
Opera 9.5 Offers Anti-Malware Protection

Opera Software today shipped a new version of its Web browser that the company says will help protect users from Web sites that try to install malicious software. The new version, Opera 9.5, is available here.

Opera is the latest browser maker to include anti-malware capabilities. The beta versions of both Internet Explorer 8 and Firefox 3 include similar features.

Opera spokesman Thomas Ford said the new software's malware-blocking capability comes from Seattle-based Haute Secure, a security company started by four former Microsoft employees. If an Opera user tries to visit a site included on Haute's blacklist, Opera will display a fraud warning saying the page has been reported for distributing malicious software (see the screen shot to the right).

Ford noted that unlike Firefox, which each day downloads a list of dangerous sites provided by Google through a partnership with Stopbadware.org, Opera 9.5 consults Haute's database with each page loaded. Ford said the browser can handle the added communications without slowing down the browser -- even for dialup users -- because the packet sent to Haute's servers is tiny (less than 1 kb).

Haute marketing chief Steve Anderson said the company's database also is informed by feeds from Google, in addition to intelligence from Spamhaus and Phishtank.com. But he said the bulk of the blocked domains on its blacklist comes from its own indexing of malicious links and pages around the Web.

The new version of Opera feels quick, slick and fairly intuitive. But so far I've been underwhelmed by the malware-blocking feature. For my anti-malware test drive, I put the browser through the first page of links listed at malwaredomainlist.com (do NOT visit any of these links, as they are all dangerous and hostile). The browser blocked just two of the nearly three dozen active, malicious links on the first page.

I realize this is a very unscientific test, but some of these links are days old. Haute's Anderson said they were open to including additional sources of malware location data, and I would hope that Haute will consider expanding its blocklist to those featured at malwaredomainlist.com.

If you're a current Opera user and are hesitant to upgrade, here are a couple more reasons to go ahead: This release also plugs at least three security holes and some 2,350 bugs found in previous versions of the browser.

By Brian Krebs  |  June 12, 2008; 6:19 PM ET
Categories:  New Patches , Safety Tips  

Comments

So Opera now sends a continuously updated browser history (or at least domain names) to a remote third party? And they claim this is better than downloading a list and consulting it locally? Better for Haute, yes, I suppose. I wonder what kind of database they're building with that data.

If you are comfortable with this approach, you might as well use OpenDNS. It works with any browser. (For most folks I would recommend OpenDNS since they're already trusting an ISP's nameserver to the same degree anyway.)

Posted by: antibozo | June 12, 2008 9:06 PM

Opera is noticeably more secure than it used to be and it has a nice notes feature. Still, a whitelist based no script feature (like NoScript) would be much more valuable.

If you don't like Opera's key bindings, Elinks has built-in Javascript blocking and can also block other executable content. It has been successfully tested on all major platforms including ARM and OS X.

http://elinks.or.cz

Posted by: Singing Senator | June 12, 2008 10:40 PM

@antibozo -- I asked Opera and Haute about the privacy implications of this anti-malware service, and about what types of information would be shared. In fact, I meant to include their response in the body of the story.

Q: "How do you safeguard privacy?"

A: "Each packet transmits only the domain information, not the specific page. We send only that file. The IP address is visible as it would be with any Internet communication. But it is not embedded in the file we send and it is not logged. No personally identifiable information is transmitted nor stored."

"The only data that travels anywhere from the client is a single HTTP request, containing the domain name, as well as a hash of the domain name. The hash is used solely to identify that the request comes from an authentic Opera client, and also helps protect the integrity of the servers."

"The only information that is sent from the client is data that is already exposed through DNS, even for encrypted sites: the domain name. The actual matching is performed in the client, maintaining privacy of actual pages visited."

Posted by: Bk | June 12, 2008 10:51 PM

Brian,

Thanks for the followup.

Since not everything in the response sounds, shall we say, clueful (e.g. "We send only that file"), I downloaded Opera to test the behavior.

Here's what happens: each time you go to a new site, Opera connects to a host called sitecheck2.opera.com, and sends a request. The request for www.google.com looks like this [I hope this survives in the posted comment]:

GET /?host=www.google.com&hdn=AGZGLiBzId7nGTYe3dxEwA== HTTP/1.1

The "AGZ..." value is a base64-encoded 128-bit value. My guess is it's an MD5 HMAC based on "www.google.com" catenated with some secret ("The hash is used solely to identify that the request comes from an authentic Opera client..."). It would be quite easy to discover the secret for anyone who cares, so that doesn't really prove that the request is from an Opera client, but it sets a very low bar.

The response to this request is a short XML document with the hostname, what appears to be a time-to-live (consistently one hour), and either an okay status or, in the case of a malware site, a list of sources who have reported the site. Like you, I found it difficult to get Opera to complain about a site on malwaredomains.com but eventually I hit one.

An interesting thing I noticed was that when I visited an https site, the sitecheck2.opera.com traffic was also conducted over https. Another interesting thing I observed was that Opera does not wait for the sitecheck response before starting to fetch objects from a new site; in fact, sometimes it issued the first request to the new site before it issued a request to sitecheck. Hopefully it at least waits for the response before it starts rendering anything.

Opera's statement that Opera consults Haute "with each page loaded" is not correct. I returned to Google several times in my tests, and Opera never re-checked after the first visit. Presumably it would check again after an hour, but I didn't wait around to find out.

The statement that the checks are not logged, I cannot demonstrate to be false, but I would wager real money that they are in fact logged on the sitecheck2.opera.com web server, as they are simple GETs which any Apache (sitecheck2.opera.com claims to be Apache) will log automatically.

The statement that the data is already exposed through DNS, while technically true, is disingenuous, in that that data is not exposed to Opera or Haute Secure when you use any other browser.

Posted by: antibozo | June 13, 2008 4:23 AM
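The request/response exchange antibozo describes, modelled as an added Python example (this is not Opera's or Haute Secure's code). It assumes, as antibozo guesses, that the hdn token is an HMAC-MD5 over the host name under a key embedded in the client (CLIENT_KEY is a placeholder), constructs stand-in XML replies in the shape described (host, one-hour TTL, status, list of reporting sources; the element names are assumptions), and implements a per-domain cache keyed on the TTL, which is the behaviour antibozo observed when Google was not re-checked on later visits. demo() shows that revisiting a host within the TTL sends no second query and that only the host name, never the URL path, leaves the client; parse_request_line() also confirms that the literal token quoted above decodes to 16 bytes.

```python
"""Model of a per-domain site-check lookup as described in the comments above.

Constructed example: request shape (GET /?host=...&hdn=...) and response fields
come from the discussion; the HMAC-MD5 construction, the key and the XML element
names are assumptions, not Opera's or Haute Secure's actual implementation.
"""
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical client key. A key shipped inside every client binary can be
# recovered by anyone with the binary, so the token can only show that the
# request was built by something holding the client code, not that the
# sender is an honest browser user. It is not a user identifier.
CLIENT_KEY = b"placeholder-client-key"


def make_hdn(host: str, key: bytes = CLIENT_KEY) -> str:
    """Base64 of a 128-bit HMAC-MD5 over the host name (assumed construction)."""
    digest = hmac.new(key, host.encode("ascii"), hashlib.md5).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request_line(host: str) -> str:
    """Everything that leaves the client per lookup: host plus token, no path."""
    return "GET /?" + urlencode({"host": host, "hdn": make_hdn(host)}) + " HTTP/1.1"


def parse_request_line(line: str) -> dict:
    """Parse a site-check request line and sanity-check the token length."""
    method, target, _version = line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method")
    qs = parse_qs(urlsplit(target).query)
    host, hdn = qs["host"][0], qs["hdn"][0]
    if len(base64.b64decode(hdn)) != 16:
        raise ValueError("hdn is not a 128-bit value")
    return {"host": host, "hdn": hdn,
            "valid_token": hmac.compare_digest(hdn, make_hdn(host))}


def parse_sitecheck_response(xml_text: str) -> dict:
    """Parse the constructed XML reply: host, TTL in seconds, verdict, sources."""
    root = ET.fromstring(xml_text)
    return {
        "host": root.findtext("host"),
        "ttl": int(root.findtext("ttl")),
        "blocked": root.findtext("status") == "malware",
        "sources": [s.text for s in root.findall("./sources/source")],
    }


class SiteCheckClient:
    """Per-domain verdict cache honouring the server's TTL."""

    def __init__(self, transport, clock=time.monotonic):
        self._transport = transport   # callable(request_line) -> xml text
        self._clock = clock
        self._cache = {}              # host -> (expires_at, verdict)
        self.queries_sent = 0

    def check(self, url: str) -> dict:
        host = urlsplit(url).hostname  # only the host is consulted; the path stays local
        now = self._clock()
        hit = self._cache.get(host)
        if hit and hit[0] > now:
            return hit[1]
        self.queries_sent += 1
        verdict = parse_sitecheck_response(self._transport(build_request_line(host)))
        self._cache[host] = (now + verdict["ttl"], verdict)
        return verdict


# Constructed replies standing in for the remote service; not captured traffic.
FAKE_RESPONSES = {
    "www.google.com": "<sitecheck><host>www.google.com</host><ttl>3600</ttl>"
                      "<status>ok</status></sitecheck>",
    "bad.example": "<sitecheck><host>bad.example</host><ttl>3600</ttl><status>malware</status>"
                   "<sources><source>Haute Secure</source><source>PhishTank</source></sources>"
                   "</sitecheck>",
}


def fake_transport(request_line: str) -> str:
    host = parse_request_line(request_line)["host"]
    return FAKE_RESPONSES.get(
        host, f"<sitecheck><host>{host}</host><ttl>3600</ttl><status>ok</status></sitecheck>")


def demo():
    clock = [0.0]
    client = SiteCheckClient(fake_transport, clock=lambda: clock[0])
    client.check("https://www.google.com/search?q=private")  # first visit: one query
    client.check("https://www.google.com/mail")              # within TTL: cache hit
    clock[0] += 3601                                          # past the one-hour TTL
    client.check("https://www.google.com/")                   # re-queried
    bad = client.check("http://bad.example/payload")          # blocked verdict
    return client.queries_sent, bad["blocked"], bad["sources"]


if __name__ == "__main__":
    print(build_request_line("www.google.com"))
    print(demo())
```

The cache is what makes the "with each page loaded" claim inaccurate in practice: within the TTL, a second page on the same host produces no network traffic at all, which is both the performance win and the reason a freshly listed host can still be reached for up to an hour by a client that already cached an "ok" verdict.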

Wow

Thanks BK and antibozo, I guess I will continue to skip Opera. Hopefully, you guys thoroughly test FF3 the same as well. I use FF at work, but OmniWeb at home.

Posted by: umm.huh | June 13, 2008 12:34 PM

umm.huh> I guess I will continue to skip Opera.

I want to clarify that while I think this is not the best way to do things, I don't think it is excessively invasive. I don't plan to switch to Opera, but I believe it has a number of nice features and there are some folks who swear by it. It's up to each individual to decide whether sharing the sequence of domain names visited with the Opera and Haute Secure folks is worth the benefit of the product. And if not, there is an option to disable the feature: under Tools...Preferences...Advanced...Security, uncheck Enable Fraud Protection.

Posted by: antibozo | June 13, 2008 12:43 PM

As I suspected, the HMAC secret is trivial to discover--it takes literally about 15 seconds, and requires no particular cleverness.

This means that if the anti-fraud tactic turns out to be effective, it would be easy to write, for example, a Firefox extension that would utilize the same service. OpenDNS is still easier, but my point is that the anti-fraud service is essentially free to anyone who wants to use it. I wonder how Haute Secure feels about that.

A security impact of this is that purveyors of malware can easily script automated checks against the Opera service to identify when they have to switch hostnames.

Posted by: antibozo | June 14, 2008 12:26 AM

I am so not interested in these people. I wish they'd just go away.

Posted by: Rick | June 14, 2008 9:42 AM

There is a problem with Opera v9.5 and some Adobe software. The version causes some Adobe software to hang after starting with conflicts between Adobe and Opera's library files. Removing Opera will restore the operation of the Adobe software. And the problem has been reported to Opera.

Posted by: Scott Knowles | June 15, 2008 6:58 PM

Amazing -- even the WaPo malware LOL [cookies, etc] are apparently being blocked by the new Opera 9.5 browser.

GREAT !!!

Posted by: brucerealtor | June 16, 2008 3:47 AM

antibozo: I see you've gone through things quite thoroughly. We believe we can withstand scrutiny, and it's comforting to see people put us to the test, and not just take our word blindly :)

The one thing you will have to take our word for, we do *not* store, log, sell or share this info in any way. That I can guarantee, both from a technical as well as a moral standpoint.
You are free to read the technical documentation for the feature, which was released with 9.50:

http://www.opera.com/docs/fraudprotection/

as well as our general privacy policy:

http://www.opera.com/privacy/#opera

I'm sure Haute Secure would also be happy to verify that they are not receiving any user data from us.
You are right that Apache is powering the service, but all logging has explicitly been turned off. The only way to finance storing the browsing history of 20 million users would be to sell it, and we do neither.

As for consulting the server every time, the results are cached per domain for each session for performance reasons. I see now that this is missing from our documentation, and will make sure to ask our documentation department to include this. Thanks for pointing it out.

The statement regarding DNS refers to the fact that user-identifiable information is not transferred, which I'm sure you can verify yourself. The bare minimum of personal information (the IP address) is exposed. I doubt we could easily avoid that being exposed to Opera, but as mentioned, it is not logged. Even if it was, it wouldn't be particularly useful.

And finally, regarding using OpenDNS as an alternative, OpenDNS is in fact a partner of ours, so the same sites that are blocked in PhishTank will also be blocked by Opera. The benefit to using Opera is that sites from our other partners (currently Netcraft and Haute Secure) will also be blocked.

We realize that the way this service functions does require users to instill a level of trust in that Opera Software will do as they say. We hope that our privacy track record of the last decade will function as an indicator that we are indeed protecting against spyware, not producing it.

- Christer

Posted by: Christer Mjellem Strand, Opera Software | June 23, 2008 2:17 PM

Christer,

Thank you for the detailed response. :^)

Posted by: antibozo | June 24, 2008 11:55 AM

© 2010 The Washington Post Company