
June 25th, 2011, 04:10 AM
-{ Quote: "Haute... is more like What... It's gone. lol

I think Opera now gets data from AVG. But... is that it? No prevention or mitigation... sandbox... No? ::) *puppy*" }-

All I know about Haute is from Wikipedia. (http://en.wikipedia.org/wiki/Haute_Secure) I think that you are right & it doesn't exist any more.

It's probably best to ask about sandboxing & the like on their forums. (http://my.opera.com/community/forums/tgr.dml?id=2)

Remember that Opera has a good adblocker extension now, plus NotScripts, External Scripts extension & even Flag Button (a bit like Flagfox).

ruinebabine
June 25th, 2011, 11:28 PM
Sidetracking a bit, one of the pretty rare missing features with Opera, for me, is that when I want to highlight a word or a phrase: usually, in some other browser, I can simply key "MAJ + ->" and the word highlighting would enlarge to the right until I quit the "->" key. (Sorry for my english french mixin'...)

edit: oops, I see now that I was not in the right thread for my little opéra's keys annoyances. And, trying to read again my post this morning, I am almost not sure of what actually my technical problem was !! And, more, being that this was the "la fête nationale de la St-Jean"'s weekend by here, simply probable that I lost the little bit of anglish that I 'm used to own, or I think...

blacknight
June 26th, 2011, 04:38 AM
-{ Quote: "What I see in Opera is a myriad of settings along the security lines. I haven't seen anything so easy to set up in IE or Firefox.

In addition to blocking unsafe sites with a big red alert, there's a ton of things one can set in Tools>preferences for overall behavior of content, security, fraud protection, certificates, what can download ... and even more in opera:config url.

And then there's the easy, F12, access to quickly set up a few permissions for specific sites - scripts, iframes, whatever would normally be blocked by the global settings above.

" }-


Opera is safe, as a good browser can be. Real security is from fw, HIPS, sandboxing software... The reasons to choose Opera are its features and options, its speed, its graphics...

Spruce
June 26th, 2011, 07:04 AM
-{ Quote: "Opera is safe, as a good browser can be. Real security is from fw, HIPS, sandboxing software... The reasons to choose Opera are its features and options, its speed, its graphics..." }-

Agree :thumb:

Hungry Man
June 26th, 2011, 12:31 PM
That's not true at all. From what I can see all Opera does is patch up holes. That's a stupid security scheme.

"Real security" what the hell does that even mean? Applications should be designed with security in mind... especially your most used web facing application.

Sandboxing is not a catch-all. Especially not Sandboxie.

Sully
June 26th, 2011, 12:51 PM
-{ Quote: "From what I can see all Opera does is patch up holes. That's a stupid security scheme." }-
Maybe I miss something somewhere along the way.

Every piece of code created will have an exploit, and when an exploit is found, a fix must be made. To apply the fix, you need to patch the hole. No patch, no fix.

How is that stupid? Isn't it simply the only way to fix the situation? Are you suggesting that code be done "correct" the first time so there is no exploit available? If so, you should be a very wealthy man if you know how to do that ;)

Sul.

Hungry Man
June 26th, 2011, 01:04 PM
Patching isn't stupid. Relying on patching is stupid.

Like you said, every piece of code created will have an exploit. And with each update and addon there are more and more introduced. You can NEVER hope to have a product without exploits so you need to have some kinda security scheme that accounts for this.

Chrome and IE9 have LI and sandboxing. They also patch.

All Opera does is patch. It plays cleanup with its code, but as we both agree that all software has bugs and exploits that's really a pretty trivial pursuit. It's an arms race against hackers but they only ever need one exploit.

Carbonyl
June 26th, 2011, 01:49 PM
-{ Quote: "Sandboxing is not a catch-all. Especially not Sandboxie." }-

Not trying to be inflammatory here, but I'm genuinely curious.

In the context of Opera's security vulnerabilities as discussed in this thread, how would Sandboxing (even with Sandboxie) not be sufficient to pick up the supposed slack on Opera's end of things?

Even if there were a huge exploit in Opera that was attacked, I can't see how Sandboxing wouldn't prevent it from delivering the payload.

Are you implying that something could escape the sandbox? Or talking more about nasties doing their thing within the sandbox?

blacknight
June 26th, 2011, 02:00 PM
-{ Quote: "

"Real security" what the hell does that even mean? Applications should be designed with security in mind... especially your most used web facing application.

" }-


In an ideal world all the applications and the OS would be safe and we would not need security software. The real world is not so.

Acadia
June 26th, 2011, 02:03 PM
-{ Quote: " Especially not Sandboxie." }-
Are you implying that Sandboxie is one of the poorer sandboxing programs? If so, that runs contrary to almost everything that I have ever read here at Wilders.

Acadia

Hungry Man
June 26th, 2011, 02:10 PM
No. I'm saying that people put far too much stock into sandboxie -- especially for browser security.

Browsers have multiple tabs so a sandbox for all of them means they can still access each other. IE9/ Chrome don't have to worry about this. Opera does.

Sandboxing isn't a catch-all.

moontan
June 26th, 2011, 02:30 PM
-{ Quote: "No. I'm saying that people put far too much stock into sandboxie -- especially for browser security.

Browsers have multiple tabs so a sandbox for all of them means they can still access each other. IE9/ Chrome don't have to worry about this. Opera does.

Sandboxing isn't a catch-all." }-

yes, but since everything is sandboxed you can delete the content of the sandbox on exiting the browser and everything is gone, no?

unless we are talking about "man in the browser" attack.

i'd appreciate if you could expand a little more on the subject.

tnx m8!

Hungry Man
June 26th, 2011, 02:42 PM
I've never heard of man-in-the-browser attack but I can assume it's just a play on man-in-the-middle attack.

The idea behind sandboxing individual tabs (purely in terms of security, not going to get into performance/ stability) is that if one browser tab is compromised the others won't be.

If all of my tabs reside in a single process then they aren't separated and a single attack is enough to gain access to every tab's information.

So if I have tab A and tab B where tab A is sensitive information and tab B is malicious code... sandboxing the two is one proven way to prevent them from intermingling. Sandboxie would not do this -- it would just put them both in the same sandbox.

This is why programs/ operating systems need to be built around security and not rely on third parties to secure them.
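
The tab A / tab B scenario from the post above, as an added example that is not part of the original thread: a small model in which `scan()` stands in for code running inside a compromised tab, once with both tabs in one process and once with one OS process per tab. All names and values (`BANK`, `EVIL`, `RENDERER`, the cookie string) are hypothetical and constructed for the illustration.

```python
import subprocess
import sys

# Constructed sample data: one sensitive tab (A), one hostile tab (B).
BANK = ("bank.example", "session=constructed-bank-cookie")
EVIL = ("evil.example", "nothing-of-value")

# Code loaded into every renderer. scan() models what injected code can do
# once it runs inside a renderer: walk that process's heap for page state.
RENDERER = '''
import gc
class Tab:
    def __init__(self, origin, secret):
        self.origin, self.secret = origin, secret
def scan():
    return sorted(t.secret for t in gc.get_objects() if isinstance(t, Tab))
'''

def single_process():
    """All tabs share one process, so they also share one heap."""
    ns = {}
    exec(RENDERER, ns)
    tabs = [ns["Tab"](*BANK), ns["Tab"](*EVIL)]   # keep both tabs alive
    return ns["scan"]()

def process_per_tab():
    """One OS process per tab; the bank tab stays alive while evil scans."""
    def spawn(tab, body):
        src = RENDERER + "import sys\ntab = Tab(*sys.argv[1:3])\n" + body
        return subprocess.Popen([sys.executable, "-c", src, *tab],
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                text=True)
    bank = spawn(BANK, "print('ready', flush=True); sys.stdin.read()\n")
    bank.stdout.readline()                 # bank tab is loaded and running
    evil = spawn(EVIL, "print('\\n'.join(scan()))\n")
    seen = evil.communicate()[0].split()   # what the hostile tab could read
    bank.communicate()                     # close stdin, let the bank tab exit
    return seen

if __name__ == "__main__":
    print("single process :", single_process())
    print("process per tab:", process_per_tab())
```

The model covers only address-space separation; the low-integrity and sandbox mechanisms named in the thread are what restrict a compromised renderer from reaching other processes through the operating system.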

Daveski17
June 26th, 2011, 03:03 PM
Sorry to sidetrack slightly, but what conclusion are we coming to about Opera's security overall, especially compared to Chrome & Firefox?

Spruce
June 26th, 2011, 03:34 PM
-{ Quote: "Sorry to sidetrack slightly, but what conclusion are we coming to about Opera's security overall, especially compared to Chrome & Firefox?" }-
Seems like it sucks...but I like the browser and use it anyway :)

Sully
June 26th, 2011, 03:35 PM
-{ Quote: "

So if I have tab A and tab B where tab A is sensitive information and tab B is malicious code... sandboxing the two is one proven way to prevent them from intermingling. Sandboxie would not do this -- it would just put them both in the same sandbox.

This is why programs/ operating systems need to be built around security and not rely on third parties to secure them." }-
I would agree with that for the most part. However, this assumes that the user is a neophyte and does not understand anything about how they might become compromised. I would never have one tab open in any browser that had sensitive infos on it, while at the same time surfing to a less than trustful site in another tab. It is asking for problems.

Including the ability of one tab in a job object to stay segregated from another is a very valid point. But isn't comparing a sandboxie to sandboxed tabs like apples and oranges? SBIE creates an environment that is segregated from the real OS, and that is its purpose. It is not meant to segregate components of an application within its environment. I agree SBIE isn't a catch all, but that isn't the point here, is it? The point is, if you are not advanced enough to know not to have a tab open with your bank infos and surfing pr0n at the same time, then nothing, including SBIE is going to help you out. Using a browser that segregates tabs would be the best choice, but if you are going to "bank and spank" at the same time (LOL), maybe you should get what you deserve ;)

Sul.

Corno
June 26th, 2011, 03:48 PM
-{ Quote: "Seems like it sucks...but I like the browser and use it anyway :)" }-


Yeap!

Hungry Man
June 26th, 2011, 04:20 PM
Sully,

I agree that the user should be smarter than that. The fact is that you can have legit sites get attacked in another tab. How likely is this? It doesn't really matter -- it's a situation that the user should be protected from.

Yes, sandboxie and sandboxed tabs are two separate things -- if anything, that's my point. People hear "sandboxing" and think it doesn't have any subdivisions, when of course it absolutely does. There are multiple types of sandboxes.

========================

Daveski,

It seems that Opera's security is on-par with firefox's. It relies on a blacklist to prevent malicious websites. Something Chrome and IE9 both offer.

Other than that I can't really see what features it provides security-wise.

Sully
June 26th, 2011, 05:31 PM
-{ Quote: "
Yes, sandboxie and sandboxed tabs are two separate things -- if anything, that's my point. People hear "sandboxing" and think it doesn't have any subdivisions, when of course it absolutely does. There are multiple types of sandboxes." }-
Yep, all too true. The term "sandbox" is used universally, and while the general definition might be something like

"an area kept separate that can be raked clean"

there are multiple technical versions, for sure.

Sul.

Daveski17
June 26th, 2011, 06:17 PM
-{ Quote: "Seems like it sucks...but I like the browser and use it anyway :)" }-

LOL! Yeah, when I use Opera I can always have the extensions: WOT, NotScripts, External Scripts, VirusTotal & a good adblocker. So, it can't be that bad. ;)

Daveski17
June 26th, 2011, 06:19 PM
-{ Quote: "

Daveski,

It seems that Opera's security is on-par with firefox's. It relies on a blacklist to prevent malicious websites. Something Chrome and IE9 both offer.

Other than that I can't really see what features it provides security-wise." }-

OK, there are some security extensions available for Opera though.

Hungry Man
June 26th, 2011, 06:25 PM
Not really interested in security extensions, honestly. Security is one of the few things I think needs to be built into a program -- especially a browser.