
Security in Opera

Opera has been named the "most secure browser you can use", and similar things, by a number of publications and people, and this is not for nothing. Since version 3.0, Opera has been at the forefront of Internet security, supporting Secure Socket Layer versions 2.0 and 3.0 and offering the maximum available key strength of 128 bits, a necessity in this day and age of e-commerce and online banking, in the US as well as in the rest of the world. Unlike other Internet browsers, whose security loopholes are detailed in periodicals almost on a weekly basis, Opera Software AS has taken a more cautious approach, waiting, troubleshooting and testing until we have a product that is as safe to use as our users would like their browser to be. The result is Opera.


Encryption in Opera - SSL and TLS

Secure Socket Layer (SSL) v2 and v3 support began in Opera 3.0 and continues in present Opera versions. These protocols are enabled by default under Opera's "File/Preferences", "Security". Although the actual strength of encryption is determined by the site itself, and not by the browser, Opera offers instant 128-bit encryption.

Opera 3.50 was the first commercially available browser to support Transport Layer Security (TLS) 1.0, which is the successor of SSL. TLS in Opera offers up to 128 bit encryption. Again, the actual strength of the encryption is "decided" by the site itself.

The Document security status in Opera is represented by an icon on the "Progress bar" (in lower left corner of each document window). One of four icons will show the current document status:

Default button set

Text: Status
No Security: Document is without any encryption or authentication.
Low Security: Vulnerable keys methods with 32-bit to 64-bit encryption.
Medium Security: 64-bit to 96-bit encryption, as well as all SSL version 2 encryption methods with 64-bit keys or more. SSL v2 will be phased out due to certain weaknesses within the next few years.
High Security: 96-bit encryption and above (up to 128-bits), with the exception of SSL version 2 methods.

If you wish to, you can enable text on the buttons to see the document security status. Go to "File/Preferences", "Toolbars" to enable it.


Glossary

Here is a glossary of the terms and abbreviations used in this document. Please refer to it if you have any questions about them. At the bottom of the glossary you will find an explanation of the ciphers that are supported in Opera's security protocols.

Term: Explanation
Bit: A single digit of a number written in the binary number system used by computers. A binary number uses only zero (0) and one (1) as legal digits, as opposed to the decimal system (zero to 9) used by humans.
Byte: Collection of 8 bits. Can represent numeric values from 0 to 255, giving a total of 256 possible values.
Decryption: Method used to make information that is unreadable (scrambled) readable again by using the proper methods and information to reverse the process.
Encryption: Method used to make information unreadable (scrambled) without the proper decryption (unscrambling) methods and information.
Encryption Keys: A secret number or combination of numbers that is used to encrypt or decrypt data. These are most often secret (see Public Key/Private Key for a variation). The length of these keys is given in bits, and is usually used as a measure of how difficult it is to find the key, or to break the method.
HTTP: The protocol used to transfer documents and files over the World Wide Web.
HTTPS: HTTP with SSL; all communication of HTTP data is made with the SSL protocol.
Private Key: You use the private key yourself to encrypt data you wish to transmit. This data can be decrypted and read by everyone who has the public key corresponding to your personal certificate, but the security lies in that they know that you are the only one that can encrypt the data with the private key.
Public Key: Conversely, everyone who has your public key can encrypt data and transmit it to you, and be absolutely sure that you are the only one that can decrypt the data and read it, using your private key. It's as simple as that.
RSA: Public key encryption method, named for the inventors Rivest, Shamir and Adleman. Uses simple math, but is very difficult to break, as the use of large prime numbers is a central foundation of this method.
SSL: SSL is a protocol that is used to communicate over an encrypted connection, and to authenticate none, one or both of the participants. There are two versions in use on the Internet today, SSL version 2 (SSL v2) and SSL version 3 (SSL v3). SSL version 1 has been superseded by these protocols, and SSL v2 is also close to being discontinued, as SSL v3 is more flexible and considered safer than SSL v2.
TLS: The successor of SSL, TLS in Opera offers up to 128 bit encryption. The actual strength of the encryption is "decided" by the site itself, but many servers are beginning to use this advanced protocol. Opera gives you the chance to select which parts of the protocol you wish to have enabled. If a site uses SSL, the TLS protocol will work in most cases.

Cipher: Explanation
Authentication Only: This method does not encrypt the transmitted data, but can authenticate the server, and if necessary, yourself, and verifies that the data have not been tampered with. This method lets anyone read your data, but not change them. It may be used for transmission of already encrypted data, saving the computational time needed for the extra, unnecessary, encryption.
C2: An encryption method compatible with RC2 (developed by RSA Data Security Inc.). It can use 40 bit or 128 bit keys (128 bit only in SSL v2).
C4: An encryption method compatible with RC4 (also developed by RSA Data Security Inc.). It can use 40 bit or 128 bit keys.
DES: An encryption method developed by IBM in 1974, and certified as a US standard at least until 1998. It can use 40 or 56 bit keys.
3-DES: An adaptation of DES using 3 encryption/decryption steps with 3 different keys, giving a total of 168 bit in the key.


Security Preferences

In this menu, you can change the security settings for your Opera to comply with your Internet security wishes. Although they might appear confusing and daunting at first, most settings are actually easy to figure out once you have a little bit of background information, and should present no major obstacle. Keep in mind, though, that editing these settings without knowing the impact may result in error messages when you connect to secure sites.

Certificates

The first part of this menu deals with certificates. "Certificates", in this context, means digitally signed data records with information either about an Internet user, which is a personal certificate, or about the one with the authority to sign the certificate, commonly referred to as the Certificate Authority.

Clicking on the "Personal..." button will take you to the Personal Certificates menu, and clicking the "Authorities..." button will take you to the Certificate Authorities menu.

Please see the instructions on installing certificates further below.

Security Protocols

In this part of the menu, you are able to select which security protocols your Opera should enable for use on the Internet. Opera supports SSL v2, its successor SSL v3 and its successor TLS 1.0, which make up the de facto standards for security on the Internet today. All of these protocols are enabled by default, and can be selectively disabled as per your wishes.

To the right of the protocol names, you'll find two buttons, "Configure v2..." and "Configure v3 and TLS...", which, when pressed, will take you to the menus where you can configure SSL v2 and configure SSL v3, respectively.

Password

Seeing as Opera is an Internet browser with security features that offer up to 128-bit encryption, an important and often overlooked threat to your personal security is the use of Opera by others with access to the same machine. Opera solves this, if you let it, by allowing you to set a security password that prevents others from using your security features.

Note! The password this section of the menu refers to only protects sensitive information for your local copy of Opera: Your personal certificates and your password for the internal e-mail client in Opera, if applicable.

In order to set a security password, press the button named "Set password..." in this part of the menu. You will then be presented with a dialog for typing in a password. Type in anything you want, but remember these two "golden rules":

  1. A password should be obscure, as long as necessary, and it should have a mixture of alphabetic characters, both lower and upper case, numbers and other characters; the more, the merrier. With today's efficiency at breaking keys by brute computer force, a moderately secure password should be 10 random characters or more, a really secure one more than 20 random characters (change characters to words if you are using readable words). And of course you should be able to remember the password, and not write it down on paper or anything else.

  2. Never select the birthdays or the name(s) of your wife, husband, girlfriend/boyfriend, children, parents, favorite artist or TV-character or movie, your dog or cat, words that are in any kind of dictionary by themselves, or citations from literature; if somebody wants to break your password (or any password) they will not just have these items and more on hand, they will use them automatically.

Pressing the "OK" button will confirm your selection, while pressing "Cancel" will exit the dialog, discarding your entered password.

Note! One of the most important things about keeping a password secure is that you'll need to remember it in your head - writing it down on a Post-it® Note and sticking it under your computer monitor or keyboard will not suffice. Should you lose your password, there is no way to get it back, neither from your copy of Opera nor from Opera Software AS, so make sure you remember what it is, and never ever forget it.

Following the creation of a password come the options on when to use it. Choose between having to enter the password once per session that Opera is active, whenever it is necessary, or, if you wish, having Opera demand it from you on a regular basis to lessen the chance that anyone else could be accessing the secure parts of Opera. This setting can be altered later.

Show alert

The very nature of the HTTP protocol is that it does not contain any way of encrypting data sent through forms on the Internet in itself, only through the use of the SSL or TLS protocols to form the HTTPS protocol. This process is lengthy and complicated, and relatively unnecessary for most of the information that is sent through the Internet every day, exemplified by on-line search services and engines.

This information can be read by anyone that wishes to do so, and who knows how to do it, which may not be what the user of the Web browser in question wants. Therefore, Opera will prompt you with a warning message whenever you do send information through an insecure form. If you want to disable this warning message, uncheck the box labeled "Before submitting a form insecurely".


Personal Certificates

Personal certificates are data records containing information certifying that, basically, you are who you claim to be. The certificates consist of two parts: a private key, that you keep secret for yourself, and a public key, that you may send to each and every one you communicate with, or post in a database.

See the glossary for an explanation of these terms.

These are the items you'll see in the "Personal Certificates" menu:

Certificates
A list of personal certificates that you have got installed is displayed in this field. You may have several certificates issued to yourself, each for a different public and private key set. In order to view a particular certificate, highlight the certificate to view the details of it in the fields below.

Certificate name
This field contains the name and personalia the certificate was issued to, i.e. your own name and personalia. Unless you're using someone else's copy of Opera and they haven't password-protected their personal certificates, that is. You'll see the name and the address, as well as other relevant information in this field.

Issuer
Here, you'll see the name of the issuer of the certificate. This field also contains corporate information about the issuer, such as the postal address and other contact information, for easy communication and reference.

Below these fields, a field containing information about the certificate itself is placed. You'll probably see the certificate version, serial number, the date the certificate was created and the date it will expire, as well as the public key algorithm. Note that the private key algorithm is never shown here, but is always encrypted until it is used.


Certificate Authorities

Certificate Authority certificates are data records containing information certifying that the server making use of them is what it claims to be and not some other site. Certificate Authority certificates consist of two parts: a private key, that is kept secret, away from prying eyes, and a public key, that may be sent to any number of people the site wishes to communicate with, or it may be posted in a publicly available database.

See the glossary for an explanation of these terms.

These are the fields you will see in the "Certificate Authorities" menu:

Certificates
A list of Certificate Authority certificates that are installed in your copy of Opera. Opera already comes with a number of these certificates installed, in order to make using the Internet smoother for the user. The list reads:

  • Thawte Personal Freemail CA
  • Thawte Personal Basic CA
  • Thawte Personal Premium CA
  • Thawte Server CA
  • Thawte Premium Server CA
  • Secure Server Certification Authority
  • TC TrustCenter, Germany, Class 0 CA
  • TC TrustCenter, Germany, Class 1 CA
  • TC TrustCenter, Germany, Class 2 CA
  • TC TrustCenter, Germany, Class 3 CA
  • TC TrustCenter, Germany, Class 4 CA
  • Class 3 Public Primary Certification Authority
  • KMD-CA Server

Certificate name
This field contains the name of the certificate you have got installed, as well as other corporate information about the certificate, as deemed nice-to-know by the issuer.

Issuer
Here, you'll see the name of the issuer of the certificate. This field also contains corporate information about the issuer, such as the postal address and other contact information. This field may or may not differ from the above "Certificate name" field.

Below these fields there is a field containing information about the certificate itself. You'll probably see the certificate version, serial number, the date the certificate was created and the date it will expire, as well as the public key algorithm. Note that the private key algorithm is never shown here, but is always encrypted until it is used.


Configuring the SSL v2 Protocol

Opera allows you to manually select the encryption methods you wish the browser to be able to make use of. In this menu, you configure the SSL v2 protocol as you wish.

The encryption methods shown in the configure SSL v2 box have this format, which is called a "cipher":

[n] bit [Method] ([Public key-method]/[Hash method])

This describes how many bits (n) the encryption keys used for transmission of data have, which Method is used for data transmission, which Public key method is used to exchange the shared secrets needed and the Hash method used to verify that the transmitted data are correct.

These are the ciphers that are supported in Opera:

40 bit C2 (RSA/MD5)
40 bit C4 (RSA/MD5)
56 bit DES (RSA/MD5)
128 bit C2 (RSA/MD5)
168 bit 3-DES (RSA/MD5)
128 bit C4 (RSA/MD5)

See an explanation of these terms in the Glossary.

All of these methods are enabled by default. You may selectively disable or enable them by clicking on the entries. When highlighted, they are selected. Pressing the "OK" button will save your settings, while pressing the "Cancel" button will discard your settings.


Configuring the SSL v3 and TLS 1.0 Protocols

Opera allows you to manually select the encryption methods you wish the browser to be able to make use of. This is the menu in which you configure the SSL v3 and TLS 1.0 protocols. The reason these two technologies share the same menu is that they are too closely fitted to be split up.

The encryption methods shown in the configure SSL v3/TLS 1.0 box have this format, which is called a "cipher":

[n] bit [Method] ([Public key-method]/[Hash method]) [Export level]

This describes how many bits (n) the encryption keys used for transmission of data have, which Method is used for data transmission, which Public key method is used to exchange the shared secrets needed and the Hash method used to verify that the transmitted data are correct. Export level refers to the methods you'd normally have to have special permission to export from the US, but since Opera is being developed in Norway, the Opera browser is not under these restrictions.

These are the ciphers that are supported in Opera:

0 bit Authentication Only (RSA/SHA)
40 bit C2 (RSA/MD5)
40 bit C4 (RSA/MD5)
40 bit DES (RSA/SHA)
56 bit DES (RSA/SHA) Exportable
56 bit C4 (RSA/SHA) Exportable
56 bit DES (RSA/SHA)
168 bit 3-DES (RSA/SHA)
128 bit C4 (RSA/MD5)
128 bit C4 (RSA/SHA)

See an explanation of these terms in the Glossary.

By default, all but the first entry "0 bit Authentication Only (RSA/SHA)" are enabled. You may selectively disable or enable them by clicking on the entries, but be wary when enabling the "0 bit Authentication Only (RSA/SHA)", because, although this is a secure method that will make sure the information is sent and received as it should be, it does not encrypt the information being sent.

When highlighted, these ciphers are selected. Pressing the "OK" button will save your settings, while pressing the "Cancel" button will discard them.
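The cipher label format and the status-icon thresholds described on this page can be combined into a small audit of which enabled entries fall below a chosen level. This is an added example, not Opera's code: the function names, the "Not encrypted" label for entries below 32 bits, and the handling of the exact 64-bit and 96-bit boundaries are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Label format from the page:
#   [n] bit [Method] ([Public key-method]/[Hash method]) [Export level]
# Export level is optional; spaces around the method may be missing.
CIPHER_RE = re.compile(
    r"^\s*(?P<bits>\d+)\s*bit\s*(?P<method>.+?)\s*"
    r"\(\s*(?P<pubkey>[^/()]+?)\s*/\s*(?P<hash>[^/()]+?)\s*\)\s*"
    r"(?P<export>\S.*?)?\s*$"
)

class Cipher(NamedTuple):
    bits: int
    method: str
    pubkey_method: str
    hash_method: str
    export: Optional[str]

def parse_cipher(label: str) -> Cipher:
    """Split one cipher label into its fields; reject anything else."""
    m = CIPHER_RE.match(label)
    if m is None:
        raise ValueError(f"not a cipher label: {label!r}")
    return Cipher(int(m["bits"]), m["method"], m["pubkey"], m["hash"], m["export"])

# Status texts ordered from weakest to strongest.
ORDER = ["Not encrypted", "Low Security", "Medium Security", "High Security"]

def security_status(protocol: str, cipher: Cipher) -> str:
    """Map a cipher to the status text of the page's icon table."""
    if cipher.bits < 32:
        # Assumption: the table has no row below 32 bits, so the 0-bit
        # "Authentication Only" entry gets its own label here.
        return "Not encrypted"
    if cipher.bits < 64:
        return "Low Security"
    # Assumption for the overlapping boundaries: exactly 64 bits counts as
    # Medium and exactly 96 bits as High. SSL v2 never rises above Medium.
    if protocol == "SSL v2" or cipher.bits < 96:
        return "Medium Security"
    return "High Security"

def below_minimum(protocol: str, labels: List[str], minimum: str) -> List[str]:
    """Return the labels whose status ranks below `minimum`."""
    floor = ORDER.index(minimum)
    return [label for label in labels
            if ORDER.index(security_status(protocol, parse_cipher(label))) < floor]

# Cipher lists as given on this page.
SSL_V2 = [
    "40 bit C2 (RSA/MD5)", "40 bit C4 (RSA/MD5)", "56 bit DES (RSA/MD5)",
    "128 bit C2 (RSA/MD5)", "168 bit 3-DES (RSA/MD5)", "128 bit C4 (RSA/MD5)",
]
SSL_V3_TLS = [
    "0 bit Authentication Only (RSA/SHA)",
    "40 bit C2 (RSA/MD5)", "40 bit C4 (RSA/MD5)", "40 bit DES (RSA/SHA)",
    "56 bit DES (RSA/SHA) Exportable", "56 bit C4 (RSA/SHA) Exportable",
    "56 bit DES (RSA/SHA)", "168 bit 3-DES (RSA/SHA)",
    "128 bit C4 (RSA/MD5)", "128 bit C4 (RSA/SHA)",
]

if __name__ == "__main__":
    for proto, labels in (("SSL v2", SSL_V2), ("SSL v3", SSL_V3_TLS)):
        for label in below_minimum(proto, labels, "High Security"):
            status = security_status(proto, parse_cipher(label))
            print(f"{proto}: {label} -> {status}")
```

Run against the page's lists, every SSL v2 entry falls below "High Security", which matches the table's rule that SSL version 2 methods never receive the highest status.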


Certificates Explained

Certificates are actually small pieces of encrypted information that enable you and the server you are connecting to to verify that you are you and the server is the server. There are two types of certificates, Personal Certificates and Certificate Authority Certificates. Opera supports both types, making online transactions as safe as they possibly can be.

How to install Security Certificates in the Database:

Certificates come in several flavors, but they are basically either client-side or server-side, and Opera supports both personal certificates and certificates that are certifying Certificate Authorities. Opera does not come with any personal certificates already installed, so you will need to install personal certificates manually. Please follow the below instructions if you want to do so.


Installing Personal Certificates

Personal Certificates that you use to identify yourself to sites that require such identification are issued by a Certificate Authority, which is a Third Party that is trusted by you personally and those operating the service you want to use, to not issue fake certificates in your name and to verify that the information certified is correct.

The process involves these steps:

  1. Register with your selected Certificate Authority. Make sure that they can issue certificates for Opera. If they do not support Opera you will have to ask them to add Opera to their list of supported browsers.

  2. Depending on what kind of information the certificate shall include, you may have to provide the Certificate Authority with certain information or documents, either via forms, e-mail, ordinary mail, and in certain cases by personally visiting one of the Certificate Authority's offices to give the necessary information. Some Certificate Authorities require this information before allowing you to request a certificate, others have other practices; consult the information from your selected Certificate Authority to find out what they need.

  3. Visit the Certificate Authority's Web site and navigate to the page where you submit the request for a certificate. Fill in the necessary information they require for this particular certificate. Select the number of bits the private key shall have (at least 1024-bit is recommended). When the form is submitted Opera will generate a private key/public key pair that is inserted into the password protected database. The public key is then sent, along with the other data entered, to the Certificate Authority to be included in the certificate.

    Note! The private key never leaves your computer, and is not known to the Certificate Authority. It only knows that you have the private key associated with the public key it received, which cannot be used to easily find the private key.

  4. The Certificate Authority will then process your request, a process that may take a few days. If necessary you may have to provide certain documents that are needed and authorize payment for the certificate. When the certificate has been issued you will most often receive an e-mail that gives you a URL where you can download the certificate.

  5. When you download the certificate from the Certificate Authority, Opera will automatically start the installation procedure.

    If you received your certificate as an e-mail attachment you must point Opera at the file containing the certificate. Installation will start automatically provided that the file extension matches the ones in the "File/Preferences", "File types" for "application/x-x509-user-cert" (default ".usr").

    In some cases certificates are distributed as PEM-files (Privacy Enhanced Mail) and generally have the file-extension ".pem", of the type "application/x-pem-file".

    The PEM files always start with the line

    -----BEGIN CERTIFICATE-----

    followed by a lot of seemingly random letters and digits ending with the line

    -----END CERTIFICATE-----

    As above, point Opera at the file, and installation should start automatically.

    See more information about installing a PEM encoded certificate below.

  6. You can now start using your certificate. When the server asks for a certificate Opera will open a dialog-box asking you which certificate (if any) you wish to use with that particular server.


Installing Certificate Authority certificates

Certificate Authorities create special certificates for themselves that certify their master private keys. These certificates are called Root Certificates, and each particular certificate level generally has its own (e.g., one for e-mail-only certificates, another for full name personal certificates, and a third for servers). Opera is shipped with a number of such certificates, but this list does not contain all available root certificates.

Sometimes you may have to install certificates for unknown authorities. If that is the case, please follow these instructions:

For personal certificates these Root Certificates are often included with the certificate that is issued to you, and therefore installed automatically if they are not already installed. If Root Certificates are not shipped with the certificate, the Certificate Authority should provide links to the certificates. Installation is usually automatic.

If you encounter a server with a certificate issued by an unknown Certificate Authority you will be asked if you accept the certificate. If the certificates sent by the server contain the Root Certificate from that Authority you will be offered the possibility to install its certificate and to set the guideflags for that particular Certificate Authority.

Most Certificate Authorities provide links to their Root Certificates (the top entry pages of some services may also have such links). Clicking these links will automatically start the installation procedure.

If you received the Root Certificate as an e-mail-attachment or file you must point Opera at the file containing the certificate. Installation will start automatically provided that the file extension matches the ones in the "File/Preferences", "File types" for "application/x-x509-ca-cert" (default ".crt" or ".ca").

In some cases certificates are distributed as PEM-files (Privacy Enhanced Mail) and generally have the file-extension ".pem", of the type "application/x-pem-file".

The PEM files always start with the line

-----BEGIN CERTIFICATE-----

followed by a lot of seemingly random letters and digits ending with the line

-----END CERTIFICATE-----

As above, point Opera at the file, and installation should start automatically.

See more information about installing a PEM encoded certificate below.


Install a PEM encoded Certificate

This box is shown if you load a file holding a PEM encoded certificate. The actual installation procedure depends on whether this certificate is a personal certificate or a Certificate Authority certificate, which is determined after you press OK.

Because of the dual nature of this box you may set the authority flags, but they will not be used for a Personal Certificate.

If the first certificate in the chain has a public key that matches the public key of a private key already in the database, that certificate will be considered a personal certificate and installed in the Personal Database, otherwise it will be treated as a Certificate Authority certificate.

The remaining certificate, if any, must be the certificate of the signer of the personal certificate. That certificate must either be self-signed (and the last certificate), or be signed by the next certificate in the list.

These certificates are installed in the Authorities Database if they are not already installed, and will cause a warning to be issued if a server sends a certificate signed by the new authorities.
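The database-selection and chain-ordering rules described above can be modeled as follows. This is an added example, not Opera's code: `Cert`, `signed_by` and `plan_install` are hypothetical names, the records are simplified stand-ins for parsed certificates, and issuer/subject name matching stands in for real signature verification.

```python
from typing import List, NamedTuple, Set, Tuple

class Cert(NamedTuple):
    # Simplified stand-in for one decoded certificate from the PEM file.
    # Assumption: a real implementation decodes these fields from the DER
    # data between the BEGIN/END CERTIFICATE lines.
    subject: str
    issuer: str
    public_key: bytes

def signed_by(cert: Cert, signer: Cert) -> bool:
    # Assumption: name chaining replaces verifying cert's signature with
    # signer's public key, which a real browser must do.
    return cert.issuer == signer.subject

def plan_install(chain: List[Cert], pending_keys: Set[bytes],
                 installed_cas: Set[str]) -> List[Tuple[str, str]]:
    """Return (database, subject) pairs for a chain, or raise ValueError.

    pending_keys  : public keys whose private keys are already in the
                    password-protected database (from certificate requests).
    installed_cas : subjects already present in the Authorities Database.
    """
    if not chain:
        raise ValueError("file contains no certificate")

    # Every certificate after the first must have signed the one before it,
    # and must be self-signed exactly when it is the last in the list.
    for i in range(1, len(chain)):
        prev, cert = chain[i - 1], chain[i]
        if not signed_by(prev, cert):
            raise ValueError(f"{cert.subject!r} did not sign {prev.subject!r}")
        is_last = i == len(chain) - 1
        if signed_by(cert, cert) != is_last:
            raise ValueError(f"{cert.subject!r}: self-signed must mean last")

    first = chain[0]
    plan: List[Tuple[str, str]] = []
    if first.public_key in pending_keys:
        # Key match: the first certificate is a personal certificate.
        plan.append(("Personal", first.subject))
        authorities = chain[1:]
    else:
        # No key match: the whole list is Certificate Authority material.
        authorities = chain
    for cert in authorities:
        if cert.subject not in installed_cas:
            plan.append(("Authorities", cert.subject))
    return plan

# Constructed sample chain (names and key bytes are made up).
ROOT = Cert("Example Root CA", "Example Root CA", b"root-key")
ISSUING = Cert("Example Issuing CA", "Example Root CA", b"issuing-key")
USER = Cert("Alice Example", "Example Issuing CA", b"alice-key")

if __name__ == "__main__":
    print(plan_install([USER, ISSUING, ROOT], {b"alice-key"}, {"Example Root CA"}))
```

Without a matching private key in the database, the same file would place the first certificate in the Authorities Database, which is why the authority flags in this dialog deserve attention before pressing OK.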

Disclaimer: We cannot guarantee that the instructions in these documents will work on every computer and every platform. Please inform us if you have problems with Opera, but please, first check our online support section, as this section is updated on a regular basis with information about the Opera Browser.

Copyright © 1995 - 2000 Opera Software AS. All rights reserved.