Re: Opera's three security levels

Thanks. 

One thing that jumps out at me is that it's not clear what the user should 
and shouldn't do in situations where those various levels occur. Do you 
have any actionable advice to the user associated with these levels?
        Mez





"Michael(tm) Smith" <mikes@opera.com> 
Sent by: public-wsc-wg-request@w3.org
11/17/2006 05:35 AM

To: public-wsc-wg@w3.org
cc:
Subject: Opera's three security levels


Below is a message from Opera's Yngve Pettersen that describes the
criteria that Opera browser uses for selecting the 1-3 number
displayed within the padlock icon in Opera (to indicate the
security level).

----- Forwarded message from "Yngve N. Pettersen (Developer Opera Software 
ASA)" <yngve@opera.com> -----

Date: Thu, 16 Nov 2006 04:39:39 +0100
To: "Michael(tm) Smith" <mikes@opera.com>
Subject: Opera's 3 security levels
From: "Yngve N. Pettersen (Developer Opera Software ASA)" 
<yngve@opera.com>

Hi,

I see from the WSC minutes that you want this information:

Level 0: At least one resource was loaded from an unencrypted site, except 
for (Opera 8+) the first redirect as long as it is not a POST.

Level 1: Chosen for

  - 40 and 56 bit symmetric encryption (or below)
  - anonymous ciphers
  - authentication only.
  - RSA/DH/DSA keys shorter than 900 bits (Opera 9+ can adjust this in 
    jumps of 100 bits as needed).
  - Certificate warnings
  - SSL v2 (any cipher)

Level 2: RSA/DH/DSA keys between 900 (inclusive) and 1000 bits (not 
inclusive)

Level 3:  requires all of these:

  - 128 bit and more symmetric (including 3DES),
  - 1000 bit or more RSA/DH/DSA (will be upgraded to 1020 bit as soon as 
    old RSA SSCA root has been phased out)
  - Opera 9: No problems with OCSP validation (when used)

OCSP problems (except revocation) result in a one level down indication.

In Opera 9.10 no padlock is displayed for https pages that have level 2 
(IIRC) or below.

In Opera 9.0x level 2 and below will show a partial lock (open in case of 
mixed security) on grey background. Opera 8.x uses yellow background for 
all levels for a https page.

-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

----- End forwarded message -----

-- 
Michael(tm) Smith
Opera Software, Tokyo
xmpp:smith@sideshowbarker.net
irc://irc.freenode.net/mobile-web

Received on Monday, 20 November 2006 16:51:11 UTC
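
The criteria in the forwarded message, written out as a decision function. This is an added example, not Opera's code and not part of the thread; the Load and Page structures and their field names are hypothetical, and the two places where the message leaves the outcome open are marked as assumptions in the comments.

```python
from dataclasses import dataclass, field

@dataclass
class Load:
    """One resource load. Constructed model; field names are assumptions."""
    scheme: str                    # "http" or "https"
    method: str = "GET"
    first_redirect: bool = False   # True for the first redirect in the chain

@dataclass
class Page:
    """Negotiated parameters for an https page (hypothetical structure)."""
    loads: list = field(default_factory=lambda: [Load("https")])
    symmetric_bits: int = 128      # 3DES counts as 128 or more, per the message
    public_key_bits: int = 1024    # RSA/DH/DSA key length
    ssl_v2: bool = False
    anonymous_cipher: bool = False
    authentication_only: bool = False
    certificate_warning: bool = False
    ocsp_problem: bool = False     # any OCSP problem other than revocation

def breaks_encryption(load: Load) -> bool:
    """Level 0 trigger: unencrypted load, except a non-POST first redirect."""
    if load.scheme == "https":
        return False
    return not (load.first_redirect and load.method != "POST")

def opera_level(p: Page, min_key_bits: int = 900) -> int:
    """Return the 0-3 number; min_key_bits is the adjustable 900-bit floor."""
    if any(breaks_encryption(l) for l in p.loads):
        return 0
    if (p.ssl_v2 or p.anonymous_cipher or p.authentication_only
            or p.certificate_warning or p.symmetric_bits <= 56
            or p.public_key_bits < min_key_bits):
        level = 1
    elif p.symmetric_bits >= 128 and p.public_key_bits >= 1000:
        level = 3
    else:
        # Keys of 900-999 bits land here. Assumption: so do cases the
        # message leaves open, such as a 64-bit cipher with a long key.
        level = 2
    if p.ocsp_problem:
        # "One level down"; flooring at 1 is an assumption, since level 0
        # is defined only by unencrypted content.
        level = max(level - 1, 1)
    return level
```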