Opera data exposure through search engine behavior
-
nobody2 last edited by
All,
After spending a couple hours with the latest version of Opera, reading posts, not finding any answers, seeing numerous posts on this topic…. The issue is when a user (coming from one of the various mainstream browsers) tries to enter an FQDN into Omnibox and the result is a device or namespace being sent to a 3rd party. In today’s environments where concerns around security are on the rise, this can be considered a form of data exfiltration. eg: exposing sensitive namespace(s), device names, etc. to a 3rd party, in addition could be in violation of a security policy.
Unfortunately, there does not seem to be any configuration option to protect against this behavior. At least in Chrome (which Opera appears to share roots for Omnibox), you can specify a new search engine and make it the default: URL being “http://127.0.0.1/%s” which simply causes the request to fail. Opera prevents creation of a new search being configured as the default, thus removing any possibility of protecting against this condition. Furthermore, Chrome and many browsers remember visited sites and it's faster to start typing the FQDN and then hit <enter> on the first entry (as you've entered enough data for the entry to match) vs. scanning through bookmarks (time savings).
Unless there’s a solution that isn’t clearly documented, the only option appears to be using one of the default search engines and blackhole’ing the entire namespace in one’s DNS servers. eg: create a zone (www.bing.com as example) and make bing the default search engine. This at least prevents Opera’s behavior of trying to submit data to a 3rd party. It’s a crude workaround, but protects against this behavior.
If there’s a configuration option somewhere to protect against this behavior, would like to know.
Thanks!
-
