Recently, Google found a google.com pre-certificate in a CT log, without having ordered one. This led to a series of incidents, also involving Opera and its security team.

The backstory

Google promptly contacted Symantec, which had issued the pre-certificate, and blocked the certificate in Chrome. Symantec investigated and found out that they had made mistakes...

» Read more

Remember the SuperFish scandal? A third-party application installed a Certificate Authority on PCs, and then hijacked all secure connections by serving browsers certificates from this local certificate authority. The SuperFish issue was widely publicized, partly because it combined several bad practices, but it is far from the only program out there that attempts to...

» Read more

When a browser and website communicate over a secure connection, they encrypt and decrypt the data using a shared symmetric encryption key; the same key is used for encryption and decryption. In order for the browser and server to make sure they use the same key, they first need to share the key with each...

» Read more

The FREAK TLS attack

Following the trend of memorable names for TLS attacks, FREAK was recently announced. This exploits a bug in some TLS libraries, combined with the support of ancient weak ciphers, to enable a MitM to force crackable encryption. (The story of these ciphers is quite interesting, but plenty has been written elsewhere...

» Read more

You might have seen our press release that Opera’s Rocket Optimizer can now optimize encrypted video streams. The attentive reader will already have halted and said, “wait, what?”. In this blog post, we’ll explain how this works. Rocket Optimizer works at the ISP level, ensuring that all subscribers get an optimal experience. When available bandwidth...

» Read more

At Opera Software, we run a large number of websites for our products and services, and we like to give credit to the researchers and website testers who offer their assistance to help us tighten the security of those websites. We would like to take this opportunity to thank the researchers and testers of 2015...

» Read more

So the last weeks have been rather hectic behind the scenes in the browser security world, when Google's security group found a new way to exploit a rather well-known design weakness in SSLv3, published in the paper "This POODLE Bites: Exploiting The SSL 3.0 Fallback". You might wonder why that would be serious, when...

» Read more