SECURITY CONCERN - Opera fraud check requests

stealth789

stealth789 last edited by

Hi,

I've been using Opera from a long time ago. I was used to secure browser, so I didn't need to concern much about doing something behind my back, or do something insecure, without asking me first. But now by using new versions based on Chromium project, something has changed. Not only rendering engine, core or whatsoever. But I'm starting to have feeling, that also whole concept of dealing with security is starting to break down.

I discover some times back, that Opera is sending request to site "sitecheck2.opera.com". It's so called Fraud check for current opening site. So basically any site I visit, can be logged to opera servers!!! So basically browser send request to this page with link you're opening in parameter. This is example of request:

GET /?host=www.opera.com&hdn= HTTP/1.1
Host: sitecheck2.opera.com

From this opera can track your browsing. And this request are HTTP. At lest you should use HTTPS, while sending links in parameters. Also use safer POST requests.

So please, stop doing things I didn't enabled!!! And add option to disable this Fraud check requests, with default to DISABLED!

And sure. You can argue, that this is just little thing. And even, that these requests are secure. But what concerns me, is that you are making decisions on your own! And this is really not something that I'd like!!! And from this point, any software, that does something behind my back is dangerous. Because now it's just small requests. You can even say for my security (the hell it's not !!!). But from my point it means, that one day, there could be much worse things to concerns about. And I don't need for everyday use product, to use network analysing tools to see what product is doing, and then use firewall to disable it. This is the way product is burden for me, not something to make my life easier.

So take this as warning, that this is wrong way. For now I disabled this in my firewall. But you're really starting to lose points, while doing these kind of decisions :(.

Best regards,
Long time Opera user, but really not happy one with changes I can see lately :(...

lem729

lem729 last edited by

Try an OPera extension, designed to protect privacy, like:

Disconnect https://addons.opera.com/en/extensions/details/disconnect/?display=en

Disconnect Search https://addons.opera.com/en/extensions/details/disconnect-search/?display=en

Do Not Track Me https://addons.opera.com/en/extensions/details/donottrackme-online-privacy-protection/?display=en

Zen Mate for Opera https://addons.opera.com/en/extensions/details/zenmate-for-operatm/?display=en

Ghostery https://addons.opera.com/en/extensions/details/ghostery/?display=en

samkook

samkook last edited by

Those will only block things from webpage(maybe some of them can at best hide that it's you that made the request), not what the browser does internally.

It's pretty disturbing to hear it calls back home for every website you visit. At this rate, I'm beginning to wonder if I should keep it installed at all even if I only use it very lightly for testing.

lem729

lem729 last edited by

How about Settings (Alt P), Privacy and Security, and put a check in: "Send a ‘Do Not Track’ request with your browsing traffic." Doesn't that help?

christoph142

christoph142 last edited by

add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)
But what concerns me, is that you are making decisions on your own!
No way! A company that decides how to design their product without you having the last word?
Didn't even think something that obscure could ever happen.
any software, that does something behind my back is dangerous.
No. Every software does a lot that you can't see. If you want to stop using software that does something that you can't see, than simply press that button with the circle and this little line at its 12 o'clock position in it.

lem729

lem729 last edited by

add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)>

Https? and post? Not sure what that means, or why it wouldn't hurt. Is there a setting to change addresses to https?

I think people want to understand the reason for the fraud check on every use of the browser (new address)?

Is it typical of browsers in general? -- such a check?

If it's new to Opera Blink, then why is it being done?

Does the user have any options to protect their privacy, besides not using the browser? (Apparently the extensions I cited do not address the issue -- provide the protection)

samkook

samkook last edited by

https has to be set on the server side and is a secure version of the standard http, it help prevent people from intercepting the data from you to the destination server.

Fraud check is a good thing to have enabled by default since it helps making sure the website you're visiting won't screw you over, but it comes at the price of less privacy and slower browsing which some people aren't comfortable with.

Personally, I don't find this useful since I'm careful with the site I visit and there's already ssl verified certificates to protect me on the important sites so having my browsing slowed down by checking on an extra server and waiting for an answer before displaying it as safe(well, it's my assumption of how it would logically work, it might be different) and wasting bandwidth in the process is not something I want.

I know Win8 does this for every software you install(it can be disabled though), but I'm not sure if other browsers have such an option.

As for an option to protect their privacy, the only way I can think of besides not using the browser would be to block the access to opera sitecheck server, but that might have undesirable consequences like webpage not loading or taking much longer.

lem729

lem729 last edited by

Https has to be set on the server side? Do you mean it's something your internet provider would have to do?

If Opera blink is the only one doing this, is it a plus or minus -- the protection versus the loss of privacy? There are extensions that can supposedly check for the safety of sites. Of course, if you go that route, you're giving your data (requested site) to the one who runs that extension. I would think, though, that this Opera feature ought to be an option, that people can turn off if they don't want it.

Now if none of the other browsers do this, and Opera Blink does (maybe the others do?), then it's a feature differential -- forced (lol) tracking protection
I've just seen where IE 11 has a Safety feature (under safety tab), "turn on tracking protection.". So they provide a perhaps similar feature, but let the user turn it off. That's a more user-friendly feature.

sgunhouse

sgunhouse Moderator Volunteer last edited by

I tend to disable fraud protection anyway - I don't click unknown links, and at times the delay can be too long. Opera corporation itself doesn't record sitecheck information, but that doesn't mean a "man in the middle" - including someone at your ISP - couldn't record that. Though obviously your ISP would already know, so maybe that's redundant.(They have to route traffic between your computer/device and the destination, so of course they know where you are requesting pages from.)

lem729

lem729 last edited by

But sgunhouse, unlike the IE feature, where you can turn on or off the tracking protection (and Chrome's "Enable Phishing and Malware Protection") with Opera there is no option to disable it. I thought those third party extensions I cited in this thread were giving some of that tracking protection, but now I'm a bit confused on this. It sounds like they deal with a different matter entirely, not the browser's communication with Opera.

samkook

samkook last edited by

The website makers are the one who decide if their website use a secure connection(slower) or not, nothing to do with the ISP.

Depending on which side you're on, it's either a plus or a minus, but with an option to disable it, then it magically becomes a plus pretty much no matter where you stand(some people will still complain if it's the default setting or not though).

@sgunhouse Are you saying there's an option to disable it in the new opera?

And it doesn't matter if they record it or not, it's the fact that they could that matters and the less people that can, the better.

@lem729 The extensions can prevent/lessen the ability of the websites themselves from tracking you, but this is an internal opera thing which the extensions don't have any control over so the browser itself can track you no matter what.

sgunhouse

sgunhouse Moderator Volunteer last edited by

Are you saying there's an option to disable it in the new opera?
And it doesn't matter if they record it or not, it's the fact that they could that matters and the less people that can, the better.

I thought there was such an option, but I don't see it now.

Laws in Norway are such that they can't record personal information without permission, and then only for a specific stated purpose - as soon as that purpose has been accomplished they must destroy the recorded information. (They have sent me Christmas presents for helping in the forum, every year they have to ask me for my address again. So I asked them why ...)

lem729

lem729 last edited by

That's good to hear.

Here's something I found on Opera and privacy.

http://www.opera.com/privacy

And thank you, @Sgunhouse, for your years of being a moderator, and putting up with us sometimes impossible users. It seems like only yesterday, you were explaining to me how to put a widget in a sidepanel. Those were the days.

samkook

samkook last edited by

Those privacy policies are still talking about my opera which doesn't exist anymore so it doesn't inspire much confidence.

You can put all the policies you want and it might be illegal, but people with bad intention can be anywhere and if one of such people happens to have access to your information, they can do as they wish with it, even if the company or the law doesn't agree.

I know it's an unlikely scenario, but some people might not want to have such a risk imposed on them.

Still, it's good to know the company takes privacy that seriously even when it doesn't seem like it with some of the features they force upon us.

And I also thank you @Sgunhouse, you've helped me quite a few times over the years, especially to not give up on this forum even though it drives me crazy most of the time.

stealth789

stealth789 last edited by

Try an OPera extension, designed to protect privacy, like:
Disconnect https://addons.opera.com/en/extensions/details/disconnect/?display=en
Disconnect Search https://addons.opera.com/en/extensions/details/disconnect-search/?display=en
Do Not Track Me https://addons.opera.com/en/extensions/details/donottrackme-online-privacy-protection/?display=en
Zen Mate for Opera https://addons.opera.com/en/extensions/details/zenmate-for-operatm/?display=en
Ghostery https://addons.opera.com/en/extensions/details/ghostery/?display=en

This extensions won't override core application requests. But FYI I use Adblock Plus and HTTPS Everywhere. Plus good Firewall and Antivirus is enougt for me. Still waiting for some extension like NoScript for Firefox.

stealth789

stealth789 last edited by

How about Settings (Alt P), Privacy and Security, and put a check in: "Send a ‘Do Not Track’ request with your browsing traffic." Doesn't that help?

It won't stop Fraud check. And this set only header of my requests. Basically any site can ignore this. It's good to use this, but id doesn't mean, that site won't track. It's decision of site implementation to read this parameter and decide what to do with it. And for sure even ignore it at all.

samkook

samkook last edited by

Still waiting for some extension like NoScript for Firefox.

There was scriptweeder(which I like much more than noscript) for the old opera, but it doesn't look like it has been ported to 15+ and it wouldn't help with this problem at all, nothing would short of a feature to disable it or a firewall.

Not sure how https anywhere can even work if the server doesn't accept https connections.

stealth789

stealth789 last edited by

add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)

In Opera till 12x there was option to disable Fraud Check. Also other browsers doesn't use this kind of "extended" protection. Any functionality like this should be in options. If it's not, there reason for it. And if developers intensions are honest, there's no need to disable this specific setting.

But what concerns me, is that you are making decisions on your own!
No way! A company that decides how to design their product without you having the last word?
Didn't even think something that obscure could ever happen.

And sure company can do decision on their own. But then I do mine. And if product is stated that does something, but it does also something I didn't approve, it's incorrect. Because if you approve this, even viruses are just fine. The question is, if I know, that some software does something that I don't like, if I'll use it anymore.

any software, that does something behind my back is dangerous.
No. Every software does a lot that you can't see. If you want to stop using software that does something that you can't see, than simply press that button with the circle and this little line at its 12 o'clock position in it.

And sure a lot of software does a lot of things I can't see. But some parts of it can be controlled (Firewall, HIPS, ...). And yes, id i see that software does something strange, I start restricting, even for sandboxing level. Or just stop using it.

stealth789

stealth789 last edited by

add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)>

Https? and post? Not sure what that means, or why it wouldn't hurt. Is there a setting to change addresses to https?

Just technical details. I mean to user sercure SSL request over HTTP request. And even user POST request rather than GET.

I think people want to understand the reason for the fraud check on every use of the browser (new address)?

Yes it sends request for every address. Then got back time for how ling this site is valid. So again after this expiration request to same site is send. Some kind of cache.

Is it typical of browsers in general? -- such a check?

No it's not. But also Chrome (I don't mean Chromium!) use some call home and other stupid stuff. That's for me the reason not to use such product.

If it's new to Opera Blink, then why is it being done?

It was also in Presto Opera. Just with option to disable it.

Does the user have any options to protect their privacy, besides not using the browser? (Apparently the extensions I cited do not address the issue -- provide the protection)

stealth789

stealth789 last edited by

Still waiting for some extension like NoScript for Firefox.

There was scriptweeder(which I like much more than noscript) for the old opera, but it doesn't look like it has been ported to 15+ and it wouldn't help with this problem at all, nothing would short of a feature to disable it or a firewall.
Not sure how https anywhere can even work if the server doesn't accept https connections.

HTTPS anywhere sure won't work if server doesn't accept SSL. But it change requests from HTTP to HTTPS for known sites.