SECURITY CONCERN - Opera fraud check requests
-
stealth789 last edited by
add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)In Opera till 12x there was option to disable Fraud Check. Also other browsers doesn't use this kind of "extended" protection. Any functionality like this should be in options. If it's not, there reason for it. And if developers intensions are honest, there's no need to disable this specific setting.
But what concerns me, is that you are making decisions on your own!
No way! A company that decides how to design their product without you having the last word?
Didn't even think something that obscure could ever happen.And sure company can do decision on their own. But then I do mine. And if product is stated that does something, but it does also something I didn't approve, it's incorrect. Because if you approve this, even viruses are just fine. The question is, if I know, that some software does something that I don't like, if I'll use it anymore.
any software, that does something behind my back is dangerous.
No. Every software does a lot that you can't see. If you want to stop using software that does something that you can't see, than simply press that button with the circle and this little line at its 12 o'clock position in it.And sure a lot of software does a lot of things I can't see. But some parts of it can be controlled (Firewall, HIPS, ...). And yes, id i see that software does something strange, I start restricting, even for sandboxing level. Or just stop using it.
-
stealth789 last edited by
add option to disable this Fraud check requests, with default to DISABLED!
Luckily, that's never going to happen. This is a basic protection and won't get disabled.
(Using https & post wouldn't hurt though)>Https? and post? Not sure what that means, or why it wouldn't hurt. Is there a setting to change addresses to https?
Just technical details. I mean to user sercure SSL request over HTTP request. And even user POST request rather than GET.
I think people want to understand the reason for the fraud check on every use of the browser (new address)?
Yes it sends request for every address. Then got back time for how ling this site is valid. So again after this expiration request to same site is send. Some kind of cache.
Is it typical of browsers in general? -- such a check?
No it's not. But also Chrome (I don't mean Chromium!) use some call home and other stupid stuff. That's for me the reason not to use such product.
If it's new to Opera Blink, then why is it being done?
It was also in Presto Opera. Just with option to disable it.
Does the user have any options to protect their privacy, besides not using the browser? (Apparently the extensions I cited do not address the issue -- provide the protection)
-
stealth789 last edited by
Still waiting for some extension like NoScript for Firefox.
There was scriptweeder(which I like much more than noscript) for the old opera, but it doesn't look like it has been ported to 15+ and it wouldn't help with this problem at all, nothing would short of a feature to disable it or a firewall.
Not sure how https anywhere can even work if the server doesn't accept https connections.HTTPS anywhere sure won't work if server doesn't accept SSL. But it change requests from HTTP to HTTPS for known sites.
-
stealth789 last edited by
I tend to disable fraud protection anyway - I don't click unknown links, and at times the delay can be too long. Opera corporation itself doesn't record sitecheck information, but that doesn't mean a "man in the middle" - including someone at your ISP - couldn't record that. Though obviously your ISP would already know, so maybe that's redundant.(They have to route traffic between your computer/device and the destination, so of course they know where you are requesting pages from.)
I also hope that Opera won't save this data for third party or something like this.
But generally I want to be able to set some kind of check, only if I want it. If someone restrict access to this setting, it's just thing I don't like. -
samkook last edited by
HTTPS anywhere sure won't work if server doesn't accept SSL. But it change requests from HTTP to HTTPS for known sites.
Makes sense, thanks.
-
stealth789 last edited by
But sgunhouse, unlike the IE feature, where you can turn on or off the tracking protection (and Chrome's "Enable Phishing and Malware Protection") with Opera there is no option to disable it. I thought those third party extensions I cited in this thread were giving some of that tracking protection, but now I'm a bit confused on this. It sounds like they deal with a different matter entirely, not the browser's communication with Opera.
In every browser I disable requests I don't need. For example in Chromium I disabled all main Privacy settings like "Use a web service to help resolve navigation errors"/"Enable phishing and malware protection", ..... And there's option like "Send suspicious downloaded files to Google". And imagine if this is enabled by default, and no option to disable. And you can't control what is "suspicious". No way for me.
Also I really check all "security" extensions. And don't use many of them, because I just don't trust them. So use only extensions certified by time. Also new extensions, that act like blockers, but I can't see any settings what it does block? It's just madness. If some things that there's not reason to cover them are hidden, there's reason for it.
-
stealth789 last edited by
HTTPS anywhere sure won't work if server doesn't accept SSL. But it change requests from HTTP to HTTPS for known sites.
Makes sense, thanks.
In latest Chromium if I disable scripts in settings "Do not allow any site to run JavaScript", then on every site it's possible to enable specific ones on icon in address bar. There's icon that states that scripts are disabled. Similar to blocked 3rd party cookies. Still it's hard way, and far from what known extensions similar to NoScript can do. Opera has the same setting, but there's no easy access on from address bar icon like in Chromium.
-
colderwinters last edited by
I dont need Opera servers to check if the sites I visit are safe, I use WOT and the Comodo DNS Servers, What is the setting that enables or disables every site I visit be routed through Opera servers ? Also is this common among the various browers, or is Opera the only one doing this, I believe the old opera allowed you to disable that.
-
colderwinters last edited by
Ok, maybe it's not that big a deal, Srware Iron and Dragon has phishing and malware protection, but I leave it checkmarked as (ON), Ice Dragon has something similar that I leave (ON), Firefox has something similar also, but at least they give me the option to enable or disable it.
-
stealth789 last edited by
I dont need Opera servers to check if the sites I visit are safe, I use WOT and the Comodo DNS Servers, What is the setting that enables or disables every site I visit be routed through Opera servers ? Also is this common among the various browers, or is Opera the only one doing this, I believe the old opera allowed you to disable that.
In Blink (15+) Opera there's no setting to control this requests. And that's the problem. Setting was in older releases to 12.x.
But traffic is not practically routed through Opera servers. It works like this. You want to open site "www.abc.com". So Opera browser first send data to site "sitecheck2.opera.com" to Fraud Check of site "www.abc.com". Then your traffic is direct like in any other browser not routed to "www.abc.com". But destination address is still checked. And request are in pure non-encrypted form.
And Opera is only one using this kind of fraud check without option to disable it. Maybe it's good feature for someone (not for me), but still forcing me to use it is really not good policy for my privacy.
PS: I disabled requests in my firewall for now, as I cannot do it other way, and really don't like to send my browse data somewhere.
-
lem729 last edited by
If they gave me an option, I'd probably say don't collect the data. I'll take my chances. Colderwinters, if you're using WOT to review sites, then they're collecting your data.
-
stealth789 last edited by
Ok, maybe it's not that big a deal, Srware Iron and Dragon has phishing and malware protection, but I leave it checkmarked as (ON), Ice Dragon has something similar that I leave (ON), Firefox has something similar also, but at least they give me the option to enable or disable it.
First, from my point anything browser does to exploit my privacy is concern to me, and BIG DEAL. Approving this approach is precedence, that can lead right way down to hell.
And Srware Iron and Comodo Dragon are based on Chromium. Like new Opera. Chromium has mentioned feature of "Enable phishing and malware protection". Opera replaced it with Opera Fraud Check. And note that it's possible to disable this feature (my initial setting) anytime. I'm not forced to use it! But there are differences in usage:
a) Opera: FORCED / NON-SECURE ONLINE CHECK / PRIVACY COMPROMISED
Opera send every site I visit using non-secured traffic (over HTTP) to site "sitecheck2.opera.com"!b) Chromium / SRWare Iron / Comodo Dragon: OPTIONAL / Better concept for better privacy
Browser periodically download list of malware domains over HTTPS (secure) connection. This are coded HASH(coded and partial) strings. Then only site matched HASH, that is probably malware site is checked against Google online. But also only partial HASH of address is sent. So Google doesn't have full address. And is checking online only if site is one of suspected. Also I can simply disable this if I don't like it.Also in Opera I have installed extension "Adblock Plus" and enabled list of "Malware Domains". Which check domains locally (similar to Chromium check). Basically there's no reason for online checks of every site I visit. From my point is Opera doing this on purpose. And I don't need, like and want this kind of forced check behind my back.
-
lem729 last edited by admin
I posted in the suggestion box that the user should be given a choice on this collection of data for the Fraud Check of sites.
https://forums.opera.com/topic/3276/fraud-check-of-site-in-opera-22
If you feel strongly about it, or just think it would be fairer for the user to have the choice, then comment there also. That's the better place to be having this discussion.
-
browzer1 last edited by
Just so I understand this; I live in Ontario, Canada.
When I access my local newspaper, you mean the request first goes to Norway, is checked to make sure the site is valid, and if so, then goes to the news site and finally back to me. Is that correct?
If so, that is not acceptable.
Not because of privacy concerns, but because of response time concerns.
If there is no way to disable this "feature", then I will stick with Opera 12 and at some point move entirely to Firefox.
-
colderwinters last edited by
If they gave me an option, I'd probably say don't collect the data. I'll take my chances. Colderwinters, if you're using WOT to review sites, then they're collecting your data.
I trust WOT, and the decision to use WOT is an option to use or not to use
-
stealth789 last edited by admin
I posted in the suggestion box that the user should be given a choice on this collection of data for the Fraud Check of sites.
https://forums.opera.com/topic/3276/fraud-check-of-site-in-opera-22
If you feel strongly about it, or just think it would be fairer for the user to have the choice, then comment there also. That's the better place to be having this discussion.Thank you. I'll take a look there ;).
-
stealth789 last edited by
Just so I understand this; I live in Ontario, Canada.
When I access my local newspaper, you mean the request first goes to Norway, is checked to make sure the site is valid, and if so, then goes to the news site and finally back to me. Is that correct?Correct. Every new site you visit is checked. No matter where do you live.
If so, that is not acceptable.
Not because of privacy concerns, but because of response time concerns.Just to be correct. It's not checking one site on all requests. Basically if you request new site, it's sent to Opera. There is also parameter that stated for how long this request is cached = check valid (max-age-7200). Now it's for 7200 seconds (2 hours). So basically new request to same site is send after expiration of this period. It means after 2 hours.
I also see that some traffic uses HTTP and also there are some requests using HTTPS. This only indicates some kind of flaw. Now it see that it looks like, that it uses the same protocol as request itself. Strange. I mean if I'm visiting "http://www.abc.com" request to check is "http://sitecheck2.opera.com" -> non-secure. But when I'm visiting "https://www.def.com", then check is "https://sitecheck2.opera.com" -> at least secure.
If there is no way to disable this "feature", then I will stick with Opera 12 and at some point move entirely to Firefox.
Not possible to disable for now. But as many features, also this one is maybe in plan to add. But I just want to make sure, that this kind of forced functionality is not acceptable by me, or anyone who cares about security. Because if software is honest, it doesn't need to force you to use some setting. It can be set default, with warning for users. But forcing means that something is wrong.
And basically if I start to think of possibilities that Opera, ISP can do with such requests. Better not to.
Also the interesting question is, why Opera replaced default Chromium check "Enable phishing and malware protection" with Fraud check in first place? But its ok, because, they can have better collection of sites, or whatsoever. That's not main concern to me. But practical part of deployment of this feature is. So they have to finish this concept of checking, to make it right, secure, and optional.
-
Deleted User last edited by
After a lot of problems trying to figure out why I can't open my favorite forum I find this..
I've wasted much of a day trying to figure what was wrong.
Goodbye. I'm switching back to Chrome.