:tools: Scheduled maintenance

Heads up! Downtime for the Forums, related to the NodeBB upgrade, is planned for Thursday, December 14, starting from 10:00 UTC.
Please make sure to finish all your posts before this time. The downtime should only last for a few minutes.

Opera 12.17 Build 1863 TLS 1.1 1.2

  • hello

    is it safe to enable TLS 1.1 and 1.2 and disable the insecure cipher suites ?

    Your client supports cipher suites that are known to
    be insecure:
    TLS_RSA_WITH_RC4_128_MD5: This cipher use RC4 which has insecure biases in its output.
    TLS_RSA_WITH_RC4_128_SHA: This cipher use RC4 which has insecure biases in its output.

    thx for help

  • It looks like those are results from howsmyssl.com?

    • Go to Settings - Preferences - Advanced tab - Security.
    • Click the "Security protocols" button.
    • Click the "Details" button.
    • Look under the "Cipher" column, and uncheck :

    128 bit ARC4 (RSA/MD5) and 128 bit ARC4 (RSA/SHA)

    This will improve your results on howsmyssl.com.

  • Nope, its not safe. TLS 1.1 and 1.2 are flawed and you shouldn't use them. That said, you shouldn't be using a web browser that hasn't been updated in 2 years either. So I guess you will have to evaluate the level of risk you are comfortable with and base your decision on that.

  • Galabutbul, certain characters are reserved in the local markup renderer, so use backticks to show stuff.

    Your client supports cipher suites that are known to
    be insecure:
    TLS_RSA_WITH_RC4_128_MD5: This cipher use RC4 which has insecure biases in its output.
    TLS_RSA_WITH_RC4_128_SHA: This cipher use RC4 which has insecure biases in its output.

  • Nope, its not safe. TLS 1.1 and 1.2 are flawed and you shouldn't use them.

    What should we use? TLS 1.1 and 1.2 are the latest.

  • You shouldn't use TLS at all, its not secure. Theres a draft for 1.3 out but its not finalized and it wont be added to Opera 12 (which is no longer maintained) even if it is. If you are concerned with security you should use better crypto protocols and update your browser.

  • You shouldn't use TLS at all, its not secure.

    Opera 30 uses TLS.

  • Right, because Opera 30 has been updated to 'manage' the problems with TLS so its 'secure enough' for general use. Opera 12 has not been updated because it is no longer being maintained. I still try to avoid using TLS because of its known issues. Just like I try to avoid using Flash and Java for anything that requires security.

  • I still try to avoid using TLS because of its known issues.

    What do you use instead?

  • I still try to avoid using TLS because of its known issues.

    Did you not make an https connection using TLS in order to make that post? And how do you avoid TLS while using Opera? I see a flag to set the minimum TLS but nothing about maximum or about disabling TLS.

    Unless there is an alternative it sounds like a strategy to use no security in order to avoid flawed security. That or give up a large part of my online activity as more and more sites use https. Maybe I am missing something here.

  • Did you not make an https connection using TLS in order to make that post?

    Its not that I don't go to places that use TLS and HTTPS, its that I don't use just TLS and HTTPS to do things that I have security concerns with. If someone compromises the Opera forums and my account the worst case is they get my throwaway email address I used to register with and can make bogus posts in my name. Since I use very strong passwords* and don't reuse passwords between accounts that gets them nothing. Thats not a security concern because I am not risking anything. You wont see me putting out my SSN or CC/bank account info without some extra level of security though.

    Its like using a cheap padlock vs a 800 lbs safe embedded in the concrete of my basement. The padlock is fine for keeping people out of my backyard shed. I'd definitely want my hundreds of millions of dollars in something more secure though.

    What do you use instead?

    Things other than the internet, generally. Its harder for a hacker to perform a man-in-the-middle attack when I've mailed my credit card bill payment via USPS ;) Its even harder if I setup an automatic bill payment. In either case its out of my hands and someone else's problem. But, as I said above, if you're really concerned with security making sure your browser is up to date goes a long way to improving your security.

    *My Opera account password is 350 bits. Just want to give a shout out to the team that maintains this site for allowing very long passwords. Good job.

  • Thanks for the security tips Lando.

    I think the OP and I are in the same boat, wondering how best to hang on to 12.17 for email as long as possible and when to let it go. We need a guru.

Log in to reply
 

Looks like your connection to Opera forums was lost, please wait while we try to reconnect.