Safety questions - Cross Network Navigation
-
digiface last edited by
Is it more secure to enable or disable this feature? I read that it's more of a safety feature (when enabled), but I'm not sure. Also, is Opera 12.17 safe from XSS vulnerability?
-
blackbird71 last edited by
Back in September, 2011, Hallvors wrote (in http://stackoverflow.com/questions/5464599/opera-wont-load-some-javascript-files/7442998#7442998 ):
"Opera has a feature called cross-network protection. Basically it places some extra limitations on what pages from the internet can do with stuff on your local network.
The reason this feature exists, is the emergence of the so called "phish farm" exploits, where it was discovered that the HTTP-based config screens of some popular home routers / modems were so poorly secured that malicious web pages could rewrite your router settings - for example to configure it to use a proxy and pipe all your traffic through a malicious server. To counter this, Opera knows that some IP addresses are not used on the public web (such as 127.0.0.1 or 192.168.*) and it doesn't allow pages from a "public" site to load files or send requests to a "local" site. ..."
From that, I would conclude that disabling cross-network navigation is a safer way for a browser to operate.
Currently, Opera 12.17 is not listed at recognized vulnerability sites like Secunia or CERT as having any XSS vulnerabilities.
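
A minimal model of the check described in the quoted explanation above, added here as an illustration; it is not part of the thread and not Opera's code. The address ranges, the `resolved` lookup table and the sample hosts are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges treated as "local" in this sketch: loopback, RFC 1918, link-local
# and their IPv6 counterparts. The list Opera used is not given in the
# thread, so this list is an assumption.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def zone(ip_text):
    """Return 'local' or 'public' for a literal IP address."""
    ip = ipaddress.ip_address(ip_text)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps,
    # so the mapped form cannot be used to sidestep the IPv4 ranges.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return "local" if any(ip in net for net in LOCAL_NETS) else "public"

def decide(page_url, request_url, resolved, allow_cross_network=False):
    """Block a request from a public page to a local address.

    `resolved` maps hostnames to IPs (a stand-in for DNS so the example
    runs offline); literal IP hosts are used as-is.
    """
    page_host = urlsplit(page_url).hostname
    target_host = urlsplit(request_url).hostname
    page_zone = zone(resolved.get(page_host, page_host))
    target_zone = zone(resolved.get(target_host, target_host))
    if page_zone == "public" and target_zone == "local":
        # The opera:config "allow" option corresponds to this override.
        return "allow" if allow_cross_network else "block"
    return "allow"

# Constructed sample data: a public site and a home router on the LAN.
RESOLVED = {"news.example": "203.0.113.10", "router.lan": "192.168.1.1"}

if __name__ == "__main__":
    for page, target in [
        ("http://news.example/a.html", "http://192.168.1.1/config"),
        ("http://router.lan/index.html", "http://192.168.1.1/config"),
        ("http://news.example/a.html", "http://[::1]:8080/"),
    ]:
        print(page, "->", target, ":", decide(page, target, RESOLVED))
```

With the override left off, only the public-to-local requests are refused; pages already on the local network can still reach local addresses.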
-
blackbird71 last edited by
> From that article I figured it's safer to be enabled?
Yes, the gist of the article is that it's safer to have CNN protection "enabled" or "active"... which means you should leave the "allow CNN" option UNchecked in opera:config. Opera's CNN protection is a blocking function that normally comes set-in-place in Presto Opera, and a user has to manually request it to be disabled or removed, thus allowing CNN itself to occur from a website. There are infrequent situations where a user may want/need to allow CNN... and the option exists in opera:config for those situations - but ordinarily, the "allow CNN" option should not be used (meaning you should leave its box unchecked).
The terminology can admittedly be confusing, as it is with a number of vintage Opera settings terminologies.
-
digiface last edited by
Btw, I found a strange problem in 12.17. If you enable support for TLS v. 1 and 2, Opera's update checking disables those settings. So I disabled auto-update in Opera. There are really no updates for Opera 12 anymore, so it's kinda pointless anyhow.
-
blackbird71 last edited by admin
As a result of the SSL3 "Poodle" vulnerability, there's been a lot of turbulence in the secure-link performance realm. Opera, in order to protect Presto Opera users against the vulnerability, elected to use its Presto updater to silently "push" a settings change to browser security settings to disable SSL3. That, in turn, has led to a number of somewhat confusing Opera 11-12.xx user experiences revolving around SSL/TLS settings and certificate expirations. There have been several threads in this forum and elsewhere about this, but the bottom line of it appears to be that the best compromise (which produces the least hiccups) for many Presto Opera users is to uncheck all the TLS/SSL options except TLS1 and to turn off auto-updating. One recent thread on this, which contains a good link in its third post, is:
https://forums.opera.com/topic/6358/unable-to-complete-secure-transaction-error
-
digiface last edited by
I wouldn't like to disable TLS 1.1/1.2 and leave TLS 1.0 enabled, because 1.0 is vulnerable to the BEAST attack. Another question: I checked the link blackbird71 gave and I just wonder, is it possible to update the 12.17 certificate database?
-
digiface last edited by
Addition to my earlier post: Is it possible to use newer Opera's cert. databases with 12.17? Opera 12 has files opcacrt6.dat and opicacrt6, which seem to be cert. database files.
-
Deleted User last edited by
> Is it possible to use newer Opera's cert. databases with 12.17?
No. The databases are incompatible.
-
blackbird71 last edited by
> I wouldn't like to disable TLS 1.1/1.2 and leave TLS 1.0 enabled, because 1.0 is vulnerable to the BEAST attack.
And that, in a nutshell, is but one of the obsolescence dilemmas in which Presto Opera users increasingly find themselves. Namely, if they mitigate the SSL3 protocol vulnerability by enabling just TLS 1.2, 1.1, and 1, they risk stumbling over expired certs at any of those levels, depending on which ones the site downward-security-protocol-negotiation might encounter first; if they minimize the exposure to expired certs by enabling only TLS 1, they risk the documented TLS 1 protocol vulnerability in that way. The digital online world continues to change; Presto Opera is essentially frozen in time and will remain so... and there's only so much that can be done to work around the growing number of missing pieces.
Opera may or may not find it in its own best interests to update Presto Opera's certs... they certainly have little reason to do that if their focus is on expanding adoption of their Blink Opera version(s). At some point, common sense dictates Opera ASA will say "no more" in terms of bailing out Presto users. This is a key point that ought to drive users to move away from Presto Opera to a new flavor of browser (be it Blink Opera or somewhere else) if such obsolescence issues matter to them, and sooner rather than later. If users can live with these kinds of issues, then of course their life with Presto can go on.