SECURITY CONCERN - Opera fraud check requests

stealth789

stealth789 last edited by

HTTPS anywhere sure won't work if server doesn't accept SSL. But it change requests from HTTP to HTTPS for known sites.

Makes sense, thanks.

In latest Chromium if I disable scripts in settings "Do not allow any site to run JavaScript", then on every site it's possible to enable specific ones on icon in address bar. There's icon that states that scripts are disabled. Similar to blocked 3rd party cookies. Still it's hard way, and far from what known extensions similar to NoScript can do. Opera has the same setting, but there's no easy access on from address bar icon like in Chromium.

colderwinters

colderwinters last edited by

I dont need Opera servers to check if the sites I visit are safe, I use WOT and the Comodo DNS Servers, What is the setting that enables or disables every site I visit be routed through Opera servers ? Also is this common among the various browers, or is Opera the only one doing this, I believe the old opera allowed you to disable that.

colderwinters

colderwinters last edited by

Ok, maybe it's not that big a deal, Srware Iron and Dragon has phishing and malware protection, but I leave it checkmarked as (ON), Ice Dragon has something similar that I leave (ON), Firefox has something similar also, but at least they give me the option to enable or disable it.

stealth789

stealth789 last edited by

I dont need Opera servers to check if the sites I visit are safe, I use WOT and the Comodo DNS Servers, What is the setting that enables or disables every site I visit be routed through Opera servers ? Also is this common among the various browers, or is Opera the only one doing this, I believe the old opera allowed you to disable that.

In Blink (15+) Opera there's no setting to control this requests. And that's the problem. Setting was in older releases to 12.x.

But traffic is not practically routed through Opera servers. It works like this. You want to open site "www.abc.com". So Opera browser first send data to site "sitecheck2.opera.com" to Fraud Check of site "www.abc.com". Then your traffic is direct like in any other browser not routed to "www.abc.com". But destination address is still checked. And request are in pure non-encrypted form.

And Opera is only one using this kind of fraud check without option to disable it. Maybe it's good feature for someone (not for me), but still forcing me to use it is really not good policy for my privacy.

PS: I disabled requests in my firewall for now, as I cannot do it other way, and really don't like to send my browse data somewhere.

lem729

lem729 last edited by

If they gave me an option, I'd probably say don't collect the data. I'll take my chances. Colderwinters, if you're using WOT to review sites, then they're collecting your data.

stealth789

stealth789 last edited by

Ok, maybe it's not that big a deal, Srware Iron and Dragon has phishing and malware protection, but I leave it checkmarked as (ON), Ice Dragon has something similar that I leave (ON), Firefox has something similar also, but at least they give me the option to enable or disable it.

First, from my point anything browser does to exploit my privacy is concern to me, and BIG DEAL. Approving this approach is precedence, that can lead right way down to hell.

And Srware Iron and Comodo Dragon are based on Chromium. Like new Opera. Chromium has mentioned feature of "Enable phishing and malware protection". Opera replaced it with Opera Fraud Check. And note that it's possible to disable this feature (my initial setting) anytime. I'm not forced to use it! But there are differences in usage:

a) Opera: FORCED / NON-SECURE ONLINE CHECK / PRIVACY COMPROMISED
Opera send every site I visit using non-secured traffic (over HTTP) to site "sitecheck2.opera.com"!

b) Chromium / SRWare Iron / Comodo Dragon: OPTIONAL / Better concept for better privacy
Browser periodically download list of malware domains over HTTPS (secure) connection. This are coded HASH(coded and partial) strings. Then only site matched HASH, that is probably malware site is checked against Google online. But also only partial HASH of address is sent. So Google doesn't have full address. And is checking online only if site is one of suspected. Also I can simply disable this if I don't like it.

Also in Opera I have installed extension "Adblock Plus" and enabled list of "Malware Domains". Which check domains locally (similar to Chromium check). Basically there's no reason for online checks of every site I visit. From my point is Opera doing this on purpose. And I don't need, like and want this kind of forced check behind my back.

lem729

lem729 last edited by admin

I posted in the suggestion box that the user should be given a choice on this collection of data for the Fraud Check of sites.

https://forums.opera.com/topic/3276/fraud-check-of-site-in-opera-22

If you feel strongly about it, or just think it would be fairer for the user to have the choice, then comment there also. That's the better place to be having this discussion.

browzer1

browzer1 last edited by

Just so I understand this; I live in Ontario, Canada.

When I access my local newspaper, you mean the request first goes to Norway, is checked to make sure the site is valid, and if so, then goes to the news site and finally back to me. Is that correct?

If so, that is not acceptable.

Not because of privacy concerns, but because of response time concerns.

If there is no way to disable this "feature", then I will stick with Opera 12 and at some point move entirely to Firefox.

colderwinters

colderwinters last edited by

If they gave me an option, I'd probably say don't collect the data. I'll take my chances. Colderwinters, if you're using WOT to review sites, then they're collecting your data.

I trust WOT, and the decision to use WOT is an option to use or not to use

stealth789

stealth789 last edited by admin

I posted in the suggestion box that the user should be given a choice on this collection of data for the Fraud Check of sites.
https://forums.opera.com/topic/3276/fraud-check-of-site-in-opera-22
If you feel strongly about it, or just think it would be fairer for the user to have the choice, then comment there also. That's the better place to be having this discussion.

Thank you. I'll take a look there ;).

stealth789

stealth789 last edited by

Just so I understand this; I live in Ontario, Canada.
When I access my local newspaper, you mean the request first goes to Norway, is checked to make sure the site is valid, and if so, then goes to the news site and finally back to me. Is that correct?

Correct. Every new site you visit is checked. No matter where do you live.

If so, that is not acceptable.
Not because of privacy concerns, but because of response time concerns.

Just to be correct. It's not checking one site on all requests. Basically if you request new site, it's sent to Opera. There is also parameter that stated for how long this request is cached = check valid (max-age-7200). Now it's for 7200 seconds (2 hours). So basically new request to same site is send after expiration of this period. It means after 2 hours.

I also see that some traffic uses HTTP and also there are some requests using HTTPS. This only indicates some kind of flaw. Now it see that it looks like, that it uses the same protocol as request itself. Strange. I mean if I'm visiting "http://www.abc.com" request to check is "http://sitecheck2.opera.com" -> non-secure. But when I'm visiting "https://www.def.com", then check is "https://sitecheck2.opera.com" -> at least secure.

If there is no way to disable this "feature", then I will stick with Opera 12 and at some point move entirely to Firefox.

Not possible to disable for now. But as many features, also this one is maybe in plan to add. But I just want to make sure, that this kind of forced functionality is not acceptable by me, or anyone who cares about security. Because if software is honest, it doesn't need to force you to use some setting. It can be set default, with warning for users. But forcing means that something is wrong.

And basically if I start to think of possibilities that Opera, ISP can do with such requests. Better not to.

Also the interesting question is, why Opera replaced default Chromium check "Enable phishing and malware protection" with Fraud check in first place? But its ok, because, they can have better collection of sites, or whatsoever. That's not main concern to me. But practical part of deployment of this feature is. So they have to finish this concept of checking, to make it right, secure, and optional.

Deleted User

Deleted User last edited by

After a lot of problems trying to figure out why I can't open my favorite forum I find this..

I've wasted much of a day trying to figure what was wrong.

Goodbye. I'm switching back to Chrome.

leocg

leocg Moderator Volunteer last edited by

Goodbye. I'm switching back to Chrome.

Goodbye! Hope you have enjoyed your staying.

mtu346

mtu346 last edited by

It's been nearly a year and this problem has not been solved!

luctur

luctur last edited by

It's been nearly a year and this problem has not been solved!

Maybe, they simply don't want to solve it.

Other browsers have unique browser ids that is not clear how they are used and where and how long data is stored.

Simply privacy is not a high priority for many browser vendors.

browzer1

browzer1 last edited by

Let's see what version 30 brings.

If the option to disable is not included, some people will simply switch to something else.

This feature (option) could be implemented with an hour of programming time.

If Opera refuses, then there is something going on behind the scenes.

leocg

leocg Moderator Volunteer last edited by

It's been nearly a year and this problem has not been solved!

Maybe because it's not considered a problem.

leocg

leocg Moderator Volunteer last edited by

Let's see what version 30 brings.
If the option to disable is not included, some people will simply switch to something else.

It won't be included. And i also don't think it will be included in 31.

luctur

luctur last edited by

It's been nearly a year and this problem has not been solved!

Maybe because it's not considered a problem.

I think so too, but it should.

The current approach maybe unlawful according to European Union laws, because data are sent outside the Union without any knowledge of a large part of the users who live there and use Opera.

Pay attention, I don't say Opera is doing something unlawful with those data, but not giving detailed info about how those data are managed and stored is nevertheless an infraction.

Everything I know about this issue is written in this thread and I cannot consider it a "official statement" from Opera.

However, each modern browser has serious privacy problems while managing a big amount of "personal data" outside the European Union (open source ones like Firefox too).

Even Vivaldi will add in the future a unique id to the browser in order to track what users do while on line, though it should have an option to deactivate it. This info is taken from Vivaldi dev blog.

leocg

leocg Moderator Volunteer last edited by

The current approach maybe unlawful according to European Union laws, because data are sent outside the Union without any knowledge of a large part of the users who live there and use Opera.

Well, EULA (browser://about/eula) and Privacy Policy (browser://about/privacy) says something about data being collected, even by third parts.

Everything I know about this issue is written in this thread and I cannot consider it a "official statement" from Opera.

Well, i don't think there will be one.

However, each modern browser has serious privacy problems while managing a big amount of "personal data" outside the European Union (open source ones like Firefox too).

What kind of personal data? An url is not a personal data.

Even Vivaldi will add in the future a unique id to the browser in order to track what users do while on line

Welcome to the real world.