The following guide collects several tricks ('tweaks') for setting up Opera for maximum security using the browser's own built-in mechanisms, which you need to enable or switch in order to improve overall browser security. It is guidance, not a universal guide, because browsers change frequently and functions may be added or removed; please keep this in mind.
Based on Opera 51, the guide lists my recommendations for lowering the attack surface. Let's get started.
Enabling the integrated adblocker
Make sure you have enabled 'Block ads and surf the web up to three times faster' together with the filter lists you want to use. The pre-defined default lists 'EasyList' and 'NoCoin' are good enough for most users. Of course no list catches every advertisement, but loading more lists can break pages or slow down loading, because the ad-blocker is busy parsing the lists and you may run out of memory.
Click 'Manage Exceptions' and remove all of the pre-defined exceptions, because you especially want to block ads on Facebook & Co. You can skip this step if you never visit such platforms, but I suggest removing them anyway and manually adding only the pages that do not load correctly.
The download location is an important option because several OS mechanisms protect specific directories; on Windows these are the Documents and Downloads folders. Don't set it to the Desktop: by default (on the latest Windows 10 version 1709) Windows Defender protects the download directory against ransomware (ransomware protection must first be enabled manually in Windows Defender!).
To avoid attacks, place the default download directory in a secure location; if you use a sandbox or RAM disk, use that location. Also make sure the 'Ask where to save each file before downloading' option is enabled, which ensures there are no sneaky background downloads.
Cookies are always problematic because they can expose and track you. The strategy here is to accept cookies only from visited pages and then delete them automatically when we close Opera.
Cookies are then deleted automatically after you finish using the Opera browser. Third-party cookies are blocked by default.
Enable 'Show advanced settings'
This option ensures that we see all 'hidden' options. They are not really hidden, but Opera thinks they are not 'useful' enough to bother the normal user with. We want to control every aspect, so let's enable it with a single click.
Always show the full URL in the search and address bar
Showing the full URL ensures that you never see a shortened URL, which can prevent attacks that obfuscate or nest bad links inside a short one.
Disable Flash entirely
Disable Adobe Flash via 'Block sites from running Flash' and simply don't use any website that needs Flash; use alternative pages that don't require Adobe Flash. This is a simple rule.
Location, Microphone, MIDI full control & Camera
The same rule as for Adobe Flash applies to the Location, Camera and Microphone options: turn them off and work with exclusions.
Turn off Background Sync
If possible, don't use any sync or background processes, so that such attack scenarios are avoided in the first place. Only use sync if you really need it; nothing these days speaks against local copies and backups. As always, work with exceptions.
Privacy and security
This is the interesting part; some options here are hidden by default, which is why we enabled the advanced options.
Turn everything off except automatic crash submission, which helps Opera identify and fix possible problems. If you don't trust Opera with this, simply don't use their browser in the first place. People often say that crash reports reveal a lot about you, and this is not wrong, but how else would you provide something useful without submitting a crash report? Right, you can't. Besides, it only contains metadata such as which OS you use, and this alone doesn't say anything about you.
VPN & Networking + Turbo
Opera's Turbo mechanism tries to reduce overhead by compressing pages and images, while their so-called VPN is simply a proxy; better use your own VPN provider instead.
Autofill and Passwords – Nope!
Theoretically nothing speaks against it, but password managers like KeePass are more secure because they encrypt their database, so if your computer gets hacked the attacker would still need to brute-force your database. Autofill entries and saved passwords in Chrome/Opera can be read out with several tools, and that is a no-go, so better use KeePass or another password manager program instead.
If you don't need WebRTC, turn it off; if you use it, make sure you select the 'Use default public network interfaces only' option.
Change it to 'Disable non-proxied UDP' in case you don't want or need WebRTC. This doesn't turn off every connection entirely, but it eliminates the leakage problem on insecure connections.
We don't want any website to add 'handlers', so turn it off by setting the option to 'Do not allow any site to handle protocols'. Handlers are used, for example, when your browser doesn't know what to do with a specific format or protocol, e.g. because there is no support for it or it requires an external program; this can be a security risk.
Fine tuning with about:flags and Add-ons
Here comes the geek stuff, but I'll keep it brief. Open the about:flags page (opera://flags/) by typing it into the address bar; it shows a lot of additional options. Since Opera is a browser based on a tweaked Chromium engine, it works exactly like Chrome: change a value and restart your browser afterwards to activate the change. Not all changes require a restart, so set every flag you want and restart only once to avoid wasting time.
I will list only the interesting ones; all others are, like the Opera options not mentioned above, optional and more a matter of taste. We keep our focus on the security aspect.
To simplify the process I only mention the links, so you can click them and Opera loads the page automatically for you:
- chrome://flags/#backup-preference-files – Enabled, to ensure you get a local copy; by default the configuration is located under %APPDATA%\Opera Software\Opera Stable\Preferences
- chrome://flags/#flash-detection-through-navigator-plugins – We don't use Flash, but we want to ensure better detection of abuse
- chrome://flags/#adblocker-advanced-selectors – Enabled, we use the integrated ad-blocker, so we want more filters and options to improve the blocking
- chrome://flags/#adblocker-split-rules – Enabled, we want to see what's going on, so let's split the ad-blocking rules
- chrome://flags/#adblocker-selective-mode – Disabled, normally there is no need to change it, but we want to ensure the adblocker is enabled (useful in case you want to create a preference file yourself and need the flags)
- chrome://flags/#addons-detailed-errors – Enabled, yep, we want all the details we can get
- chrome://flags/#enable-quic – Enabled, Google's new protocol, used e.g. on YouTube to load the page faster; we want that
- chrome://flags/#extended-feature-stats – Disabled, this is the telemetry option that collects more metadata in case Opera crashes; it's not needed
- chrome://flags/#save-as-pdf – Enabled, and use SumatraPDF or other offline programs to read the PDFs.
- chrome://flags/#prompt-on-risky-download – Enabled, sometimes annoying, but better one dialogue more than taking unnecessary risks
- chrome://flags/#reborn-communicator-show-permissions – Enabled, this is a very useful function for working with site permissions
- chrome://flags/#show-midi-permission-badge – Enabled, we work with exceptions, but in case you really have a page with MIDI permission, make sure you see a badge indicator
- chrome://flags/#warn-for-unknown-root – Enabled, this can also be annoying, but we want all details about possibly broken or invalid certificates to prevent certificate fraud
- chrome://flags/#vkontakte-messenger – (Optional) Disabled in case you don't need/use VK, to prevent connections/pings to their services, because VK collects a lot of 'statistics'
- chrome://flags/#personal-news-notifications – (Optional) Disabled, if you don't use any RSS feed feature, turn it off to prevent pings/connections, just in case
- chrome://flags/#enable-webrtc-srtp-aes-gcm – (Optional) Enabled if you use WebRTC
- chrome://flags/#enable-webrtc-srtp-encrypted-headers – Enabled, no matter whether you use WebRTC or not; the header already reveals a lot, so we want to ensure it's secured
- chrome://flags/#WebRtcUseEchoCanceller3 – Enabled, even though it's an experimental option, because it's useful and lowers the attack surface
- chrome://flags/#enable-history-entry-requires-user-gesture – Enabled, this prevents a website or app/add-on from possibly adding an entry without your knowledge
- chrome://flags/#disable-hyperlink-auditing – Disable, we don't need it and don't want to provide more metadata than needed
- chrome://flags/#enable-service-worker-script-streaming – Disabled, to avoid service workers, which are e.g. used for browser-hijacking crypto-mining
- chrome://flags/#reduced-referrer-granularity – Enabled, use this if it works for you; some pages have a problem with it, e.g. several banking pages
- chrome://flags/#mark-non-secure-as – 'Always mark HTTP as actively dangerous', the indicator is useful
- chrome://flags/#enable-http-form-warning – Enabled, we always want a warning if something is possibly dangerous/insecure
- chrome://flags/#enable-site-per-process – Enabled, this is a really powerful option and helps against several attack scenarios
- chrome://flags/#enable-top-document-isolation – (Optional) Enabled, some pages have issues with it, but like site isolation it is a really powerful option
- chrome://flags/#enable-gamepad-extensions – (Optional) Disabled, if you never use it, turn it off to stop several fingerprinting methods from working (but it's not really needed, because this alone will not expose you)
- chrome://flags/#enable-appcontainer – Enabled, like Site Isolation, really powerful and a must
- chrome://flags/#enable-brotli – Enabled, a new compression algorithm that loads pages faster (if they support it) and thus reduces some bandwidth
- chrome://flags/#user-activation-v2 – Enabled, user gestures, i.e. manually controlling content, are the most effective way to stop a page from automatically e.g. playing sound or a video without permission
- chrome://flags/#tabs-in-cbd – Enabled, enables the tab for clearing browser data (advanced tab)
- chrome://flags/#new-audio-rendering-mixing-strategy – Enabled, the mixed rendering strategy can theoretically improve loading speed
- chrome://flags/#enable-feature-policy – (Optional) Enabled, might break some pages
- chrome://flags/#enable-generic-sensor – Disabled, only disable it on smartphones, because Android/iOS itself can already detect it
- chrome://flags/#enable-mojo-loading – Enabled, Mojo is a new API that improves the loading sequence
- chrome://flags/#autoplay-policy – Set it to 'User gesture is required for cross-origin iframes' in order to prevent HTML5 videos from auto-playing
- chrome://flags/#sound-content-setting – Enabled, control the sound muting option with this setting, which adds the functionality as a context menu entry
- chrome://flags/#enable-parallel-downloading – (Optional) Enabled, not security related, but it helps to improve the download speed
- chrome://flags/#clipboard-content-setting – Enabled, take permission control over the clipboard API to prevent bad guys from reading out your clipboard content
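As an added example (not from this guide, and not Opera's own code), here is a small Python audit that reads the Preferences file named in the backup-preference-files entry above and the Local State file next to it, and reports which of the download, cookie, Flash and WebRTC settings from the settings section, and which flags from this list, are not set as recommended. The preference key names, the Local State flag-storage format and the sample JSON are assumptions based on Chromium conventions, constructed inline rather than taken from an Opera 51 profile.

```python
import json

# Constructed sample Preferences and Local State content. The key names are Chromium
# preference names and are an assumption about what Opera 51 writes to its profile
# directory; they are not taken from the guide.
SAMPLE_PREFERENCES = json.dumps({
    "download": {"default_directory": "C:\\Users\\me\\Desktop", "prompt_for_download": False},
    "profile": {"block_third_party_cookies": True,
                "default_content_setting_values": {"cookies": 1, "plugins": 2}},
    "webrtc": {"ip_handling_policy": "default"},
})
SAMPLE_LOCAL_STATE = json.dumps({"browser": {"enabled_labs_experiments": ["enable-site-per-process", "enable-brotli"]}})

# Chromium content-setting values: 1 = allow, 2 = block, 3 = ask, 4 = session only.
BLOCK, SESSION_ONLY = 2, 4
# Flags from the list that must be on (assumed stored under their plain names; multi-choice flags carry an "@index" suffix).
REQUIRED_FLAGS = ["enable-site-per-process", "enable-appcontainer", "enable-http-form-warning"]

def get(node, path, default=None):
    """Walk a dotted path through nested dicts; return default when a key is absent."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit_preferences(prefs_json):
    """Return the guide's settings recommendations that this Preferences file violates."""
    p = json.loads(prefs_json)
    findings = []
    if get(p, "download.default_directory", "").rstrip("\\/").lower().endswith("desktop"):
        findings.append("download dir is the Desktop; use the protected Downloads folder")
    if not get(p, "download.prompt_for_download", False):
        findings.append("'Ask where to save each file before downloading' is off")
    if get(p, "profile.default_content_setting_values.cookies") != SESSION_ONLY:
        findings.append("cookies are kept after closing Opera")
    if not get(p, "profile.block_third_party_cookies", False):
        findings.append("third-party cookies are allowed")
    if get(p, "profile.default_content_setting_values.plugins") != BLOCK:
        findings.append("Flash/plugins are not blocked")
    if get(p, "webrtc.ip_handling_policy") not in ("default_public_interface_only", "disable_non_proxied_udp"):
        findings.append("WebRTC may leak local interface addresses")
    return findings

def missing_flags(local_state_json):
    """Return the REQUIRED_FLAGS not present in Local State's enabled experiments."""
    enabled = set(get(json.loads(local_state_json), "browser.enabled_labs_experiments", []))
    return [flag for flag in REQUIRED_FLAGS if flag not in enabled]
```

Run it against a copy of your own profile files (never the live ones while Opera is open) to see which of the recommendations still need attention.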
The remaining gap is covered by add-ons, which get a separate article because it would be too much to explain them here.
Opera can be tweaked in the same way as Chrome, and it's worth doing because it can lower the attack surface in several scenarios; the site isolation function, for example, is really powerful, and it's beyond me why it isn't enabled by default already.
This guidance is a current view of the given options and should not be seen as the 'ultimate privacy guide' for hardening Opera. Hardening something means constantly checking the product for weaknesses and fixing them in the source code, not with 'optional' implemented options; such options exist because some users may or may not have problems, and several things are optional for that reason. Always test things yourself, don't blindly trust any page, ask questions and find out the truth in order to understand how things really work, so you can build strategies to be more secure than the masses. Stay informed and monitor several sources so you know what to do when the next leak comes; there will surely be a next bang, no matter which browser you use. In the end, all you can do is keep yourself updated with information and the latest software.