Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Firefox, Opera allow crooks to hide an entire phish site

"A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.....the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. .....

Google’s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera."

Sounds nasty. I would assume Sea Monkey is also vulnerable. Just another reason to be leery of shortened URLs.

»www.theregister.co.uk/20 ··· s_peril/

FF4m3
@bhn.net

FF4m3

Anon

I wrote a simple Proxomitron filter for this. It removes 'data:' and 'data_uri' from webpage code. It may neuter the described vulnerabilities.

Not sure yet if it's too broad, or effective in all cases, or will break pages.

Am testing it now.

Name = "Remove Data URI [12.08.04]"
Active = TRUE
Limit = 8
Match = "(data:|data_uri)"
 

StuartMW
Premium Member
join:2000-08-06

StuartMW to Mele20

Premium Member

to Mele20
said by Mele20:

"...and once shortened using a service such as TinyURL..."

Which is why I avoid TinyURL and clicking on their links.

And no I can't be bothered trying to figure out the actual URL even if it is possible.

FF4m3
@bhn.net

FF4m3 to FF4m3

Anon

to FF4m3
My above filter is targeting too broadly with negative impact at some sites. I've removed it from my config.
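
Why matching every `data:` string was too broad, as an added example (not part of the thread and not FF4m3's filter): this JavaScript sketch parses each link target as an RFC 2397 data: URI and flags only those whose media type renders as a document, leaving inline images alone. The function names, the list of active media types and the sample page are constructed for illustration.

```javascript
// Added example: classify data: URIs (RFC 2397) found in a page instead of
// stripping every occurrence of the string "data:".

// Media types a browser renders as a live document when navigated to (assumed list).
const ACTIVE_TYPES = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Base64 decode that works in browsers (atob) and in Node (Buffer).
function b64decode(b64) {
  return typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("latin1");
}

// Parse "data:[<mediatype>][;base64],<data>"; return null if not a data: URI.
function parseDataUri(uri) {
  const s = String(uri).trim();
  if (!/^data:/i.test(s)) return null;
  const comma = s.indexOf(",");
  if (comma === -1) return null; // malformed: no payload separator
  const params = s.slice(5, comma).split(";").map((p) => p.trim().toLowerCase());
  const isBase64 = params.length > 1 && params[params.length - 1] === "base64";
  const mediaType = params[0] || "text/plain"; // RFC 2397 default
  let text = s.slice(comma + 1);
  try { text = decodeURIComponent(text); } catch (e) { /* keep raw payload */ }
  if (isBase64) {
    try { text = b64decode(text.replace(/\s+/g, "")); } catch (e) { text = ""; }
  }
  return { mediaType, isBase64, text };
}

// Decide whether a link or frame target deserves attention.
function classifyTarget(target) {
  const parsed = parseDataUri(target);
  if (!parsed) return { verdict: "not-data", reasons: [] };
  if (!ACTIVE_TYPES.has(parsed.mediaType)) {
    // e.g. inline images and fonts: the legitimate, common use of data: URIs
    return { verdict: "inert", mediaType: parsed.mediaType, reasons: [] };
  }
  const body = parsed.text.toLowerCase();
  const reasons = [];
  if (/<form[\s>]/.test(body)) reasons.push("form");
  if (/<input[^>]*type\s*=\s*["']?password/.test(body)) reasons.push("password-field");
  if (/<script[\s>]/.test(body)) reasons.push("script");
  return {
    verdict: reasons.length ? "suspicious" : "active",
    mediaType: parsed.mediaType,
    reasons,
  };
}

// Scan quoted href/src attributes and compare with the broad string match.
function auditPage(html) {
  const attr = /\b(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3];
    const result = classifyTarget(value);
    if (result.verdict === "active" || result.verdict === "suspicious") {
      findings.push({ attribute: m[1].toLowerCase(), ...result });
    }
  }
  // What a "(data:|data_uri)" match would have touched on the same page.
  const broadMatches = (html.match(/data:|data_uri/g) || []).length;
  return { broadMatches, findings };
}

// Constructed sample page: prose mentioning the scheme, an inline image,
// the Hello World URI quoted in the thread, a form page, and a normal link.
const SAMPLE_PAGE = [
  "<p>RFC 2397 defines the data: scheme.</p>",
  '<img src="data:image/png;base64,iVBORw0KGgo=">',
  '<a href="data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E">demo</a>',
  '<a href="data:text/html,%3Cform%3E%3Cinput%20type%3Dpassword%3E%3C%2Fform%3E">log in</a>',
  '<a href="https://example.invalid/">ordinary link</a>',
].join("\n");

const report = auditPage(SAMPLE_PAGE);
console.log("broad string matches:", report.broadMatches);
console.log("flagged targets:", JSON.stringify(report.findings, null, 2));
```

On the sample page the broad match touches the prose and the inline image as well as the two links, while the classifier reports only the two navigable HTML documents and marks the one carrying a password form.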

therube
join:2004-11-11
Randallstown, MD

4 edits

therube to Mele20

Member

to Mele20
> I would assume SeaMonkey is also vulnerable

Sure, why not.

Now this phish site, is it hosted on a foreign domain? Does it require Javascript?

Well then.

And in addition to Proxo, what else knows to check for & help protect against data: URI, including blocking, by default, both javascript: & data: URI typed into the address bar?

(I either couldn't get his sample code to work, it simply seemed to bring up a wikiMedia page, or didn't understand what it was supposed to do?)

OK, got it.
It brings up a "phish" site, wikimedia, which was made to look like wikipedia.

Here is the sample code, the same, just a bit easier to get to, »pastebin.com/pdkzuPjJ.

Oh, & do note that data: URI are perfectly legitimate.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD to Mele20

Premium Member

to Mele20
why only Ff and Opera?

Ctrl Alt Del
Premium Member
join:2002-02-18

Ctrl Alt Del

Premium Member

said by AVD:

why only Ff and Opera?

Because IE and Chrome limit the amount of data you can pack into a data URI. Firefox and Opera don't have limits.

Note: this is not an overflow vulnerability. This is a "feature" that is being taken advantage of.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to Mele20

Premium Member

to Mele20
Ctrl Alt Del is right. The discussion about this in a thread over in Opera's security forum, "The Register outs Opera & Firefox", can be summarized:
The data URI scheme has been an official standard since 1998 and is supported by all browsers, at least to some extent. IE and Chrome restrict or block some aspects of its behavior, but other browsers do not. (Data URI scheme) In Opera, the address bar will always show the relevant URI address as a URI (and does not show a badge, as do normal URLs); the link tooltip will show that it's a data URI. Simply restricting the length of data URIs would not accomplish what one might expect, since one could merely create a container for the data URI and load the other elements from external hosts like URL shorteners.
Bottom line: the Register article describes a malicious use of a standard that is supposed to work this way, but if one knows how to use their browser and understands the information it provides, they should not be deceived.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD

Premium Member

said by Blackbird:

the Register article describes a malicious use of a standard that is supposed to work this way, but if one knows how to use their browser and understands the information it provides, they should not be deceived.

PBCAK

therube
join:2004-11-11
Randallstown, MD

therube

Member

Not really.

If you happen to see it, maybe you'd want to be more suspect, but just because there exists a data: URI does not mean that it is nefarious.

Further, if it is embedded in the web page code, you're not going to know it is there in any case, except again, if you happen to note the URI on a mouseover.

And then if it is a "trusted" site that has been hacked, with the code embedded, loaded into an IFRAME or the like ...

It is really no different from any other type of URI, only that one is more readily readable (understandable by you and I) than the other.
therube

therube to Mele20

Member

to Mele20
MSDN: data Protocol
DMO: data URIs
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to Mele20

Premium Member

to Mele20
looking at the webpage that "therube" posted a link to, »developer.mozilla.org/en ··· ata_URIs , i saw the code "data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E".. i tried putting that in my browser's address bar and got what is shown in the image..

it looks like, if you are using "firefox" with the "noscript" addon, you are protected against the "URI" thing..

therube
join:2004-11-11
Randallstown, MD

1 edit

therube

Member

quote:
data: URI typed into the address bar
(Note that in SeaMonkey / NoScript, there is some sort of bug, in that you needn't actually change the specified Pref. All you need to do is to open about:config, & that alone is enough to allow data: URI.)

& NoScript offers [XSS] data: URI detection.

& whatever this is:

+ More flexible noscript.forbidXBL about:config preference:
  0 - allow all XBL
  1 - allow trusted and data: (Fx 3) XBL on any site
  2 - allow trusted and data: (Fx 3) XBL on trusted sites
  3 - allow only trusted XBL on trusted sites
  4 - allow only trusted XBL from the same site or chrome (default)
  5 - allow only chrome XBL
 

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to Mele20

Premium Member

to Mele20
I've always tried to stay away from the shortened url/uri's. To me it always seemed another proxy/server to go through and I'm glad I did.

FF4m3
@bhn.net

FF4m3 to therube

Anon

to therube
said by therube:

& whatever this is:

+ More flexible noscript.forbidXBL about:config preference:

XBL (XML Binding Language)
Floriana
join:2012-05-23

Floriana to Mele20

Member

to Mele20
said by Mele20:

"A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.....the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

That's too bad. Hopefully, I use Google Chrome most. Google Chrome is my default browser. But I still have Firefox and Opera on my PC. Sometimes I use Firefox to visit specific websites. Too bad.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to redwolfe_98

Premium Member

to redwolfe_98
said by redwolfe_98:

looking at the webpage that "therube" posted a link to, »developer.mozilla.org/en ··· ata_URIs , i saw the code "data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E".. i tried putting that in my browser's address bar and got what is shown in the image..

it looks like, if you are using "firefox" with the "noscript" addon, you are protected against the "URI" thing..

I put that in Fx address bar and got a page that said "Hello, World". I don't use No Script.
Mele20

Mele20 to Blackbird

Premium Member

to Blackbird
I see the Opera thread got locked. Why? I wanted to ask the poster who mentioned a "badge" in the address bar about it. What is he talking about? There is no badge in an address bar. Opera does put a stupid star at the right end of the address bar but that is all. BEFORE the address bar (adjacent on the left side) is a lock for secure sites and a strange looking gray ball for all other sites. No more favicons for sites which is one reason I seldom use Opera these days.

But a badge?? Where? He says a "normal" URL shows a badge? I sure can't see a badge just as I can no longer see a favicon for the site. By "badge" does he perchance mean the strange looking gray ball that has replaced all favicons and more or less ruined Opera?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird

Premium Member

said by Mele20:

I see the Opera thread got locked. Why?...

Two reasons: first, the thread title wording did not describe a specific problem within Opera (it probably should have been worded along the lines of "URI exploitation vulnerability in Opera?"). This is a significant mod concern in forums like Opera's where virtually all the problem-solving is done by volunteer users who only want to enter a thread where they feel they have expertise in that area (or are having similar problems). Opera does have "lounge" forums for opinions or general discussion of Opera (or anything else, for that matter). Second, the problem was not deemed by the mod to be an Opera security/privacy problem (as explained in his post near the end of that thread, and the category of the forum in which the thread appeared). Because the URI performance within Opera (and many other browsers) fully meets the 1998 data URI standards, the problem (if any) exists as a standards problem, not a browser problem. That two other browser flavors limit the full implementation of that standard is a choice those designers have made (and not necessarily for the security question at hand). But Opera generally attempts to fully implement all the Internet/coding standards it can, and it probably believes this kind of issue should be addressed by the standards committee involved. Unilaterally choosing not to fully meet standards (even over a security issue) has all manner of implications with regard to breaking legitimate site code.
said by Mele20:

... I wanted to ask the poster who mentioned a "badge" in the address bar about it. What is he talking about? There is no badge in an address bar. ... BEFORE the address bar (adjacent on the left side) is a lock for secure sites and a strange looking gray ball for all other sites. ... But a badge?? Where? He says a "normal" URL shows a badge? I sure can't see a badge just as I can no longer see a favicon for the site. By "badge" does he perchance mean the strange looking gray ball that has replaced all favicons and more or less ruined Opera?

Indeed, the badge is the "gray ball" icon (which is actually a small, blue earth-globe) which appears when the text in the address bar is a legitimately-formatted "http" URL. If the URL is secure (https), a greenish lock icon will appear there. If the URL is something Opera is processing as code (such as a URI), a red Opera icon will appear there. This is what Opera terms a "badge", and it tells the user the nature of the page being displayed on his screen.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 edit

Mele20

Premium Member

That was a good explanation of why the thread was locked and I agree it could have had a better title for the forum that was chosen to post it in or it could have been posted in a more general Opera "opinion" discussion forum.

As to the badge, first off Opera needs to understand that a LOT of us do NOT have the cloud crap turned on and never will. So, I will never see anything "badge" wise except a strange looking ball or a gold or green background for the "badge" on ssl sites along with an "evil" black lock (should be gold if not evil). I do NOT see a warning red Opera icon with a URI and I don't see a dark, blue gray folder when a file from my computer is being displayed. All I see is, to be very precise, a MINT GREEN ball that has three gray dots inside it. My Opera theme is Standard but it correctly defaults to my Windows theme colors so if I change my Windows theme then Opera colors will change and I might see a bright red ball instead of mint green depending on my new Windows theme. My point being that Opera's crap about the colors in the address bar is just that UTTER CRAP. I have five other Opera themes besides standard and they don't use my Windows theme colors. I just tested every one of them and Opera is completely wrong with that color scheme they have in their new, extremely confusing to use, Help file for Opera 12. The colors for the badge change based on the THEME you use. The color of the ball and the background to the ball is dependent on the Theme used and the other badges are not there except the locks which are too small and should not be black as it is hard to tell at a glance if they are closed or open. They should be gold and taller. They are a funny too wide shape in the Opera Help file. On my monitor they are taller and not distorted looking like in the help file but they are too small for black color.

You don't happen to know if Opera has an extension that will add back the gold lock to the right end of the address bar which shows black and unlocked if bad (and to the status bar) do you? I have such an extension for Fx and Sea Monkey and it is a godsend.

The Trusted site junk is crap also. Opera is NOT IE and should not imitate it. I have always hated that crap in IE regarding internet sites, trusted sites, and restricted sites. Utter stupidity. They are all internet sites and I never used Trusted or Restricted when I had to use IE (except when the only way to be able to access a site was to put it in trusted and almost ALL sites were like that...so what a joke "trusted" is in IE). I wouldn't give "trusted" sites more trust than other internet sites...all can be infected and compromised! Opera says the Trusted sites will be in the Trusted list and will show as Trusted sites by the badge next to the URL. BS. I have not put any sites in Trusted. Yet, when I looked at the list something had put Microsoft site into the Trusted list but it is not on the list (only 4 Opera sites are on the list and they should not be). NO site should EVER be trusted for immediate, without warning, downloads. Good heavens, Opera! That is very bad security. Plus, Opera should not be encouraging users to place sites in that list. It is bad security.

Microsoft live login site got invisibly in the Trusted sites list I assume because it is a "verified" site.

Now I am really angered. I just tried to remove those four sites that Opera placed in the Trusted sites. I can't do it. At least not from Preferences/Advanced/Trusted Websites. I want Trusted Websites to be turned OFF PERMANENTLY. Do you happen to know how I can do that? I do not want any website to be allowed to download without my EXPRESS PERMISSION EACH TIME!

Edit: Why the gross inconsistencies in that badge area? Certain Opera sites actually show the Opera favicon there. On other Opera sites there is no round ball or ANYTHING there! The badge area is BLANK. Then there is the related problems of many favicons NOT showing on the tab bar in Opera 12. They are just BLANKS. The only way to navigate is to use the mouse to see the tab thumbnail on hover. Even Dell site no longer has favicons on Opera tabs.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

Premium Member

said by Mele20:

...As to the badge, first off Opera needs to understand that a LOT of us do NOT have the cloud crap turned on and never will. So, I will never see anything "badge" wise except a strange looking ball or a gold or green background for the "badge" on ssl sites along with an "evil" black lock (should be gold if not evil). I do NOT see a warning red Opera icon with a URI and I don't see a dark, blue gray folder when a file from my computer is being displayed. All I see is, to be very precise, a MINT GREEN ball that has three gray dots inside it. My Opera theme is Standard but it correctly defaults to my Windows theme colors so if I change my Windows theme then Opera colors will change and I might see a bright red ball instead of mint green depending on my new Windows theme. ... I have five other Opera themes besides standard and they don't use my Windows theme colors. I just tested every one of them and Opera is completely wrong with that color scheme they have in their new, extremely confusing to use, Help file for Opera 12. The colors for the badge change based on the THEME you use. The color of the ball and the background to the ball is dependent on the Theme used and the other badges are not there except the locks which are too small
...
The Trusted site junk is crap also. ... I wouldn't give "trusted" sites more trust than other internet sites .. I have not put any sites in Trusted. Yet, when I looked at the list something had put Microsoft site into the Trusted list but it is not on the list (only 4 Opera sites are on the list and they should not be). NO site should EVER be trusted for immediate, without warning, downloads.
...
Now I am really angered. I just tried to remove those four sites that Opera placed in the Trusted sites. I can't do it. At least not from Preferences/Advanced/Trusted Websites. I want Trusted Websites to be turned OFF PERMANENTLY. Do you happen to know how I can do that? I do not want any website to be allowed to download without my EXPRESS PERMISSION EACH TIME!

Edit: Why the gross inconsistencies in that badge area? Certain Opera sites actually show the Opera favicon there. On other Opera sites there is no round ball or ANYTHING there! The badge area is BLANK. Then there is the related problems of many favicons NOT showing on the tab bar in Opera 12. They are just BLANKS. The only way to navigate is to use the mouse to see the tab thumbnail on hover. Even Dell site no longer has favicons on Opera tabs.

Hmm. I'm still using 11.52 for a variety of reasons (problems in subsequent versions), and it may be that you've just given me one more. I do know that a lot of users are "less than happy" with the new theme focus vs. skins in Opera... most of the older skins are not very (if at all) compatible with the 12.x Opera versions, and a lot of users are complaining about how Opera uses (or misuses) Windows themes.

I'm doubtful that the cloud is used for anything to do with Opera's initial (left-most) "badges"... in my understanding, that's an internal interpretation being done within Opera. However, the skin/theme elements may indeed have significant impact on the appearance of the badges (or what badge is shown for which internal Opera "call" code).

As far as trusted sites, my 11.52 version has no Microsoft sites showing in it, though it does have some Opera sites present. I believe user-created "trusted sites" are listed in the optrust.dat file located in the user-specific roaming folder for Opera, but the Opera sites (and perhaps your Microsoft sites in your version) seem to be hard-coded somewhere else and aren't shown in that file. With regard to Opera's listing their own "trusted" sites, I believe this is done because of the handshaking necessary in using Opera Unite, version updates, and the various addons/widgets/extensions obtained directly from Opera. I have no clue (at this point) why the Microsoft sites would be listed as "trusted" by Opera in your version, unless it's to eventually support handshaking for Windows updates (or something similar) via Opera at some point.

As far as inconsistencies in Opera's badge area, I'm not seeing the kind of problems that you describe, perhaps because I use a single custom skin (Opera.Fugue 5.1.0) that has consistently worked across all my Opera versions through 11.52. All of Opera's sites show the blue Internet/http site badge on my system, except my OperaMail site (which shows the green https lock, as it should). If I enter the data:text/html,%3Ch1%3EHello%2C%20World!%3C%2Fh1%3E address (from the DMO site therube listed above - data URIs), I get Opera's red half-O symbol, again as it should be. I'm not sure if your issues are related to the 12.x version you're using or something else goofy with your installation.

MeDuZa
join:2003-06-13
Austria

MeDuZa to Mele20

Member

to Mele20
 
As stated before Opera's address bar will always show you the relevant URI.
So does Opera's tooltips if you hover over a link.
The (poor) phishing demo was even recognized by Opera.
All screenshots were taken from Opera 12.02 Final using the default skin.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 edit

Mele20

Premium Member

I had sort of forgotten you were still using 11.52. That means you have not seen the new Opera help file. That's good because it's a mess. Most of the time it won't load when called. First, I get a message that my version of Opera is not found (it's the latest 12.02.1578) so I am presented with a long list of Opera versions to choose from. I click on the current version and get an error message about 80% of the time that says the server has rejected the connection. I try again, same thing. To not be able to reach a help file when you need it is bad and this appears to me as the same situation as Opera forums ...the Opera servers get overloaded easily and I am way off in Hawaii so I get rejected probably more than those who are closer to Opera servers.

Finally, I will be able to connect to Opera Help for version 12 but their new terminology, oh dear, maybe it is just because I am getting old but I think the new names for the help categories are confusing to say the least. Some of their new icons, I can't distinguish what they are (and my eyes are fine ever since I got these premium lens implants after cataract surgery a couple of years ago) and I don't understand the pairing of the icon chosen with that particular help category. Some make sense (like the clock for History) but many do not to me. The Index list is easier to use but it has nothing under "B" for "Badge" or "S" for Security Badge. The relevant page is »help.opera.com/Windows/1 ··· ion.html.

The cloud I was referring to is the Opera site that is contacted if you turn on phishing protection. Many antivirus programs do the same thing and I always turn that off as the blocking is based on user reports. The badge area shows red and a particular favicon/icon if the site is reported as a phishing site. But if I turned it on, I have doubts it would show properly since my Opera themes (Standard or other themes) are causing all sorts of problems with that badge area.

As for Opera Trusted sites, if I cannot get rid of the four Opera sites then Opera has become the worst of the browsers out there. It was always the most configurable so I am stunned that because of some handshake I have to allow Opera to download and install extensions without my express permission? That is outrageous. I recall now that I quit going to Opera extensions site partly because I noticed in an earlier version (some 11 flavor) that the extensions just download without warning. Opera Help file Trusted Website List for version 12 states: "You can also edit or delete sites in the list." So, I should be able to delete the four Opera sites in the list.

Microsoft accounts login website is not listed under Opera Trusted sites but Opera help file for version 12 states that because it uses extended validation and, thus, is a "verified" site that means it is part of Opera's trusted sites even though not listed as such. So, that means all extended validation sites are put by Opera under its Trusted Sites but not visibly listed there which makes little sense. If the sites are trusted then they should be listed as such. Plus, I interpret this to mean that Microsoft extended validation site (or any extended validation site) could download and install something without warning and without my express permission. That is a NO-NO!

EDIT: How did my reply to Blackbird end up as a reply to myself?

EDIT 2: How come when I went to User Preferences and checked the box for favicons to show inside the address bar they do not show?
Mele20

Mele20 to MeDuZa

Premium Member

to MeDuZa
I am using the default SKIN for Opera and I don't see anything like what you have shown. But I am NOT using an Opera "persona" which is what Opera 12 calls a "THEME" and if I click on "Find More Themes" on Opera 12, I get taken, not to Opera Skins, but to those new Opera "Personas". Plus, I have next to "Color" on Appearance "Use System Colors" chosen. I don't think that works with "THEMES/PERSONAS". It only works with Opera SKINS which is what I am using. But Opera 12 claims that my chosen SKIN is now somehow my chosen THEME. They are not the same at all and Opera 12 has made a complete MESS of the difference between SKINS and THEMES. An unforgivable MESS and Opera didn't even bother to warn us upgraders that this MESS would occur if we upgraded from 11x. Bad Opera, bad...really bad as this MESS I now believe is why the Badge area doesn't work right on Opera 12 for me.

Had I been told by Opera that I could not use my SKINS with Opera 12, I would not have upgraded. I like Fx Personas and I use them as well as my favorite Fx theme, but I don't like the Opera "personas" and I want to use the Standard SKIN instead or my other skins. Opera should have warned me before I upgraded that there would be a MESS if I used the default Opera SKIN in version 12. Why is it even there since, evidently, you cannot use the default SKIN in Opera 12? And why was it renamed to THEME when it is NOT a theme but a skin?

Opera's address bar is f**ked up in version 12 not only in the area of the "Badge" but generally f**ked up. It does NOT show me a URI but it does show me six million TOTALLY IRRELEVANT drop down guesses as to what I want when I type a few letters in the address bar. It is WORSE than what Firefox did when it first got the "awesome" bar. In version 12, Opera's address bar is rather worthless AND TOTALLY MESSED UP FOR MANY REASONS.

I should have done what Blackbird has been wise enough to do and not upgraded to version 12. I do have 11.00 and 11.50 as separate installations. I guess I should use one of those. Or I also have my favorite Opera version as another separate installation...that is version 10.0. But it doesn't have Unite which I like, otherwise, version 10.0 is the best of recent Opera versions.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to therube

Premium Member

to therube
said by therube:

OK, got it.
It brings up a "phish" site, wikimedia, which was made to look like wikipedia.

Here is the sample code, the same, just a bit easier to get to, »pastebin.com/pdkzuPjJ.

Oh, & do note that data: URI are perfectly legitimate.

Is this correct?

I only used a portion of that link and got this image?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to Mele20

Premium Member

to Mele20
said by Mele20:

... Had I been told by Opera that I could not use my SKINS with Opera 12, I would not have upgraded. I like Fx Personas and I use them as well as my favorite Fx theme, but I don't like the Opera "personas" and I want to use the Standard SKIN instead or my other skins. Opera should have warned me before I upgraded that there would be a MESS if I used the default Opera SKIN in version 12. ...

Opera's address bar is f**ked up in version 12 not only in the area of the "Badge" but generally f**ked up. ...

I should have done what Blackbird has been wise enough to do and not upgraded to version 12. I do have 11.00 and 11.50 as separate installations. I guess I should use one of those. Or I also have my favorite Opera version as another separate installation...that is version 10.0. But it doesn't have Unite which I like, otherwise, version 10.0 is the best of recent Opera versions.

Since I make heavy use of my browser, and since I like the configurability of Opera (plus certain other aspects about it), I try to keep current with what's going on during the development phase of new Opera versions via their development blog and its user comments. In the course of monitoring that, as well as from checking out the change-logs of new alpha/beta versions as they emerge, one gets a pretty good sense of the design changes and problem areas being encountered by testers well before a version becomes final. Opera's design has been changing in two areas since 11.xx: major re-design of internal engines and the addition of major new "features"... but both categories of change have come with costs attached. From my observation, the two areas most negatively impacted for many users are stability and usability, though the details and specific kinds of impact are too numerous to go into here. What you describe regarding themes and badges, especially with information that appears in the address bar area, fall into the usability class of problems.

In my case, Opera version instability and hardware performance problems began hitting critical mass around the 11.6x version, so I've elected to stay with 11.52 as my "default" browser (which works completely fine on my systems), though I realize there are several security vulnerabilities associated with that old a version. I attempt to mitigate those by keeping the browser and system heavily locked down, and through other security layers. With the version 12.xx family, Opera problems seem to have multiplied greatly for many users, probably because of the cumulative side-effects of the changes being made combined with growing difficulty in debugging the complex interaction issues that get raised by all the new features and internal architectural changes. The net effect is that I'm choosing to stay on the sidelines with new Opera final versions until evidence accumulates in their problem-solving forums that show a final version that is solidly stable and once again highly usable (and 12.02 is not it). If that point isn't reached before I run out of patience with 11.52's growing security issues, there are certainly other browsers available, though I dislike making "default" use of any of the ones I've tried, since they all seem so limited in their configurability.

MeDuZa
join:2003-06-13
Austria

MeDuZa to Mele20

Member

to Mele20
said by Mele20:

I am using the default SKIN for Opera and I don't see anything like what you have shown.

Can you make a screenshot of what you are seeing? Just curious.
BTW, norwegian's screenshot above looks like mine.
said by Mele20:

Opera 12 has made a complete MESS of the difference between SKINS and THEMES.

Opera 12: SKIN = THEME
said by Mele20:

Bad Opera, bad...really bad as this MESS I now believe is why the Badge area doesn't work right on Opera 12 for me.

It isn't unusual that after a major update some old browser skins or extensions aren't functional anymore since some code has changed. However, you should be able to check by reverting to the default skin/THEME (Appearance\Themes).
said by Mele20:

Opera's address bar is f**ked up in version 12 not only in the area of the "Badge" but generally f**ked up. It does NOT show me a URI but it does show me six million TOTALLY IRRELEVANT drop down guesses as to what I want when I type a few letters in the address bar.

You can disable:
- search suggestions - Preferences\Search\Enable search suggestions in the address field
- Auto Dropdown
- Autocomplete. Be aware that this will disable Wand as well.
said by Mele20:

In version 12, Opera's address bar is rather worthless AND TOTALLY MESSED UP FOR MANY REASONS.

I've been using Opera since version 6 and all I can tell is that the functionality of the address bar didn't change for the worse since. IMO at least. The defaults for the address bar have changed (some sort of Google like idiot proof) but you still can configure the address bar to be as informative as it always was.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Blackbird

Premium Member

to Blackbird
So do I read in all this thread that Opera is vulnerable to this because it adheres to the web standards.. but don't worry cause a little red thing will popup and put you on your guard and then yet the article states .."Google’s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs"...and that is why they are not vulnerable ?

MeDuZa
join:2003-06-13
Austria

1 recommendation

MeDuZa to Mele20

Member

to Mele20
To sum it up, there are three different approaches for data URIs.

- The idiot proof approach. Block data URIs no matter if malicious or not.
- Limit the volume of data that can be packed into URIs. This method looks fine but can be easily circumvented.
- Let the user decide how to handle such a site. In case of a phishing site, if the user is stupid enough to hand over passwords and other sensitive information to a data URI page then he/she might be in big trouble.

Last but not least, since data URIs are very easy to discern there are more promising methods for phishers.

FF4m3
@bhn.net

FF4m3 to Mele20

Anon

to Mele20
Here's a possible solution for Firefox w/ ABP users:

In about:config access extensions.adblockplus.whitelistschemes.

Under 'values' remove data, thus deleting the term from the ABP default whitelist & resulting in ABP blocking it.

That's it.

Feedback would be appreciated.