Tutorial: Security and Privacy in Opera

Online version: http://www.opera.com/support/tutorials/security/

Opera helps you protect your privacy and security while surfing the Web. This tutorial covers Opera's security and privacy features and teaches you how to guard your browsing habits from prying eyes, as well as protect your personal information on-line. Opera's default security settings are fine for general use. But if you are concerned about protecting your browsing habits and personal information to the utmost, the tutorial will teach you how to make the most of Opera's features.

The tutorial mainly concerns itself with on-line security and privacy. If you would like advice on privacy and security limitations caused by others having physical access to your computer or a shared user account, please see the last chapter: Using a shared computer.

This tutorial was last updated for Opera 8.5.

Table of Contents

  1. Viruses and Spyware
  2. Downloads and Filetypes
  3. Multimedia and Scripting
  4. Shopping and Transactions
  5. Privacy and Cookies
  6. Network and Proxies
  7. Using a shared computer

For users of Opera versions prior to 8.5, there is also a section on advertisements in Opera.

Viruses and Spyware

There are several things you can do to guard against viruses. First, you should have reputable virus protection software installed on your computer. Your local computer dealer has these for sale, or you can download them from vendors' Web sites.

However, you should also protect your computer against spyware: applications made to track your computer and on-line activities. Such applications often sneak into your computer as parts of other, seemingly harmless, software packages. Some of these applications may also harm your computer in other ways.

Note: Once you have this software installed, it is vital to keep it updated regularly. New viruses and spyware appear constantly.

Keeping malware out

We will, from now on, assume you have anti-virus and anti-spyware controls installed. But that is your last line of defense. The best way to prevent your computer from being infected is to keep your computer from having to counter sources of infection. Viruses, spyware and other software that may harm your computer are collectively known as malware.

  • Only download files from reputable sources. Try to research other users' experiences with applications.
  • Be wary of e-mail attachments. Do not open anything unless you are certain it is safe. Messages with viruses in them will often pretend to be sent from someone you know, so a known sender is not a guarantee that the attachment is safe. If in doubt, send your contact a message and ask "Did you really send this to me? What is it?"
  • Be particularly careful with file types that have been known to carry viruses; see Potentially hazardous file types.

Virus myths

You may at times receive virus "warnings" from friends or colleagues. These "warnings" are almost as common as viruses themselves, and in most cases the warnings are hoaxes. You may receive an e-mail warning of a virus that can be carried in the text of an e-mail. This is not true. A virus cannot be passed to you in the text body of a message. If you are using Opera's e-mail client, the only way you can receive a virus by e-mail is as an attachment that you open.

Downloads and File Types

Opera handles a large number of varying file types, including HTML files, graphical files such as JPEG and GIF, and other types of files which it cannot use by itself. These include PDF documents and word-processor documents, which can end in SXW, RTF, DOC, or any of a dozen other extensions. For certain file types, Opera needs multimedia plug-ins.

Configuring settings

By default, Opera will determine how to handle a file by its MIME type. MIME types are descriptions used by Web servers to identify files to browsers. This is the most secure way of receiving content on the Internet. There is a second option, however: you may choose to let Opera use the file's extension to decide which action to take when the MIME type is not reliable. This option is less secure than the default.

Some MIME types are intended as generic types, such as "text/plain" and "application/octet-stream". If a server is not specifically set up to handle a certain kind of content, these generic MIME types are often used. This means that sometimes a video file in an MPEG format will be sent using the "text/plain" MIME type. If you have chosen to determine action by file extension, Opera will nevertheless recognize the video file's extension (such as ".mpg"), and handle it according to your settings for .mpg files.

However, sometimes the file type indicated by the extension is not the file type that the browser interprets. This is due to an HTTP header called "content-disposition," which can assign a new name to the file you are downloading. Therefore, if you enable the option to determine file type by extension, pay close attention to the file name in "Open" and "Save" dialog boxes and make certain the file is not of a different kind than expected. If it is, do not open or run the file.

Handling file types

A sensible basic rule is not to let Opera open any file types that the browser itself cannot handle. Keep in mind that letting Opera launch files in other programs automatically makes the browser as insecure as the least secure of the other programs that you use. In other words, configuring Opera to automatically open ".doc" files in Microsoft Word makes your computer vulnerable to macro viruses that can run in Word documents and cause great damage to the computer system.

Note: When viruses attach to other files, they will often add their own extension after the original file extension and thus try to masquerade as a different file type. Before opening downloaded or received files, make sure they only have one, reliable extension.

Potentially hazardous file types

Most of these file types can do no damage to Mac and UNIX operating systems. The known exception is macro viruses.

.exe
Files ending in this are executable files, applications unto themselves. Viruses of this type can do anything a regular application can do, including deleting files on your computer. Executable files will very rarely be used legitimately as attachments. Never run .exe files you do not know the contents of.
.pif
A PIF is a program information file that contains the necessary information for running DOS applications. Executable files can also be renamed to .pif and remain functional, which means that .pif files should be treated with at least the same caution as .exe files.
.com
This file type is less common, but it is also a form of executable file. Note that this applies to .com as a file extension only, and not to Web sites ending in ".com".
.vbs
These three letters are short for "Visual Basic Script". The infamous "I love you" virus was a VBS file. This type of virus requires that your computer be capable of running Visual Basic scripts. Most computers running Microsoft Windows are, while Linux users have no worries here.
.bat, .cmd
Batch files that run DOS commands have the .bat extension. Files ending in .cmd are Windows NT script files. Both may, if infectious, cause harm to your computer system.
.doc, .xls, .ppt
These extensions, used by Microsoft Office documents (Word, Excel, and PowerPoint, respectively), can carry a special type of virus called a macro virus. The important thing to know is that macro viruses can live in such documents, and that they can do almost as much damage as viruses in files that end in ".exe".
.rtf
RTF stands for "rich text format," and is quite common as a document format. Documents ending in ".rtf" can, however, be Microsoft Word documents in disguise (with the extension changed). The same precautions should therefore be taken for these documents as for any .doc document.

Note: If you are not familiar with the extension of a file you receive and are not certain which program it will open in and whether it may cause harm, do some research before deciding what to do with it. For an overview of file extensions on Windows, Mac and UNIX, try file-ext.com.
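The checks described under "Configuring settings" and "Handling file types" (a name reassigned by content-disposition, a generic MIME type, a second extension added after the original one) can be run over a download's response headers before the file is opened. The following is an added example, not part of the original tutorial or of Opera's code; the function names and the sample URLs and headers are constructed for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit

# Extensions from the "Potentially hazardous file types" list on this page.
HAZARDOUS = {".exe", ".pif", ".com", ".vbs", ".bat", ".cmd",
             ".doc", ".xls", ".ppt", ".rtf"}
# Generic MIME types the tutorial names; they say nothing about the content.
GENERIC_MIME = {"text/plain", "application/octet-stream"}


def disposition_filename(header_value):
    """Return the filename from a Content-Disposition header value, or None."""
    if not header_value:
        return None
    msg = Message()
    msg["Content-Disposition"] = header_value
    name = msg.get_filename()
    if not name:
        return None
    # Keep only the last path component, whichever slash the server used.
    return posixpath.basename(name.replace("\\", "/"))


def suffixes(filename):
    """Lower-cased dot-suffixes: 'holiday.mpg.exe' -> ['.mpg', '.exe']."""
    parts = filename.lower().rstrip(". ").split(".")
    return ["." + part for part in parts[1:] if part]


def inspect_download(url, content_type, content_disposition=None):
    """Return (name shown in the Open/Save dialog, {finding: explanation})."""
    url_name = posixpath.basename(unquote(urlsplit(url).path))
    shown_name = disposition_filename(content_disposition) or url_name
    mime = (content_type or "").split(";")[0].strip().lower()
    url_ext = (suffixes(url_name) or [""])[-1]
    shown = suffixes(shown_name)
    shown_ext = (shown or [""])[-1]
    findings = {}

    if mime in GENERIC_MIME:
        findings["generic-mime"] = (
            f"{mime} does not identify the content; the extension decides")
    if shown_name != url_name and shown_ext != url_ext:
        findings["renamed"] = (
            f"content-disposition changed {url_name!r} to {shown_name!r}")
    if shown_ext in HAZARDOUS:
        findings["hazardous"] = f"{shown_ext} is on the hazardous list"
        # Heuristic (an assumption): a 2-4 letter suffix before the real one
        # looks like an original extension that something was appended to.
        if len(shown) > 1 and shown[-2][1:].isalpha() and 2 <= len(shown[-2]) - 1 <= 4:
            findings["double-extension"] = (
                f"{shown[-2]} is followed by {shown_ext}")
    return shown_name, findings


# Constructed sample responses: (URL, Content-Type, Content-Disposition).
SAMPLES = [
    ("http://downloads.example/media/holiday.mpg", "text/plain", None),
    ("http://downloads.example/media/holiday.mpg", "video/mpeg",
     'attachment; filename="holiday.mpg.exe"'),
    ("http://docs.example/manual.pdf", "application/pdf", None),
]

if __name__ == "__main__":
    for url, ctype, disp in SAMPLES:
        name, findings = inspect_download(url, ctype, disp)
        print(name, sorted(findings) or "no findings")
```
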

Multimedia and Scripts

The settings in Preferences > Advanced > Content allow you to set up external applications that Opera can use to enhance your browsing experience.

Plug-ins

Plug-ins are external applications that Opera can use to display images and video clips, show files, or play sounds that the browser is not able to handle by itself. Some of the most popular plug-ins are Macromedia Flash, QuickTime, and Adobe Acrobat.

Plug-ins are essentially separate applications. Therefore, Opera's various security settings will have no effect on how plug-ins work. It's a good idea to do your homework before installing new plug-ins. For example, a plug-in like RealPlayer can make use of cookies, and Opera's cookie settings will have no effect on these.

To see a list of installed plug-ins, open the built-in plug-in overview. Note that Opera for Linux has a separate preference window for installing and locating plug-ins.

Please keep in mind that any plug-in you add is an application installed on your computer. As always, protect your computer and download software only from reputable sources.

JavaScript

JavaScript (or actually ECMAScript) is a means of embedding executable content in Web pages. It is used for everything from making image links change when your mouse hovers over them, to receiving and sending cookies.

These scripts are completely safe most of the time, but they have been used for malicious purposes. JavaScript should not be able to access applications and information outside the Web page it resides on, but if you still fear JavaScript abuse, you can choose to disable it. You can also put some limits on what Opera should let the script do, e.g., resize or move windows, by clicking "JavaScript options". And you can choose to have the JavaScript console displayed should there be an error.

If you completely disable JavaScript, however, some sites may report errors, fail to display vital content such as menus or even shut you out. Remember that JavaScript is easily toggled on and off by way of Opera's "Quick preferences", which is displayed by pressing F12.

Java

Java is considered to be very secure today. If Java is installed and enabled in Opera, your system is unlikely to face security problems relating to Java. However, if you are still concerned that Java might be a security risk, disable it here. Enabling Java is also a Quick preferences option.

More information

Please see our support pages for more information about

Shopping and Transaction Security

Opera is designed with the most advanced and widespread security measures available, making on-line purchasing simple.

Some sites may greet you with a page saying something along the lines of "You do not have a secure browser; please download Netscape Communicator or Internet Explorer." The site designer may, mistakenly, believe that only those browsers support advanced security, although Opera has levels of security that are as good as or superior to these browsers.

Changing how Opera identifies itself will often allow you to circumvent this problem: press F12 to display the Quick Preferences dialog box, then use Edit site preferences > Network, and select to "Identify as" Mozilla or Internet Explorer. When you have selected one of these alternatives, go back to the page you were attempting to enter.

Before you enter any information about yourself, especially credit card details, look for the security bar that should appear on the address bar. On the security bar, there should be an icon that looks like a locked padlock. If you hover your mouse over the icon, you will see what kind of encryption the site uses. The organizational name of the security certificate holder should appear beside the padlock icon. See our advisory for more information. Additionally, clicking on the security bar should show the security certificate information.

Some Web sites will open a separate window with the address bar hidden. In this case, Opera will display the security bar as a collapsed address bar that shows the domain that the window belongs to. Before you enter any sensitive information, check that the domain matches the domain that you were expecting. You can also click the collapsed address bar to show the full address bar, and security bar.

Opera supports internationalized domain names (IDN), which allows domain names in languages such as Russian and Chinese to be written in their own native scripts. Opera will only allow certain combinations of scripts to be displayed in localized characters, unless the top level domain is trusted. Trusted top level domains are selected if they have established strict policies on the domain names they allow to be registered.
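The display rule described above (show a name in its native script only when its mix of scripts is acceptable or its top-level domain is trusted, otherwise fall back to the encoded ASCII form) can be sketched as follows. This is an added example, not Opera's implementation: the trusted-TLD set, the list of accepted script mixes and the host names are assumptions constructed for illustration, using the reserved `.example` and `.invalid` domains.

```python
import unicodedata

# Assumption: TLDs whose registries are treated as having strict policies.
# ".example" is a reserved placeholder, not a real registry.
TRUSTED_TLDS = {"example"}
# Assumption: script mixes accepted inside one label. A label written in a
# single script is always accepted.
ALLOWED_MIXES = [
    {"LATIN", "CJK", "HIRAGANA", "KATAKANA"},
    {"LATIN", "CJK", "HANGUL"},
]


def to_unicode(label):
    """Decode an 'xn--' label to its native-script form; pass others through."""
    return label.encode("ascii").decode("idna") if label.startswith("xn--") else label


def to_ascii(label):
    """Encode one label to the ASCII form that is sent on the wire."""
    return label.encode("idna").decode("ascii")


def scripts_in(label):
    """Set of script names used in a label, ignoring digits and hyphens."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        # The first word of the Unicode character name is its script,
        # e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def display_form(hostname):
    """Return (text to show in the address bar, reason)."""
    labels = [to_unicode(l) for l in hostname.lower().rstrip(".").split(".")]
    unicode_form = ".".join(labels)
    ascii_form = ".".join(to_ascii(l) for l in labels)
    if unicode_form.isascii():
        return ascii_form, "ascii"
    if ascii_form.rsplit(".", 1)[-1] in TRUSTED_TLDS:
        return unicode_form, "trusted-tld"
    for label in labels:
        used = scripts_in(label)
        if len(used) > 1 and not any(used <= mix for mix in ALLOWED_MIXES):
            # Mixed scripts under an untrusted TLD: show the encoded form so a
            # look-alike letter cannot pass for the expected one.
            return ascii_form, "mixed-script"
    return unicode_form, "script-ok"


# Constructed host names; \u0430 is CYRILLIC SMALL LETTER A, which looks
# like the Latin letter "a".
SAMPLES = ["www.opera.com", "ex\u0430mple.invalid", "ex\u0430mple.example",
           "bl\u00e5b\u00e6r.invalid"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(display_form(host))
```
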

What is encryption?

Encryption is a way of scrambling information so that only a legitimate recipient of that information can make it readable again. The most common form of encryption today is public key/private key encryption. Imagine a strongbox that has two keyholes and two separate keys. If you lock the box using one key, you can only unlock it with the other.

Security protocols

When you hover over the padlock icon while visiting a secure server, you will see a string of text that looks something like this: TLS v1.0 128 bit C4 (1024 bit RSA/SHA)

The first three letters will show what security protocol is used on the site. There are four common security protocols; in order from good to best, these are SSL version 2, SSL version 3, TLS 1.0, and TLS 1.1.

SSL
SSL stands for "secure sockets layer". SSL version 3 is better than version 2, which is being phased out and is only used by a small number of Web sites these days.
TLS
TLS is short for "transport layer security", a security protocol based on SSL. This is considered the most secure protocol in common use today.

Levels of encryption

When you send or receive information from a site where Opera's icon displays "Secure", Opera and the Web site use a secret one-time key before sending the information. When you entered the secure page, Opera and the Web site used public keys to agree on that secret key. That is called a handshake. The key encrypts all the information sent and is used for this session only.

The level of encryption depends on the available key space, which means the number of possibilities when generating keys. The more possible keys, the higher the security. For session keys, the most powerful form of encryption available in browsers today is 256-bit encryption. Although Opera supports as much as 3072-bit encryption when generating key pairs (a public key and a private key), some secure sites may not support this level of encryption. Opera's default setting of 1024-bit encryption should work with most secure sites.

The number on the padlock icon signals the level of encryption. Three dots means that the Web site has a high level of security. When rating the security level of a secure document, Opera takes into consideration the following:

  • Everything loaded with the page, including images, frames, and redirects
    • Insecure images will automatically result in a level one rating
    • Other insecure content (such as scripting) will result in level zero
  • The size of the symmetric key
  • The server's public key size

Only documents using the most secure methods, 3-DES or 128-bit C4 and public keys larger than approximately 900 bits, get a level three rating.

Adding certificates

Reputable on-line merchants have their public keys signed by authorities, which are trusted security firms. These firms issue digital certificates that contain the public key, signed in a way that can be automatically proven. To display your current list of authorities, click "Manage certificates". Opera, like all secure browsers, comes with a set of certificates. Most of the time, certificates are fully valid, and if there is something questionable about a certificate, a warning dialog will be displayed. You may choose to proceed, but full security cannot be guaranteed at this point. Warnings may say:

  • Server certificate expired. Certificates have expiry dates, and they must be renewed on a regular basis by the people maintaining the site. Accepting an expired certificate does not necessarily reduce security, but consider the site you are visiting and how long it has been since the certificate expired, before accepting.
  • Wrong certificate name. A certificate is issued by an authority for a single site to use, and sites cannot borrow certificates from each other, as this invalidates the whole concept of certificates. Accepting a certificate belonging to another site is not recommended.
  • Certificate signer not found. If the signer of a certificate is not found in your list of authorities, only accept the certificate if you are absolutely confident that whoever is running the site in question can be trusted.

Some certificates are self-signed, which means that they are signed by the Web site owners themselves, and not an authority outside the organization. If you know that the signer can be trusted, and you want all sites using this signer to be considered as safe, install the certificate to add the signer to your list of authorities. Trusting self-signed certificates from, for example, your employer can be considered safe.

It is unlikely that you will need to upgrade Opera's existing certificates, as most of them will not expire for a decade or more. The necessary updates are taken care of with each new release of the Opera browser.

E-mail security

If you leave the authentication type for your login as "Auto", Opera will try the most secure authentication available and then work its way down the list should the first type fail. The authentication types available to you will depend on the mail server. Note that this will not encrypt your actual mail data, only your login. See the Opera Mail tutorial for information on using TLS or SSL to encrypt e-mail.

More Information

For more information about encryption, please read our knowledge base article on encryption levels. We also recommend our security in Opera page.

Privacy and Cookies

The settings in Tools > Preferences > Advanced > Network and Tools > Preferences > Advanced > Cookies determine how Web servers handle and monitor your net activities.

Referrer logging

Some Web sites register the site that referred you to them. This information can be used to control content by delivering documents that have some bearing on the site that you came from. If you prefer not to allow a Web site to know where you were before visiting it, especially if you were on a local, secure, or restricted site, disable this option. Note, however, that some sites depend on referrer logging internally.

Enable automatic redirection

Sometimes a site might redirect your browser to a different URL, often because the site has moved. Leaving this option enabled does not constitute a big security risk, but turn it off if you want complete control of what sites you visit.

What are cookies?

Cookies are: Strings of text, pieces of information stored in files, that Web servers store on your computer when you are browsing. These files let the same servers recognize your computer the next time you visit their sites.

Cookies are not: Viruses. They cannot cause direct damage to your computer system in any way, but they can record your browsing habits in intrusive manners and trace your movements across different Web sites.

Some sites use cookies to store your user name, which means, for example, that for 10 hours after you log in with your password, you will not have to retype your password when you check your e-mail. This is a convenience, but it can also be a security hazard if others have access to the computer you are using.

Another use of cookies is to store information about the pages in a site that you have visited previously. This allows a Web site to customize itself with fresh content, rather than showing you the old material, and to present you with content you might be interested in based on what you have already viewed on the site.

Note that the "Use cookies to trace password-protected pages" option in the privacy preferences does not affect Internet activity; it merely uses the cookies saved to remove password-protected pages from your cache, and is thus mainly of interest if you are using Opera with a shared user account.

Invalid cookies

There are types of cookies that Opera will refuse regardless of whether you have set the browser up to handle all cookies. These are cookies set for top-level domains: domains ending in .com, .net, and .org, among others. Such cookies are considered invalid or illegal and are blocked because:

  • Any Web site could read such a cookie's contents; it would have unlimited access.
  • The only use for such cookies is to track surfers across the Web.

Opera will not let you accept these cookies.
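The rule above, refusing a cookie whose Domain attribute names a top-level domain, can be expressed as a check on each Set-Cookie header. This is an added example and not Opera's code; the suffix set, function names and sample headers are constructed, and "co.uk" is included as an assumption to show that a registry suffix can have two labels.

```python
from http.cookies import SimpleCookie

# Constructed sample of registry-controlled suffixes. The tutorial names
# .com, .net and .org; "co.uk" is an added assumption. A complete check
# would load a full list of such suffixes.
REGISTRY_SUFFIXES = {"com", "net", "org", "co.uk"}


def cookie_verdict(request_host, domain_attr):
    """Classify one cookie by the Domain attribute the server asked for."""
    host = request_host.lower().rstrip(".")
    domain = (domain_attr or "").lower().strip().strip(".")
    if not domain:
        # No Domain attribute: the cookie goes back to this host only.
        return "host-only"
    if "." not in domain or domain in REGISTRY_SUFFIXES:
        # Every site under the suffix could read it: the invalid case.
        return "reject-top-level"
    if host == domain or host.endswith("." + domain):
        return "accept"
    # The server is asking to set a cookie for a domain it is not part of.
    return "reject-foreign"


def check_set_cookie(request_host, set_cookie_value):
    """Return {cookie name: verdict} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return {name: cookie_verdict(request_host, morsel["domain"])
            for name, morsel in jar.items()}


# Constructed responses: (host that sent the header, Set-Cookie value).
SAMPLES = [
    ("shop.example.com", "track=abc123; Domain=.com; Path=/"),
    ("shop.example.com", "sid=1; Domain=example.com; Path=/"),
    ("shop.example.com", "sid=1; Path=/"),
    ("shop.example.co.uk", "track=abc123; Domain=co.uk"),
    ("shop.example.com", "x=1; Domain=other.example.net"),
]

if __name__ == "__main__":
    for host, header in SAMPLES:
        print(host, header, check_set_cookie(host, header))
```
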

Configuring cookie settings

Opera allows for a wide range of cookie setups. You can allow all cookies to be stored on your computer. You can refuse to store any cookies. Or, you can selectively allow certain cookies and certain types of cookies.

Your first option is whether to enable cookies at all. Note that you may have difficulties logging on to a significant number of Web sites if you leave this unchecked.

The next step is deciding which cookies to accept and which to refuse. You can choose to allow only cookies that are set by the Web site you are visiting, not by any other sites whose content is displayed in frames or via images on the current page. You can choose to be prompted every time you receive a cookie, and to delete all new cookies when exiting Opera.

Managing cookies

Clicking "Manage cookies" takes you to your Server Manager, which lists all the domains you currently have cookies from. You can add new domains, delete the domains you do not wish to keep cookies from and edit cookie settings specifically for each server.

These cookie settings are also available on any site, using site preferences: Tools > Quick preferences > Edit site preferences.

More information

For more information, we recommend our security, privacy and cookies page.

Network and Proxies

The network settings that may affect your security and privacy mainly have to do with proxy servers. A proxy server collects information from the Internet and stores it locally, making the information available for viewing by anyone using the proxy server. If your Internet service provider (ISP) has a proxy server available, configuring Opera to go through this proxy could speed up your surfing.

Proxy Server Settings

HTTP and HTTPS

Do not use a proxy server for HTTP or HTTPS unless you have particular reasons to do so. Opera is more than suited to handle these protocols. HTTPS is the secure version of the hypertext transfer protocol, and Opera can handle the highest levels of Internet security available. If you use a proxy server to handle HTTPS content, you are reducing your computer's level of security to that of the weakest application, which could be your proxy server.

Most HTTPS proxies simply pass on data and do not save or interpret the information that passes through them. This is because the information is encrypted. In special cases, it is possible for a proxy server to decrypt the information and act as a man in the middle. In such cases, Opera will display a warning unless you have already accepted and installed a certificate for the proxy in question.

Other settings

Advanced users may want to use a proxy server for most sites, but exclude some. This option is available and is activated by selecting "Do not use proxy on the addresses below". If you want to access certain sites directly, Opera will not use a proxy server for the Internet addresses you specify.

More information

Ask your system administrator or ISP for more information about proxies, or find more information about network and proxies in Opera's knowledge base.

Security and Privacy on a Shared Computer

Are you sharing your computer with colleagues, family, or co-habitants? Do you surf with Opera on publicly accessible computers? This page holds some tips for maintaining privacy within the same computer and user account.

Shared Computer

First of all, when installing Opera on a multi-user Windows computer, make sure to opt for separate user directories during install. This will ensure that your settings, e-mail, Wand passwords, history, and so forth, are stored in your own user directory only. Remember that this may be of little use if other users have administrator privileges on the same machine, unless you protect your files by other means.

Shared Account

If the same user account is being used by several people, for example in a library, there are other precautions to take that will help guard your privacy.

When using Opera on a shared user account, the following features may raise privacy concerns, and you should consider whether you want to disable them, avoid them, or use them with caution:

  • E-mail, Usenet news, newsfeeds, and chat (Tools > Mail and chat accounts and Feeds > Manage feeds to disable)
  • The Wand (Tools > Preferences > Advanced > Security to disable or set master password, and Tools > Preferences > Wand to manage stored passwords)
  • Auto-completion of forms (Tools > Preferences > Wand should be kept empty or used for generic, non-sensitive information only)
  • Saved sessions and "Continue from last time" (use Tools > Preferences > General to set Opera to start with your home page and disable the start-up dialog)
  • User JavaScript (use Tools > Preferences > Advanced > Content > JavaScript options to clear the "My JavaScript files" field). Note that User JavaScript is not loaded on secure pages.

History and Cache

All browsers keep records of where you have been on the Internet, and even store Web pages and other files (such as graphics) in a local folder known as the cache. Your cache folder can thus contain sensitive information. If you do not want other users to know about certain sites that you have visited, your history may point them to these sites, and your cache may contain local copies of the content of those sites.

If you do not want Opera to store your history, go to Tools > Preferences > Advanced > History and set the number of both typed-in and visited addresses to be stored to 0. You may also set the cache to "Empty on exit", which means that it will be cleared when Opera is closed.

Cookies

Note that cookies are often used to simplify logins, remember personal information in Web forums and so forth. Such cookies should not be passed on to the next user. The easiest means of avoiding this is to clear all cookies before closing Opera. This, too, can be automated. Go to Tools > Preferences > Advanced > Cookies and opt to clear all new cookies on exit.

Tracing password-protected pages

After you log on to a password-protected site, your browser will store the pages you have visited in your local cache where other people may find them. Enabling Tools > Preferences > Advanced > Cookies > Use cookies to trace password-protected pages makes Opera tag the cookies of the documents that were viewed after you logged in and automatically delete them from the cache when you close the browser. The Web addresses of these pages will never appear in your global history, and they will be removed from your list of typed-in addresses. Note that this option does not remove the cookies themselves.

Delete private data

Whether or not you have automated these processes, you can use Tools > Delete private data at any time to clear the history, cache, and cookies. You may also want to empty the list of transferred files if you have downloaded any files that did not open directly in the browser.