We have just released a silent update of Opera 20; you would most likely not even have noticed it. From a security perspective, we have made two interesting changes in this update.

The first one regards what we call the badge, the icon to the left of the address field. In Opera 19, there were two different icons one could see: one for regular pages, and one for secure pages. However, the world is often complicated, and there is a large gray area in between. So for Opera 20, we experimented with a third icon, a padlock with a cross over it, for web pages which tried to be secure, but failed. In previews, we did not get much feedback, but once this change went into the Stable releases, many users noticed and wondered why the pages they viewed were insecure; they had not noticed this before. (Two high-profile examples were Gmail being insecure after clicking on the Apps icon, and Angry Birds on iTunes.) So in this respect, the new icon succeeded, but as it simultaneously made users uncomfortable and sceptical, we have decided to revert this change. We will do some more work on this, and may release an improved version in the future. Even small changes we make to the address bar can have large effects for users.

The second change is related to a feature called Content Security Policy (CSP). A user noticed that CSP 1.1 leaks significant amounts of information cross domain, and showed how this could be abused to gain information about visitors’ relationships with other sites. There is currently a detailed discussion about this in the Web Application Security Working Group. Opera has not previously participated in developing CSP, but we are now actively partaking in the discussion in order to enhance its security. Opera 20 used to fully support CSP 1.1, but with this change, we are no longer supporting paths as specified. Webmasters can still specify paths, but Opera will only consider the domain. This was a change which could be deployed to our users fast, which takes care of the main security issues, and which continues to work with existing sites and configurations. Once CSP 1.1 is changed to be secure, we plan to follow the specification again.
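
To make the path change concrete, here is an added example (not Opera's code) of a small CSP host-source matcher. It can honour paths as CSP 1.1 specifies, or ignore them and compare only scheme, host and port, which is the behaviour described above. The policy string, host names and URLs are constructed sample inputs; keyword sources such as 'self' are left out of scope.

```python
# Added example (not Opera's code): a small CSP host-source matcher that
# can honour paths as CSP 1.1 specifies, or ignore them and compare only
# scheme, host and port, which is the Opera 20 behaviour described above.
# The header value and URLs below are constructed sample inputs.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Keyword sources are out of scope for this matcher and never match here.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}


def parse_directive(csp, name):
    """Return the source expressions listed for directive `name` in a CSP header value."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name.lower():
            return tokens[1:]
    return []


def _effective_port(parts):
    """Explicit port, else the default port of the scheme (None if neither is known)."""
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get((parts.scheme or "").lower())


def source_matches(source, url, honor_paths=True):
    """Match one host-source expression against an absolute URL.

    honor_paths=True  : CSP 1.1 semantics. A source path ending in '/' matches
                        any URL path with that prefix; otherwise the path must
                        match exactly (query strings are not compared).
    honor_paths=False : scheme, host and port only; the path is ignored, so the
                        allow/deny decision no longer depends on it.
    """
    if source in KEYWORDS or source == "*":
        return False
    if "://" not in source:
        source = "//" + source  # scheme-less host-source, e.g. cdn.example.com
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme and src.scheme.lower() != (tgt.scheme or "").lower():
        return False
    src_host, tgt_host = src.hostname or "", tgt.hostname or ""
    if src_host.startswith("*."):
        if not tgt_host.endswith(src_host[1:]):
            return False
    elif src_host != tgt_host:
        return False
    if (src.port is not None or src.scheme) and _effective_port(src) != _effective_port(tgt):
        return False
    if not honor_paths or not src.path:
        return True
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)
    return tgt.path == src.path


def allowed(csp, directive, url, honor_paths=True):
    """True if any source in `directive` permits `url` (no default-src fallback)."""
    return any(source_matches(s, url, honor_paths) for s in parse_directive(csp, directive))


if __name__ == "__main__":
    # Constructed sample policy: scripts only from a CDN directory and one exact file.
    CSP = ("default-src 'self'; "
           "script-src https://cdn.example.com/libs/ https://static.example.org/app.js")
    for u in ["https://cdn.example.com/libs/jquery.js",
              "https://cdn.example.com/other/tracker.js",
              "http://cdn.example.com/libs/jquery.js",
              "https://evil.example.net/x.js"]:
        print(u, "paths honoured:", allowed(CSP, "script-src", u, True),
              "domain only:", allowed(CSP, "script-src", u, False))
```

With `honor_paths=False` the second URL is allowed even though it lies outside `/libs/`: the policy becomes coarser, but the enforcement decision no longer carries any information about which path was requested, which is the trade-off the post describes for existing sites and configurations.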

In addition, the update contains relevant fixes from upstream, as always.

  • Destruction Preventer

    Almost all browsers have a broken padlock icon for failed secure connections. To remove this is a mistake IMO. Maybe you can implement a mixed content blocker like IE and FF that blocks HTTP content on a secure page.

    • Chas4

      Then that breaks many sites; the problem with a lot of sites is security.

      • Destruction Preventer

        Firefox only blocks active content and not passive, that works pretty well. Perhaps a notification more like Internet Explorer's is needed to make clear to regular users that something is blocked, and then they can easily add an exception to make it work again.

  • Michael A. Puls II

    While a padlock with a cross over it technically reflects the situation, it is indeed too scary. Scaring the shit out of the user is the *right* thing to do, but it’s not the best thing to do as users find it annoying.

    What Opera needs is an icon that doesn’t express failure and instead expresses mixed content. Chrome uses a padlock with a yellow caution sign over it where clicking the icon gives a description next to that icon where it says that the connection to the page is encrypted, but insecure content is present on the page. Firefox uses a gray caution sign with an exclamation point in it.

    I definitely like that better. But, an icon that’s split diagonally with one half being green and the other being gray might be a good indicator for mixed content. There’s just not much real estate to work with with that small icon. Just using a caution sign like Chrome and Firefox makes sense.

    Either way though, when you click the icon in Opera on a mixed content page, you get a vague “unprotected connection” error with the reason why being under details and under “Errors:”. Chrome is way way better at presenting the info.

    • > What Opera needs is an icon that doesn’t express failure and instead expresses mixed content.

      Even with mixed content there are several gradations. A single static icon image loaded over HTTP on a page served over HTTPS does not necessarily present a major security risk – although it might, depending on the context.

      A mixed-content stylesheet is more dangerous.

      A mixed-content script is even worse, as that effectively gives a MitM attacker full control over everything on the page.

      I’m not sure if a single icon should be used for all these states.

      • Michael A. Puls II

        Good points!

  • To clarify, the problem with Gmail being “insecure” was that it was loading a single icon over HTTP rather than HTTPS. A classic mixed-content issue, although in this case there was not really a significant security impact. The worst that could happen was a man-in-the-middle attacker replacing the image with their own – which in this specific case still couldn’t lead to the user unknowingly performing an unwanted action.

    • NoName

      A middle man could change out images, making the user do things that were not his/her intention. For instance, if all buttons were images, you could switch out the text, making the user press different buttons.

      Not the easiest to take advantage of, but it’s possible.
      You can’t talk about specific cases. Then you would have to whitelist sites, to allow them certain things. That would be bad 🙂

      • > A middle man could change out images, making the user do things that were not his/her intention. For instance, if all buttons were images, you could switch out the text, making the user press different buttons.

        That’s exactly what I was saying. It’s just that in this case, there is no such issue – even with a different image no security-sensitive action would be taken by the user if they clicked on it. Showing the mixed-content warning in that case, while technically correct, only scares users, or — even worse — teaches them to ignore the warning and move on.

        > You can’t talk about specific cases. Then you would have to whitelist sites, to allow them certain things. That would be bad 🙂

        Indeed. It’s a tricky problem. I think having separate icons for the various types of mixed-content would be a good start.

    • Chas4

      Or the image having exploit code in it

      • What do you mean? <img src="some-file"> would never execute JavaScript encoded within the image.

  • NoName

    I noticed the padlock. But as long as it just says “Mixed content” as cause, it’s hard to take any action. I have no idea of how bad the “mixed content” situation is.

    I also thought that it was a bug, since I used the developer version, and other browsers did not complain. (And the “bug” was posted several times already in comments.)

    Looking forward to see what you end up with.

    • > I also thought that it was a bug,

      See, this is exactly what we’d like to avoid. If our icons are confusing users, we should change them. If users think a warning icon is there because of a bug, that’s bad for security – worse than just the mixed-content issue itself. Hence this change.

  • rey Umbao

    I have version 18.0. How do I disable auto update? I want to lock in version 18.0. Can anyone help?

  • Chas4

    Outlook has a similar issue to Gmail; many of Apple’s sites do get the green lock.

  • Szymon K.

    It’s a little different question, but I’m glad that these new icons have been added. I learned recently that the new Opera uses Yandex Safebrowsing. Does it also use Google Safebrowsing? And is it possible to take account of this filter? 🙂

  • Roy Matthews

    Whatever icons, badges, etc. system you use to the left of the address field, why would you not have them coloured red, amber, green? This is the traffic light colouring worldwide and everyone knows what these three colours stand for. IMHO it would make things much less confusing.

  • Leif Roar Moldskred

    Save the “scary” icon for serious security problems and use a grey “almost closed” padlock (a row or two of empty pixels between the bold and the body on one side) for “probably safe enough for reading e-mail and editing wikis, but don’t trust it for your online banking needs”?

    Of course, coming up with a good classification for “probably secure, but minor issues” would be an interesting exercise.
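
The comments above draw a gradation between kinds of mixed content: a plain-HTTP image (the Gmail icon case) is passive, while an HTTP stylesheet or script gives a network attacker control over the page. As an added example that is not part of the post or its comments, the scanner below walks the HTML of a page served over HTTPS, resolves every subresource reference, and grades each plain-HTTP one as passive or active, which is the classification a separate-icons scheme would need. The page URL and HTML are constructed sample inputs; the passive/active split follows the W3C Mixed Content categories for the handful of tags covered.

```python
# Added example (not Opera's code): a mixed-content scanner that lists the
# plain-http subresources of a page served over https and grades each one as
# "passive" (an image, the Gmail icon case) or "active" (a stylesheet or
# script, which a network attacker could use to alter the page). The page
# URL and HTML below are constructed sample inputs.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Categories follow the W3C Mixed Content draft: images, audio and video are
# "optionally-blockable" (passive); everything else is blockable (active).
PASSIVE_TAGS = {"img", "audio", "video"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, absolute url, "passive" | "active")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in PASSIVE_TAGS or tag in ACTIVE_TAGS:
            self._check(tag, a.get("src"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("stylesheet", a.get("href"))

    def _check(self, kind, ref):
        if not ref:
            return
        # Resolve relative and protocol-relative references against the page URL;
        # only references that end up as plain http are mixed content.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme.lower() == "http":
            severity = "passive" if kind in PASSIVE_TAGS else "active"
            self.findings.append((kind, url, severity))


def scan(page_url, html):
    """Return the mixed-content findings for `html` served from `page_url`."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # mixed content is only defined for pages loaded over TLS
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings


def worst_severity(findings):
    """'active' if any active finding, else 'passive' if any, else None."""
    levels = {f[2] for f in findings}
    if "active" in levels:
        return "active"
    return "passive" if "passive" in levels else None


# Constructed sample page: one passive and two active http subresources,
# plus two https/protocol-relative references that are fine.
SAMPLE_PAGE_URL = "https://mail.example.com/inbox"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.org/theme.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://static.example.org/legacy.js"></script>
</head><body>
<img src="http://static.example.org/logo.png" alt="logo">
<img src="/images/avatar.png" alt="avatar">
</body></html>
"""

if __name__ == "__main__":
    findings = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for kind, url, severity in findings:
        print(f"{severity:7} {kind:10} {url}")
    print("overall:", worst_severity(findings))
```

Run on the sample page, the scanner reports the stylesheet and the legacy script as active and the logo as passive, so the overall grade is active; a page whose only problem is an HTTP image, as in the Gmail case, grades as passive. Note that the protocol-relative script is resolved to HTTPS and is therefore not flagged.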