New Security Features in Opera 8
Security Certificates
Authors: Andrew Gregory & NonTroppo
Opera 8 now goes one step further in ensuring your browsing security. Where most browsers just tell you that you have a secure connection, Opera will tell you that, but also tell you the name of the organisation the security certificate belongs to:
You can see the site address is "bmtmicro.com" and the certificate was issued to "BMT Micro, Inc.". Hovering your mouse over the yellow indicator will display a tooltip telling you the strength of the encryption the site is using (the more bits the better). Clicking on the yellow indicator shows you the certificate details:
Even more details are available if you want to view them! Just click on the Details tab.
This information make is easy to tell if the level of security is high, and if the certificate holder is related to the business you think you're dealing with. You can also see the dates the certificate is valid for.
Popup Windows
Many sites present logins and other sensitive pages as popup windows. Normally, these windows do not show the browser toolbars, which makes it hard to see information about the page, especially the address. This can be dangerous as you may be fooled into thinking a popup window is from a trusted site (like a bank), when it is not. Opera makes sure you know exactly where the window is coming from by showing a bar at the top of the page with the site address:
In this secure bank login, Opera shows you (in yellow at the top) the real address of the page (the domain www.ebank.hsbc.co.uk), and the owner of the security certificate (HSBC Holdings plc [GB]). The makes sure you can easily verify whether the page is really what you think it is. Clicking this bar opens the full address toolbar for the page.
International Domain Name Spoof Protection
Opera, along with most other modern browsers, has support for internationalised domain names (IDN). This means that web addresses can use regional characters, so the Swedish Red Cross can use characters like ö that occur in Swedish: http://www.rödakorset.se/. This is important for the globalised web, as it does not discriminate against most other languages that don't use Eglish characters (called ASCII).
But it was also soon realised that there is a possibility to misuse this:
Happy vs. Hаppy
These two words look the same, but they are not! The second happy uses a letter from the Cyrillic (Russian) alphabet "а" that looks almost identical to the English (ASCII) "a", but it is not the same letter (they are known as homographic letter-forms). This is a problem because I can write ebаy.com that looks like ebay.com but it isn't the same! This is a very thorny problem, because there are many combinations of characters in all the rich diversity of written letter forms of the World. And most of those are valid (even combinations from different alphabets), but still there is a possibility to abuse it.
Opera has come up with the most advanced solution to this conundrum so far.
- Trusted Domain Whitelists: First of all, a large burden of the responsibility lies in organisations that register new domain names for web sites. It is their duty to make sure someone cannot register ebаy.com. Some top level domain registrars have implemented strict policies to check and guard against such fraud. Opera has created a whitelist of trusted domains where such policies occur (these are currently no, jp, de, se, kr, tw, cn, at, dk, ch, li, museum & hu).
- Character Combination Restrictions: Outside of the trused domains, Opera has implemented a restriction to which characters can be combined. In the example above, Opera will not allow ASCII to be combined with Cyrillic, and ebаy.com therefore becomes xn--eby-7cd.com (called ASCII punycode). Other combinations are allowed however, so Chinese and Japanese characters (which are often mixed) are allowed to combine: http://見つけた.jp/.
- Reverse Spoof Protection: In browsers which simply show the ascii punycode without any other controls like FireFox (Mozilla), a site like http://rödakorset.se/ is alway shown using the ASCII punycode http://xn--rdakorset-07a.se. However what if a malicious party decided to register xn--rdakorset-07a.se as their domain. Users of such browsers will then be unable to tell the difference. Opera is largely impervious to such a reverse spoof attack because it would not have shown the punycode in the first place.