[Privacy bug] The creating a bookmark in a private tab with VPN causes connection non through VPN
-
A Former User last edited by A Former User Aug 31, 2019, 3:03 PM Aug 31, 2019, 2:37 PM
When you are in incognito mode (private tab in Opera) and use Opera "VPN" if you add a bookmark it causes connection non through VPN to this site for the image preview.
It can be easy detected by DNS leaking. (You need only DNSQuerySniffer)
- Run DNSQuerySniffer (as Administrator)
- Opera a private tab
- Open any site
- Bookmark the tab
- See that the site domain was resolved non through VPN so you see DNS resolve in DNSQuerySniffer.
It's a bug. PRIVACY BUG.
(Just for SEO: security bug)
-
A Former User last edited by A Former User Aug 31, 2019, 2:40 PM Aug 31, 2019, 2:40 PM
Sad to say, but it is not a new bug. Opera 58 has it too.
-
A Former User last edited by A Former User Aug 31, 2019, 3:04 PM Aug 31, 2019, 2:58 PM
The related topics:
[1]
Bookmarking a new site (which you din’t visit in non-incognito mode before), bookmarks will not have a favorite icon.[2]
The creepy bookmark warning when you create a bookmarks and have at least one incognito tab.
Better change the text what creating a bookmark in incognito mode will cause the privacy leak. -
A Former User last edited by A Former User Aug 31, 2019, 3:16 PM Aug 31, 2019, 3:13 PM
It can be easy detected by DNS leaking. (You need only DNSQuerySniffer)
....The additional:
The private tab is with enabled "VPN".
The non-private tab (window) is without enabled "VPN".So, the problem is obvious – сreating of a bookmark happens in common window even you add it in an incognito tab.
-
brz7fvuw3o last edited by brz7fvuw3o Sep 1, 2019, 7:56 AM Sep 1, 2019, 7:30 AM
You know that search engines circumvent the VPN by default in Opera?
Ridiculous default of course, that goes for much more in Opera.
[The most serious thing is that Opera starts by default as a scheduled task to check for updates.
In practice, this means that every time Windows Opera starts up, it always checks automatically for updates.
How you dare to call yourself a privacy browser remains a mystery to me.
By the way, Brave and I think Chrome (you can find it anywhere in Windows where you don't want it anyway) as well.
Actually it's a pity Opera doesn't have these things in order, in itself it's a pretty nice browser.] -
A Former User last edited by A Former User Sep 16, 2019, 5:30 AM Sep 16, 2019, 5:29 AM
You know that search engines circumvent the VPN by default in Opera?
I don't think that is a problem.
- It can be easily found in the options (It's not a hidden option).
- It can be disabled (It's the important part).
- It has benefits - you get a relevant search result (for based on your IP location) and no captcha.
The most serious thing is that Opera starts by default as a scheduled task to check for updates
I also want an option to easily disable auto-updates, for example, future Manifest V3 can break a lot of extensions that get you better privacy (not only ads blockers).
-
A Former User last edited by A Former User Sep 25, 2019, 11:20 AM Sep 25, 2019, 11:20 AM
Bump.
Or Opera team think that it is an appropriate behavior?
-
burnout426 Volunteer last edited by Sep 25, 2019, 1:55 PM
Can you double-check that this is still the case now since the bookmarks manager now loads in the private window again when you open it from the private window?
-
A Former User last edited by A Former User Sep 25, 2019, 4:39 PM Sep 25, 2019, 4:36 PM
I opened a private tab, enable "VPN", opened a site. Connection is through "VPN". There is no log in DNSQuerySniffer about the connection to the site.
Bookmark the site:
The image for the bookmark are loaded non through "VPN".
As a result the part of the connection – DNS resolve – is showed in DNSQuerySniffer log. -
burnout426 Volunteer last edited by burnout426 Sep 25, 2019, 6:03 PM Sep 25, 2019, 6:02 PM
Okay. Thanks for the update. I'll test and test in Opera Developer too. Don't know if it's expected behavior or not yet though.
In Opera Developer, I'll see if
opera://flags/#opera-doh
makes a difference. Since the query goes over HTTPS, maybe it'll go through the VPN then. Maybe it won't though still if it's an issue with private window/normal window context where the VPN isn't on in the normal window.I assume everything works fine if VPN is on by default and then you open a private window?
-
A Former User last edited by A Former User Sep 25, 2019, 6:41 PM Sep 25, 2019, 6:35 PM
@burnout426
This happens then "VPN" enabled only in a private tab. Obviously, because the process of creating of a bookmark is going in common window that is wrong.DNS over HTTPS is not a decision. Absolutely.
DNS resolve is just a part of connection to the site, the next step is HTTP/HTTPS connection that also in this case does not go through "VPN". In this case IP of the site and a content (in case HTTP) are visible for ISP.
-
A Former User last edited by A Former User Sep 25, 2019, 6:59 PM Sep 25, 2019, 6:57 PM
DNS over HTTPS is not a decision. Absolutely.
Here is it.
HTTP (TCP) connection is visible too. It is unacceptable for any good VPN.(I have used Wireshark.)
-
A Former User last edited by Sep 25, 2019, 8:19 PM
A bit more presentable screenshot (domain of images for the previews is the same as domain of the site):
This site is on HTTP so I (and ISP) can see the all content, not only IPs. -
burnout426 Volunteer last edited by burnout426 Sep 26, 2019, 6:10 PM Sep 26, 2019, 6:10 PM
Thanks for all the details. Opera has confirmed your findings and they are investigating. I'll post if there are any updates.
-
burnout426 Volunteer last edited by Oct 2, 2019, 10:02 PM
Partial fix in https://blogs.opera.com/desktop/changelog-for-65/#b3459.0, but there's a little more to do, so sit tight.
-
A Former User last edited by leocg Nov 23, 2019, 7:21 PM Nov 23, 2019, 6:07 PM
It does not fixed.
65.0.3467.48 -
burnout426 Volunteer last edited by Mar 24, 2020, 10:45 PM
Can you test in https://blogs.opera.com/desktop/2020/03/opera-69-0-3638-0-developer-update/? There's "DNA-81409 Switch to Chromium’s favicon fetcher" in the changelog, which might help with this issue.
-
A Former User last edited by A Former User Mar 28, 2020, 9:32 AM Mar 28, 2020, 9:23 AM
I don't think what it will fix this bug. The problem is not with favicons, but with images (that are used as a bookmark preview) that are loaded through a non incognito window.
It probably may fix this bug with favicons, but I have no desire to test it.
-
A Former User last edited by A Former User May 4, 2020, 6:54 AM May 4, 2020, 6:52 AM
Yes, I was right, that fixed the bug with favicons (that were created in the incognito mode). But.
The bug is this topic about is still not fixed.