[Privacy bug] The creating a bookmark in a private tab with VPN causes connection non through VPN

burnout426

burnout426 Volunteer last edited by burnout426

Okay. Thanks for the update. I'll test and test in Opera Developer too. Don't know if it's expected behavior or not yet though.

In Opera Developer, I'll see if opera://flags/#opera-doh makes a difference. Since the query goes over HTTPS, maybe it'll go through the VPN then. Maybe it won't though still if it's an issue with private window/normal window context where the VPN isn't on in the normal window.

I assume everything works fine if VPN is on by default and then you open a private window?

A Former User

A Former User @burnout426 last edited by A Former User

@burnout426
This happens then "VPN" enabled only in a private tab. Obviously, because the process of creating of a bookmark is going in common window that is wrong.

DNS over HTTPS is not a decision. Absolutely.

DNS resolve is just a part of connection to the site, the next step is HTTP/HTTPS connection that also in this case does not go through "VPN". In this case IP of the site and a content (in case HTTP) are visible for ISP.

A Former User

A Former User @Guest last edited by A Former User

DNS over HTTPS is not a decision. Absolutely.

Here is it.

HTTP (TCP) connection is visible too. It is unacceptable for any good VPN.

(I have used Wireshark.)

A Former User

A Former User last edited by

A bit more presentable screenshot (domain of images for the previews is the same as domain of the site):

This site is on HTTP so I (and ISP) can see the all content, not only IPs.

burnout426

burnout426 Volunteer last edited by burnout426

Thanks for all the details. Opera has confirmed your findings and they are investigating. I'll post if there are any updates.

burnout426

burnout426 Volunteer last edited by

Partial fix in https://blogs.opera.com/desktop/changelog-for-65/#b3459.0, but there's a little more to do, so sit tight.

A Former User

A Former User last edited by leocg

It does not fixed.
65.0.3467.48

burnout426

burnout426 Volunteer last edited by

Correct. It's still being worked on.

burnout426

burnout426 Volunteer last edited by

Can you test in https://blogs.opera.com/desktop/2020/03/opera-69-0-3638-0-developer-update/? There's "DNA-81409 Switch to Chromium’s favicon fetcher" in the changelog, which might help with this issue.

A Former User

A Former User last edited by A Former User

I don't think what it will fix this bug. The problem is not with favicons, but with images (that are used as a bookmark preview) that are loaded through a non incognito window.

It probably may fix this bug with favicons, but I have no desire to test it.

A Former User

A Former User last edited by A Former User

Yes, I was right, that fixed the bug with favicons (that were created in the incognito mode). But.

The bug is this topic about is still not fixed.

burnout426

burnout426 Volunteer @Guest last edited by

@anonan said in [Privacy bug] The creating a bookmark in a private tab with VPN causes connection non through VPN:

The bug is this topic about is still not fixed.

In the latest Opera Developer you still see favicon fetches bypassing the VPN?

A Former User

A Former User @burnout426 last edited by A Former User

Sorry, my previous message is about the latest release version (68), not develop (69).

---

you still see favicon fetches bypassing the VPN?

I have never said that. I talked only about previews (It are images for the bookmark, Opera parses the HTML for image URLs (not only img tags) and downloads them), but I have rechecked it, and the favicon is downloanig non through the incognito window too.

Opera 68:
I have created the bookmark in the incognito window with enabled "VPN", but Opera downloaded both the favicon and images for the preview through the default window, that has no enabled "VPN", so I can see HTTP connections to the site in Wireshark:

I did not test it in the Developer version.

burnout426

burnout426 Volunteer @Guest last edited by

@anonan said in [Privacy bug] The creating a bookmark in a private tab with VPN causes connection non through VPN:

I did not test it in the Developer version.

It's supposed to have everything fixed in this area and Opera doesn't know of any other cases where things leak. But, if you can still find a situation where Opera leaks, then Opera would like to know. Otherwise, it's considered fixed and you'll see it fixed in Opera Stable once stable reaches 69.

burnout426

burnout426 Volunteer last edited by

In testing I think I'm able to reproduce in both Opera stable and Opera Developer.

burnout426

burnout426 Volunteer last edited by

Filed DNA-86289 for this.

burnout426

burnout426 Volunteer last edited by

https://blogs.opera.com/desktop/2020/05/opera-70-0-3701-0-developer-update/ has a fix for your specific issue. Please test with it to confirm.

A Former User

A Former User last edited by A Former User

@burnout426
Maybe.

But in Opera 69 both bugs are.

• The connections for fetching images for the preview of a bookmark that was created in incognito tab with enabled "VPN" bypasses "VPN" – it goes through the non-incognito browser window (there "VPN" is disabled).

• There is no favicon for a bookmark that was created in incognito mode. (It's the regression or maybe I tested it wrong last time.)

---

Here is the example of bookmarks that I have created in incognito mode with enabled "VPN".
(Note: I visited these sites the first time, so there is no cached favicon or DNS query. It's random sites from duckduckgo.com/?q=tokyo+site)

The leak connections:

[1]

---

[2]

---

[3]

---

And missed favicons for these bookmarks (1st and 3nd sites should have the favicon):

leocg

leocg Moderator Volunteer @Guest last edited by

@anonan Opera 69 probably doesn't have the fix.

A Former User

A Former User last edited by A Former User

Unbelievable, but it looks fixed. (Only the leak connections)
(v70)