This page is intended to provide security and privacy recommendations to those of us who intend to keep using Opera 12 (or older) as long as we can. (For example, it is the best modern browser for computers with 512 MB of RAM or less and/or with a single-core processor. It also does not require SSE2!)
It might be a bit late to publish this now, but Opera 12.18 for Windows was released on and this encouraged me to finally do it.
Opera is not vulnerable to the Spectre attack! It does not support the APIs needed for it (performance.now and SharedArrayBuffer).
Getting the latest version
Windows (32-bit and 64-bit x86):
XP and later:12.18 (also works with ReactOS as of version 0.4.0 and probably with Wine too)
OpenBSD (i386): OpenBSD 5.7 is the last version whose ports tree includes Opera 12.16. If you upgrade to OpenBSD 5.8 or 5.9, it will continue to work. You should also be able to install it by putting its port directory into /usr/ports/www and executing "make" (sorry, Opera's EULA forbids me from sharing the generated package). OpenBSD 6.0 removed Linux emulation, so 5.9 is the last version Opera will run on.
FreeBSD (i386 and amd64):12.16 (may also be installed with pkg). For whatever reason, it is less stable on FreeBSD 12.0 than on FreeBSD 11.x.
NetBSD (i386 and amd64): 12.16 (Linux version in the ports tree)
I think version 12.16 is still secure enough on non-Windows operating systems if you follow the recommendations on this page, though some sites have mandatorily started using encryption protocols that it does not support, which is somewhat annoying (although I think this is also due to a bug in Opera, which I have yet to investigate). If you have enough computing power, you may want to run 12.18 for Windows in a virtual machine or with Wine (see above).
Opera now checks signature before installing the executable file (probably intended for automatic updates; not important)
Updates to OpenSSL versions (a welcome improvement)
The changes from 12.17 to 12.18 (for which there is no formal changelog) add support for new encryption protocols, remove support for some old ones, enable TLS 1.2 by default (which had to be done manually before), and fix a security vulnerability in M2 (the mail client) which was only present on Windows. I have also noticed it is faster at connecting to secure (HTTPS) sites.
Opera is compatible with EMET. EMET already includes a protection profile for Opera; you only need to import Popular Software.xml.
Note: these instructions primarily apply to versions 12.00 and later. Older versions may not have all the settings mentioned below.
Open the Preferences window. If your menu bar is set to be shown, choose "Preferences…" from the Tools menu, otherwise choose "Settings" and then "Preferences…" from the Opera menu.
On the "General" tab
"Pop-ups": set to "Block unwanted pop-ups". This is the default, but make sure anyway.
To make it harder for Web sites to uniquely identify you, you may choose to not let them know what your preferred languages are. Click "Details…" and remove all entries from the list titled "Preferred languages for webpages".
On the "Search" tab
Note: on certain older versions, these settings are on the "Advanced" tab in the "Content" section.
"Enable search suggestions in the address field": you may want to uncheck it. This feature works by sending search engines your search phrase before you actually decide to search. If you type a query and only then decide to change the query or search engine, you may accidentally leak information.
If possible, don't use Google, Bing, Yahoo!, etc. Use a search engine that doesn't log your searches (or at least claims not to), for example DuckDuckGo (which can also do searches with other search engines without telling them who you are).
Make sure that your search queries are submitted securely: for each search engine, click "Edit…", then "Details", and look at the address. Many sites and search engines now support HTTPS, which you can enable simply by making sure that the address starts with "https" instead of "http". These include: Amazon, Bing, eBay, Google, Stack Overflow (and other Stack Exchange sites), Yandex, YouTube, Wikipedia (and other Wikimedia sites).
On the "Advanced" tab
In the "Content" section
"Enable plug-ins": uncheck it and enable it only when you really need to, or use another browser (tip: you can watch YouTube in VLC or use YouTube-DL, which also works with other video sharing sites).
Click "Blocked Content…" and then:
(You may prefer to copy these filters directly to your urlfilter.ini file in your profile directory, but quit Opera first.)
Add the following entries to block most ads (warning: this may break some sites):
Add the following to prevent Google from tracking you (warning: this may break some or all Google services that you may or may not use):
Add the following to prevent Facebook from tracking you (if you have to use Facebook, I suggest you use another browser):
Alternatively, you may wish to use Dan Pollock's hosts file to block even more domains (though some operating systems have difficulties with a hosts file of that size). This will affect all programs. Another option is to use Privoxy (this takes some more system resources - you may want to run it on a separate computer).
In the "Cookies" section
Choose "Never accept cookies" and enable them only for sites that really need them (see below).
In the "Security" section
"Ask websites not to track me": decide for yourself. This does not force sites not to track you, but it probably can't hurt to ask.
"Enable Fraud and Malware Protection": uncheck it. This feature works by asking Opera's servers whether the site you are visiting is malicious, which means they know about every site you visit.
Click the "Security Protocols…" button. This is probably the most important part of this page!
"Enable SSL 3": make sure it is not checked.
"Enable TLS 1": make sure it is not checked (except if 1.1 is not available).
"Enable TLS 1.1": make sure it is not checked (except if 1.2 is not available).
"Enable TLS 1.2": make sure it is checked if available (it should already be on 12.18).
Now we are going to disable obsolete ciphers. We will use two services to tell us which ones to disable. The first is "How's My SSL?". At minimum, you should follow that one. The second is the Qualys SSL Client Test, which is stricter and recommends disabling even more ciphers, however that may break certain sites on Opera versions older than 12.18.
For Opera 12.18, click "Details" and make sure at least the following ciphers are unchecked:
"168 bit 3-DES (RSA/SHA)"
"256 bit AES (RSA/SHA)"
"128 bit AES (RSA/SHA)"
"128 bit AES GCM (RSA/SHA-256)"
For maximum security on 12.18, uncheck all except:
"128 bit AES GCM (DHE_RSA/SHA-256)"
"128 bit AES GCM (ECDHE_RSA/SHA-256)"
"128 bit AES GCM (ECDHE_ECDSA/SHA-256)" (the last one)
Note: the cipher list also includes some ciphers using ARC4, which is obsolete. However, those ciphers will not actually be used unless "Enable RC4 support" in opera:config is checked. It is unchecked by default and you should leave it that way. Therefore, you do not actually have to disable those ciphers as long as that option is checked.
For Opera 12.17 and earlier, click "Details" and make sure at least the following ciphers are unchecked:
"0 bit Authentication Only (RSA/SHA)" (off by default)
"0 bit Authentication Only (RSA/SHA-256)" (off by default)
"168 bit 3-DES (Anonymous DH/SHA)" (off by default)
"128 bit AES (Anonymous DH/SHA-256)" (off by default)
"256 bit AES (Anonymous DH/SHA-256)" (off by default)
"168 bit 3-DES (RSA/SHA)"
"168 bit 3-DES (DH_RSA/SHA)"
"168 bit 3-DES (DHE_RSA/SHA)"
"168 bit 3-DES (DH_DSS/SHA)"
"168 bit 3-DES (DHE_DSS/SHA)"
"128 bit ARC4 (RSA/MD5)"
"128 bit ARC4 (RSA/SHA)"
"128 bit AES (RSA/SHA-256)"
"256 bit AES (RSA/SHA)"
"256 bit AES (RSA/SHA-256)"
Any others with less than 128 bits or that apply to SSL 2 (if available)
For maximum security on 12.17 and earlier, uncheck all except:
"128 bit AES (DHE_RSA/SHA)"
"128 bit AES (DHE_RSA/SHA-256)"
"256 bit AES (DHE_RSA/SHA)"
"256 bit AES (DHE_RSA/SHA-256)"
The four ciphers above are those which provide forward secrecy (reference). However, you may need to enable some others for certain sites, even though they are "weak":
For DuckDuckGo: "256 bit AES (RSA/SHA-256)"
For Reddit: "256 bit AES (RSA/SHA)"
Verify your security protocol settings by visiting those two services again. "How's My SSL?" should say "Probably Okay" for Opera 12. If it says "Bad", you did something wrong (try again) or my recommendations are out of date (in that case, contact me). The Qualys SSL Client Test is a stricter test and will, as of January 2020, mark all ciphers in 12.17 and earlier as "weak". However, the ones I recommend disabling above were already considered "weak" much before that.
"Auto-update": set to "Do not check for updates". You do not want to accidentally "upgrade" to Chrome Opera 35 (or whatever ridiculously high-numbered version they are offering by the time you're reading this). It is also rumored that the automatic update check disables TLS 1.1 and TLS 1.2, which is very bad. (Alternatively, choose "Notify me about available updates" to let Opera (the company) know you still use the real Opera.)
In the "Network" section
"Send referrer information": uncheck it. This lets sites know what site you came from. Some sites don't work without it, so enable it for them only when necessary (see below).
In the "Storage" section
Periodically clear persistent storage by clicking "Clear All". Checking "Delete persistent storage" in the "Delete Private Data" window does not clear it; this is a bug.
On the "Network" section, you may want to disable "DNS Prefetching". Normally, when you point your mouse at a hyperlink, Opera gets the server's address even if you don't click on it, which speeds up page loading if you do.
On the "User Prefs" section, you may want to set Custom User-Agent to something that won't identify you as an Opera user (important for privacy), or will at least mask you as a Windows user if you are using Opera on some other operating system. Some examples:
Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.18 (Opera 12.18 on Windows XP)
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko (Internet Explorer 11 on 64-bit Windows 7)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0 (Firefox 73 on 64-bit Windows 10; note that Firefox version numbers inflate quickly, so you will have to update it often to mask well)
Windows NT versions are 5.1 for XP, 6.0 for Vista, 6.1 for 7, 6.2 for 8, 10.0 for 10.
For cookies, I recommend you choose "Accept cookies only from the site I visit" to block cookies from third-party sites (such as advertisers) whose content may be embedded in the page.
You can see the list of all the sites you have set specific preferences for (and delete them) by opening the Preferences window (see above) and clicking "Manage Site Preferences…" on the "Content" section of the "Advanced" tab.
To only temporarily enable something for a site without permanently adding it to the list of exceptions, use the "Quick Preferences" menu, which you can open from the Tools menu or by pressing F12. Make sure to revert those preferences when you're done, because they will affect all pages loaded from that point on until you do.
Make sure your communications with mail servers are encrypted. From the "Tools" menu, choose "Mail and Chat Accounts…". Inspect the properties for each mail account and make sure that on the "Servers" tab, "Secure connection (TLS)" is checked. The port numbers depend on your mail provider; refer to their documentation for information.
Note: this only ensures a secure connection between you and your mail servers. Encrypting the messages themselves is outside the scope of this page.
You may want to use Stunnel to get better encryption than what Opera can provide.
Make sure you get feeds through HTTPS. From the "Feeds" menu, choose "Manage Feeds…". For each feed, choose "Edit…" and make sure the address starts with "https".
Make sure your communications with IRC servers are encrypted. From the "Tools" menu, choose "Mail and Chat Accounts…". Inspect the properties for each IRC account and make sure that on the "Servers" tab, "Secure connection (TLS)" is checked. However, this alone does not guarantee a secure connection; you have to use the correct port number, which depends on the server (look for TLS or SSL):
You may want to use Stunnel to get better encryption than what Opera can provide.
Dragonfly tracks usage by default. You can turn that off by clicking the Settings icon and unchecking "Track usage".
You can also compile and use it locally (by default it is downloaded from Opera's servers), though this by itself doesn't disable usage tracking.
If you don't use Dragonfly or don't know what it is, you don't need to do this.
If for any reason the majority of the Web becomes incompatible with Opera (highly unlikely unless HTTP, HTML, and TLS as we know them today get replaced by something completely different), we will have no choice but to switch (or maybe just use a proxy).
Vivaldi, a browser by ex-Opera employees (does not support Windows XP anymore, probably requires SSE2)