  anonagain
@ikbcc.com
| Opera 10.10 keeps opening ICF ports - security issue?
This is clearly some kind of bug or security issue. Opera 10.10 adds itself automatically to exceptions to Windows ICF, even after it has been unchecked or removed from there. Also, Windows ICF does NOT warn user that Opera is opening ports, not even when the "Display a notification when Windows Firewall blocks a program".
I bet that this has something to do with the Opera Unite system, but even when that is disabled, Opera STILL adds itself to exceptions without any warning or prompt and keeps adding itself there no matter what I do.
Should I be worried? Can anyone else confirm this or is it just me?
I really don't like Opera being there. At least it should be under control. Now it seems that Windows ICF isn't in control, but Opera is, and I don't really like that. |
|
 Graycode
join:2006-04-17
·net2phone
| Opera used to be a "browser", but now it's also a full fledged "server". What you're seeing is UPnP where Opera is punching holes through your firewall to permit inbound external connections.
To alleviate that you will need to disable the Unite server, and disable the UPnP options.
• Enter opera:config in that browser.
• Expand the "User Prefs" section and turn OFF the checkbox for "Enable Unite".
• Expand the "Web Server" section and turn OFF all those checkboxes, especially the 2 labeled UPnP.
I've gone back to version 9 after being concerned about what version 10 is doing in terms of security. I don't think it's right for a browser to also install externally accessible server processes. |
|
 Frodo
join:2006-05-05
| reply to anonagain I can see UPnP performing on the fly port and network translations, but I don't think it can, or should open up the firewall. There's probably more than one thing happening here. In the case of the firewall, perhaps there is a setting telling Opera to configure the firewall, but in addition, I would think that Opera would have to be operating with administrative privileges. Running any browser with administrative privileges is, in itself, a security issue.
I would be very interested if Opera is changing ICF settings while not running with administrative privileges. |
|
 Frodo
join:2006-05-05
| All right, I took a perfectly good Opera 9.6 something and loaded 10.10 on top of it. I ran the install with administrative privileges, but unchecked the box that said to run Opera after the install completed.
Then, I started the Opera under a limited user account and Windows Firewall is operating normally, with the usual pop-up messages.
The only way I see Opera having a chance to change firewall settings is if it is running with administrative privileges, and that privilege level would be the overriding security concern.
As suggested in this thread, I set about to disable any services within the browser process I'm not going to be using. |
|
 Frodo
join:2006-05-05
| reply to anonagain "Opera 10.10 adds itself automatically to exceptions to Windows ICF, even after it has been unchecked or removed from there."
I toyed around with the browser in administrative mode. I shut off the bittorrent, the UPnP, the web server, the Opera Unite and so forth, and Opera continues to add itself as a firewall exception. So far, I haven't located a setting that disables this functionality. That would be something I would like disabled by default. So, there is somewhat of a security issue with this silent configuration, that can be mitigated by not running as administrator. I'll keep looking for a setting to disable automatic firewall configuration. |
|
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FiOS
1 edit | reply to Graycode
said by Graycode: "What you're seeing is UPnP where Opera is punching holes through your firewall to permit inbound external connections."
Sounds pretty outrageous if you ask me. Thanks for the tweaks, all of which I have performed.
Edit: If you decide to perform the recommended tweaks, be sure to click on the [Save] button at the bottom of each drop-down section, or else they will not take effect. -- Courage is being scared to death but saddling up anyway.
|
|
 Graycode
join:2006-04-17
·net2phone
| In addition to UPnP my firewalls also detected outbound IGMP protocol being used. The IGMP stopped happening after disabling Opera's new everybody-runs-a-server Unite crud.
It leaves me with very little faith in what Opera's up to. Opera used to preach their concern & focus on being a secure browser but that no longer seems applicable  |
|
  HA Nut Premium join:2004-05-13 USA
| reply to anonagain I mentioned earlier this year that Unite was "risky" and would be tolerable if it was a purely optional download. I was told I was, in so many words, over-reacting, that it is no risk.
Well, I stand by my original thoughts. Opera will not get loaded on any box I touch... mine, friends, family or work. Until Unite is 100% optional, IMO running Opera is a security risk. |
|
 Frodo
join:2006-05-05 | On my Opera, Unite wasn't enabled by default. Anyway, that is an issue separate from the automatic adding of the browser as a firewall exemption. |
|
  HA Nut Premium join:2004-05-13 USA
| said by Frodo: "On my Opera, Unite wasn't enabled by default. Anyway, that is an issue separate from the automatic adding of the browser as a firewall exemption."
IMO, I think they are related issues. Am I incorrectly understanding that Opera did not have this behavior until Unite appeared on the scene? |
|
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FiOS
1 edit | reply to anonagain Okay, now that I have executed Graycode's tweak I no longer get an alert from ZAF that Opera wants to accept connections from the Trusted Zone, every time I launch the browser.
Edit: I take it back. One just popped up so I am going to set up a "Deny" rule for Opera accepting connections from either the Trusted or Internet zones.  -- Courage is being scared to death but saddling up anyway.
|
|
 Frodo
join:2006-05-05
| reply to HA Nut
said by HA Nut: "IMO, I think they are related issues. Am I incorrectly understanding that Opera did not have this behavior until Unite appeared on the scene?"
They are related, my mistake. I apparently didn't hit the save button on some of the settings. The instructions by Graycode do work. Started Opera twice as administrator, and no firewall exception found. |
|
 Frodo
join:2006-05-05
| reply to anonagain One more thing though. UPnP will work for non-administrators. However, to have the entry added to ICF as shown, the process has to be running with administrative privileges. In my book, running as administrator is a bigger no-go than any of the other issues raised in this thread. |
|
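An added example, not part of any post in this thread: one way to catch the silent re-adding described above is to diff the firewall's program-exception list against a saved baseline. It assumes the Windows XP SP2 registry format, where each value under `...\FirewallPolicy\StandardProfile\AuthorizedApplications\List` reads `<path>:<scope>:<Enabled|Disabled>:<name>`; the paths and display names in the sample data are constructed.

```python
import re

# One exception-list value: <path>:<scope>:<Enabled|Disabled>:<display name>
# The path may start with a drive letter, which contains a colon of its own.
ENTRY = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]+):(?P<scope>[^:]*):"
    r"(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

def parse_entries(values):
    """Map lower-cased program path -> (scope, enabled) for each well-formed value."""
    out = {}
    for raw in values:
        m = ENTRY.match(raw.strip())
        if m:
            out[m["path"].lower()] = (m["scope"], m["state"].lower() == "enabled")
    return out

def audit(baseline, current):
    """List exceptions that appeared or were switched back on since the baseline."""
    before, after = parse_entries(baseline), parse_entries(current)
    findings = []
    for path, (scope, enabled) in sorted(after.items()):
        if not enabled:
            continue
        if path not in before:
            findings.append(("added", path, scope))
        elif not before[path][1]:
            findings.append(("re-enabled", path, scope))
    return findings

# Constructed snapshots (not taken from a real system).
BASELINE = [
    r"%windir%\system32\sessmgr.exe:*:Disabled:Remote Assistance",
    r"C:\Program Files\Opera\opera.exe:*:Disabled:Opera Internet Browser",
]
CURRENT = [
    r"%windir%\system32\sessmgr.exe:*:Disabled:Remote Assistance",
    r"C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser",
    r"C:\Tools\example.exe:LocalSubNet:Enabled:Example tool",
]

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```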
  DownTheShore Kick sand Jump waves Premium join:2003-12-02 Beautiful NJ clubs:
| reply to anonagain Again, for those like me who are not conversant with all possible acronyms:
Windows ICF = Windows Internet Connection Firewall
 -- Patriotism is not waving a flag, it is living the ideals
I want to retire to the Isle of Sodor and ride the trains. |
|
 lcnoble
join:2006-11-11 Nancy, KY
| reply to anonagain Am I missing other firewalls mentioned in this post, or is only one firewall affected by this issue? I like Opera, but to my knowledge I cannot use Flash with the ability to automatically delete the "Super Cookies" as soon as the super cookies are dumped on my system. This issue (firewalls and super cookies), and Opera's actions relating to this issue will probably affect my decision to explore the future use of Opera. I have not used Opera for several months! |
|
 Frodo
join:2006-05-05 1 edit | I can only speak for XP-Pro. On this system, only the built-in firewall was affected. My Kerio 2.15 was not affected. --Edit: Opera is a back-up browser for me. My primary browser is Firefox/w NoScript/Adblocker/Flashblocker. |
|
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FiOS
| reply to anonagain Okay, here's an update. It looks like Graycode's tweaks took hold after a restart of Opera, because so far today there have been no ZAF alerts about accepting connections from either the Trusted or Internet zones. -- Courage is being scared to death but saddling up anyway.
|
|
  DownTheShore Kick sand Jump waves Premium join:2003-12-02 Beautiful NJ clubs: | reply to anonagain I'm staying on version 10.01 for the time being.
Older versions of Opera here: »www.filehippo.com/download_opera/ |
|
  MeDuZa
join:2003-06-13 Austria
3 edits | reply to anonagain Just trying to clarify some things.
Webserver functionality of OperaUnite is disabled by default. There is no way somebody will ever enable it accidentally since you will have to go through different steps in order to activate.
However Unite's Service Discovery is enabled by default.
quote: UDP protocol is used over Port 1900 because the UDP protocol supports a "broadcast semantics" which allows a single UPnP announcement message to be received and heard by all devices listening on the same sub-network. TCP, being inherently a point-to-point connection-oriented protocol, does not support message broadcasts. When UPnP devices wish to announce themselves, or "shout out" to find out what other UPnP devices are hanging around on the network, they issue a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. This special "multicast" broadcast address has been set aside for UPnP devices and will be received by all of them listening on UDP port 1900.
If you have no use for Unite, you can disable the service in Opera's Preferences Editor: Uncheck 'Service Discovery Enabled'. You can also uncheck 'UPnP Service Discovery Enabled'.
However, if you don't use the Unite service, you can simply uncheck 'Enable Unite'. This setting will overrule all OperaUnite settings no matter how they are set.
For network admins "The system fixed file allows the system administrator to define settings that the individual user cannot override". System administrators handbook -- Reality corrupted. Reboot universe? (Y/N) |
|
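An added example, not part of any post in this thread: the discovery traffic quoted above (UDP to 239.255.255.250 port 1900) can be attributed to hosts by parsing the SSDP request line and headers. The capture tuples, addresses and product string below are constructed for illustration.

```python
from collections import defaultdict

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
START_LINES = {"M-SEARCH * HTTP/1.1": "search", "NOTIFY * HTTP/1.1": "notify"}

def parse_ssdp(payload):
    """Return (kind, headers) for an SSDP request datagram, or None if it is not one."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    kind = START_LINES.get(lines[0].strip().upper())
    if kind is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return kind, headers

def summarize(packets):
    """packets: (src_ip, dst_ip, dst_port, payload). Report SSDP activity per source."""
    hosts = defaultdict(lambda: {"searches": 0, "advertises": set(), "agent": None})
    for src, dst, port, payload in packets:
        if (dst, port) != (SSDP_GROUP, SSDP_PORT):
            continue  # not addressed to the UPnP multicast group
        parsed = parse_ssdp(payload)
        if parsed is None:
            continue
        kind, h = parsed
        entry = hosts[src]
        entry["agent"] = h.get("SERVER") or h.get("USER-AGENT") or entry["agent"]
        if kind == "search":
            entry["searches"] += 1  # host is looking for UPnP devices
        elif h.get("NTS") == "ssdp:alive":
            entry["advertises"].add(h.get("NT", "?"))  # host announces a service
    return dict(hosts)

# Constructed capture: one workstation that both searches and announces.
SAMPLE = [
    ("192.168.1.20", SSDP_GROUP, SSDP_PORT,
     b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
     b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: upnp:rootdevice\r\n\r\n'),
    ("192.168.1.20", SSDP_GROUP, SSDP_PORT,
     b'NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n'
     b'NTS: ssdp:alive\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleApp/1.0\r\n\r\n'),
    ("192.168.1.30", "192.168.1.1", 53, b"\x12\x34not-ssdp"),
]
```

A workstation that shows up under `advertises` is announcing a service to the local subnet, which is the behaviour the Service Discovery settings above turn off.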
  EGeezer Fly kites Premium join:2002-08-04 Country! | Thanks for the factual information. |
|