Saturday, June 28, 2008

The Opera House and its Bouncer

The Opera browser has remained one of my favorite alternative browsers.

Sure, Mozilla’s Firefox web browser remains my favorite one, by the pure fact that I can customize the heck out of it with a collection of add-ons that leverage its power for all the things I do on the web, but Opera is fast, slick and sexy.

If Internet Explorer is the family sedan, then Firefox would be a green-version of a Range Rover Sport while Opera would be the Lotus Elise kept around for pure fun.

The Opera Desktop Team has been hard at work making additional refinements to their newest browser release, version 9.5. It is pretty hard to ignore. Certainly it runs circles around Apple's Safari beta for Windows and even beats out Firefox 3.0, although that probably isn't difficult to do with all the add-ons that quickly get piled onto Firefox.

Opera 9.51 RC 2 – fixes some security status items, a Yahoo! Mail crash problem, other crash event triggers and style-sheet loading.

Opera 9.51 RC 1 – fixed drag/drop tab problems, menu rendering over at deviantart.com, display of new feed additions.

In addition, I’ve done some more reading, and this Washington Post Security Fix blog post by Brian Krebs offers great insight into Opera’s approach to browser-based malware/website blocking.

Opera 9.5 Offers Anti-Malware Protection - Security Fix

Firefox 3.0 currently operates its “phishing/attack-site” blocking by periodically downloading a SQLite URL list from Google’s servers. It cross-checks links against this list and presents intercept alerts to the user if a match is found. It’s not foolproof, but a good start. For more information see this GSD post Small Steps by Google...Big Help in Firefox 3.

Anyway…according to Brian’s post, Opera uses an on-line tie-in to Haute Secure’s black-lists.

Each time you browse to a new link, Opera will send a micro-packet (less than 1 kb) to Haute asking for a cross-check. If no match is found, the link is loaded. If a match is found, the link is blocked with a warning. This packet traffic flows back and forth to the host sitecheck2.opera.com.

Haute uses its own proprietary collections from internal research and indexing efforts but also supplements them with information from Google, Spamhaus, and PhishTank.com.

Constantly sending a packet check to Haute might raise privacy concerns. Haute responded in the post comments that they do not send, collect, or store any personally identifiable information.

Antibozo commented that he ran some detailed behaviour monitoring tests. Very interesting stuff. There was an interesting detail observed. “Every page loaded is checked” isn’t exactly accurate. What antibozo found was that only the primary domain address was checked and it wasn’t rechecked on subsequent same-session visits in the browser. The results of the packet response are indeed cached per domain for each session to improve performance, as confirmed in the post comments by Opera Software representative Christer Mjellem Strand.

I don’t know the methodology of site indexing but it is conceivable that a site domain could be legitimate but a sub-domain or page could have been seeded with malicious content, thus allowing the user to browse onto the page unaware.
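To make the per-domain, per-session caching and the coverage gap described above concrete, here is a small simulation added for illustration. It is not Opera's or Haute Secure's code and does not model their wire protocol; the class names, the `.example` hosts, the blocklist entries, and the per-URL comparison mode are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed blocklist for illustration: one whole host, one single page.
BLOCKLIST = {
    "bad.example",                      # entire host is listed
    "shop.example/promo/update.html",   # one page on an otherwise clean host
}

class ReputationService:
    """Stand-in for the remote lookup service; counts queries it receives."""
    def __init__(self, blocklist):
        self.blocklist = blocklist
        self.queries = 0

    def is_listed(self, key):
        self.queries += 1
        return key in self.blocklist

class SessionChecker:
    """Checks a URL before load and caches verdicts for the session."""
    def __init__(self, service, per_host=True):
        self.service = service
        self.per_host = per_host   # True: look up the host only
        self.cache = {}            # lookup key -> listed? (session lifetime)

    def _keys(self, url):
        parts = urlsplit(url)
        host = parts.hostname or ""
        return [host] if self.per_host else [host, host + parts.path]

    def allowed(self, url):
        for key in self._keys(url):
            if key not in self.cache:          # only uncached keys hit the network
                self.cache[key] = self.service.is_listed(key)
            if self.cache[key]:
                return False
        return True

def run_session(per_host, urls):
    """Return (allow/block verdict per URL, number of remote lookups sent)."""
    service = ReputationService(BLOCKLIST)
    checker = SessionChecker(service, per_host)
    return [checker.allowed(u) for u in urls], service.queries

# Constructed browsing session: three pages on one host, then a listed host.
SESSION = [
    "http://shop.example/",
    "http://shop.example/catalog",
    "http://shop.example/promo/update.html",
    "http://bad.example/index.html",
]
```

Running `run_session(True, SESSION)` and `run_session(False, SESSION)` side by side shows the trade-off: host-only checking sends fewer lookups and reveals less browsing detail to the service, but it loads the listed page on the clean host.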

More “official” details on Opera’s browsing protection feature: Opera Fraud Protection

As with Firefox 3.0’s anti-phishing and “attack-site” protection, the similar features in Opera can be manually turned off in the options.

Finally, tests that Brian did by purposely browsing to pages of known malicious content found a poor blocking rate. Hopefully that detection rate will improve as Haute and the other Opera partners in this area continue to refine and expand their lists.

Certainly interesting information and I appreciate Brian, Christer, and antibozo's work in teasing it out.

--Claus
