Guide to security information

This guide describes the security information displayed in the browser. This information helps you decide whether a website is the one you intended to visit and whether it is trustworthy, which is especially important when entering private or financial information.

The security information to look for in the browser is shown and described below.

Security information in the address field

  1. Security badge
  2. Combined address and search bar

1. Address

The address for the webpage is displayed in the address field. This contains the registered name of a company, organization or person that identifies the specific computer on the Internet that is storing the webpage you requested. This is called a domain name, and ends with a suffix, such as .com, .org, .gov, or .edu, to indicate the type of organization.

To make it even easier for you to see exactly where you are, the most important part of the address is highlighted. The protocol, such as HTTP, and some parameter details are hidden. To see the full address, click the address field. You can disable this feature and display the full URL for all webpages. From the menu, select Settings > Preferences > Advanced > Browsing and select “Show full URL in address field”.

Domain names in other languages

Opera supports internationalized domain names (IDN), which allow domain names in languages such as Russian and Chinese to be written in their own native scripts. Opera will always display domain names in such a way that no two domains will look alike.

Tips

  • Before providing sensitive information, check whether the highlighted part of the address looks like where you expected to be. If it looks wrong, investigate further or consider carefully before entering personal information.
  • If you arrived at this website using links from another webpage or email, type the web address into the address field yourself. This ensures that you are directed to the correct website and have not been misdirected.

2. Opera's security badge

The security badge indicates the security of the website. Always look for a badge containing a padlock symbol, which indicates a webpage with a good level of protection.

For a full guide of the security badges, see the Fraud and Malware Protection topic.

3. Security information

To see security information, click the security badge. Summary information displays, as shown in the example below.

The summary describes the type of connection and may provide notes about the security record or organization running the site. For more information, click the Details button. This displays more information about the site's certificate and security connection.

Certificate

Click the certificate name to find specific and detailed information about the security certificate, such as the server name of the secure site, the organization name and country, the expiry date and who issued and signed the security certificate (Certificate Authority).

The increasing number of fraudulent websites has highlighted the importance of certification. Opera is a member of CA/Browser Forum, a voluntary organization of leading certification authorities (CAs) and browser vendors, and is part of the decision-making process in creating certificate standards.

If the organization name looks wrong, investigate further or consider carefully before entering personal information.

Certificate validity

Most of the time, certificates are fully valid. If there is something questionable about a certificate, a warning dialog will be displayed. You may choose to proceed, but full security cannot be guaranteed. Warnings include the following:

Server certificate expired
Certificates have expiry dates, and they must be renewed on a regular basis by whoever maintains the site. Accepting an expired certificate does not necessarily reduce security, but consider the site you are visiting and how long it has been since the certificate expired, before accepting.
Wrong certificate name
A certificate is issued by an authority for a single site to use, and sites cannot borrow certificates from each other, as this invalidates the whole concept of certificates. Accepting a certificate belonging to another site is not recommended.
Certificate signer not found
If the signer of a certificate is not found in your list of authorities, only accept the certificate if you are absolutely confident that whoever is running the site in question can be trusted.
Self-signed certificates

Some certificates are self-signed, which means that they are signed by the website owners themselves, and not an independent authority. Be aware that the browser cannot certify that the certificate comes from the person or organization stated. If you know that the signer can be trusted, and you want all sites using this signer to be considered as safe, install the certificate to add the signer to your list of authorities.
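The four warnings above can be read as checks on a certificate's fields. The following Python sketch is an added example, not Opera's code: it models them on constructed, already-parsed certificate records. The field names, trust list and host names are assumptions, and signer trust is reduced to a name lookup rather than real signature verification.

```python
from datetime import datetime, timezone

# Constructed data: trust list, host names and certificate records are hypothetical.
TRUSTED_SIGNERS = {"Example Root CA"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID = {"subject": "shop.example", "issuer": "Example Root CA",
         "names": ["shop.example", "*.shop.example"],
         "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
EXPIRED = dict(VALID, not_after=datetime(2024, 5, 2, tzinfo=timezone.utc))
SELF_SIGNED = dict(VALID, subject="intranet.example", issuer="intranet.example",
                   names=["intranet.example"])
UNKNOWN_SIGNER = dict(VALID, issuer="Unlisted CA")

def name_matches(pattern, host):
    """Compare a certificate name with a host; '*' covers one left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def certificate_warnings(cert, host, now=NOW):
    """Return the warnings from the list above that apply to this certificate."""
    warnings = []
    if now > cert["not_after"]:
        days = (now - cert["not_after"]).days
        warnings.append(f"Server certificate expired ({days} days ago)")
    if not any(name_matches(n, host) for n in cert["names"]):
        warnings.append("Wrong certificate name")
    if cert["issuer"] == cert["subject"]:
        # Signed by its own owner: only acceptable if that signer was installed as trusted.
        if cert["issuer"] not in TRUSTED_SIGNERS:
            warnings.append("Self-signed certificate")
    elif cert["issuer"] not in TRUSTED_SIGNERS:
        warnings.append("Certificate signer not found")
    return warnings

if __name__ == "__main__":
    for cert, host in [(VALID, "www.shop.example"), (EXPIRED, "other.example"),
                       (SELF_SIGNED, "intranet.example"), (UNKNOWN_SIGNER, "shop.example")]:
        print(host, certificate_warnings(cert, host))
```

Reporting how long ago a certificate expired supports the advice above to weigh the time since expiry before accepting.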

Manage certification

Opera, like all secure browsers, comes with a list of authorities that can issue certificates. This is upgraded with each new release of the Opera browser. To display a list of the authorities currently being used and your installed certificates, click "Manage certificates". For more details, see the "Manage certificates" section in Opera Help — Security.

More information

Some security terms explained

HTTP and HTTPS

These are common ways of accessing information over the Web and are defined in more detail below. HTTP is used for normal communication, while HTTPS is used for extra security for private information.

HTTP
This is an abbreviation for “Hypertext Transfer Protocol” and is the most common method of accessing information on the Internet. When you request a webpage, information about your browser and the address of the requested page is sent to the receiving server. The server sends back some information about what you requested, for instance whether it is a webpage, just an image, or a file to be downloaded, as well as what you actually requested.
HTTPS
This is an abbreviation for “Hypertext Transfer Protocol Secure” and is a secure version of HTTP. HTTPS allows your web browser to verify the identity of the server from which it is getting information, as well as to encrypt the information so that nobody else would be able to understand it.

While HTTPS is generally considered to be the more secure protocol, HTTPS does not automatically mean that you have a totally secure connection. An HTTPS site may still have some issues that make it vulnerable. Opera’s security badge in the address field is a more reliable indicator of security.

Encryption

Encryption protects your data while it is being sent from your browser to the website. It is a way of scrambling information sent so that only a legitimate recipient of that information can make it readable again. The most common form of encryption today is public key encryption.

Imagine a strongbox that has two keyholes and two separate keys. When you enter a secure page where Opera's icon displays "Secure", Opera and the website use public keys to agree on secret keys for that session. When you send your information to this secure site, you are effectively locking the box using your key; no one else can read the data being sent. The box (your data) can only be unlocked by the other key held by the website.

These security protocols are usually described as a string of text that looks something like this: "TLS v1.0 128 bit C4 (1024 bit RSA/SHA)". The first three letters indicate the security protocol used, such as the following:

TLS
TLS is short for "transport layer security", a security protocol based on its predecessor, SSL. It is considered the most secure protocol in common use today and is available as versions TLS 1.0 and TLS 1.1.
SSL
SSL stands for "secure sockets layer" and encrypts data with two keys. It is available as SSL versions 2 and 3. SSL version 3 is better than version 2, which is being phased out and is only used by a small number of websites these days.

Opera supports TLS and SSL version 3.

Levels of encryption

The level of encryption depends on the size of the key — the bigger (and more complex) the key, the higher the security. Opera automatically attempts to use the biggest keys possible.

Encryption blocks for websites

If the encryption method used by a site is outdated, you will see a notification along the lines of: "The site is using an outdated encryption method" and the site is blocked. A site matching one or more of the following criteria will trigger this type of notification and block:

  • The protocol SSL v2 is used.
  • Encryption methods with 40 or 56 bit keys are used.
  • Key exchanges are performed using RSA or Diffie-Hellman (DH) keys less than 900 bits long.

If possible, use a corresponding service with a more updated server.
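The three blocking criteria can be applied mechanically to a connection description in the format quoted earlier ("TLS v1.0 128 bit C4 (1024 bit RSA/SHA)"). The following Python sketch is an added example, not Opera's code. The string grammar is inferred from that single sample, and every other sample string is constructed.

```python
import re

# Grammar assumed from the one sample string quoted on this page.
SUMMARY = re.compile(
    r"(?P<proto>TLS|SSL) v(?P<ver>\d+(?:\.\d+)?) (?P<bits>\d+) bit (?P<cipher>\S+) "
    r"\((?P<kx_bits>\d+) bit (?P<kx>\w+)/(?P<mac>\w+)\)"
)

# The first entry is the page's sample; the rest are constructed for illustration.
SAMPLES = [
    "TLS v1.0 128 bit C4 (1024 bit RSA/SHA)",
    "SSL v2 40 bit C4 (512 bit RSA/MD5)",
    "SSL v3 56 bit DES (1024 bit RSA/SHA)",
    "TLS v1.0 128 bit AES (768 bit DH/SHA)",
]

def block_reasons(summary):
    """Return the listed criteria that this connection description matches."""
    m = SUMMARY.fullmatch(summary.strip())
    if m is None:
        # Refuse to guess: an unparsed description must not be treated as acceptable.
        raise ValueError(f"unrecognised connection summary: {summary!r}")
    reasons = []
    if m["proto"] == "SSL" and m["ver"].split(".")[0] == "2":
        reasons.append("SSL v2 protocol")
    if int(m["bits"]) in (40, 56):
        reasons.append(f"{m['bits']} bit encryption key")
    if m["kx"] in ("RSA", "DH") and int(m["kx_bits"]) < 900:
        reasons.append(f"{m['kx_bits']} bit {m['kx']} key exchange")
    return reasons

if __name__ == "__main__":
    for s in SAMPLES:
        reasons = block_reasons(s)
        print(f"{s}: {'BLOCK: ' + ', '.join(reasons) if reasons else 'allowed'}")
```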
