Opera to Start Phoning Home?

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Friday October 20, 2006 @05:46AM from the they-know-what's-good-for-you dept.

An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

53 of 197 comments (clear)

Hmm Suits in the waiting? by ackthpt · 2006-10-20 05:47 · Score: 5, Insightful

Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

Seems to recall this can lead Opera to trouble, like what happened with Spamhaus.

--

A feeling of having made the same mistake before: Deja Foobar
1. Re:Hmm Suits in the waiting? by Raumkraut · 2006-10-20 05:56 · Score: 3, Funny
  
  From the artcle:
  Our servers get the trust information from a database supplied by GeoTrust
  
  HTTP/1.1 303 See Other
2. Re:Hmm Suits in the waiting? by ackthpt · 2006-10-20 06:01 · Score: 3, Funny
  
  From the artcle: Our servers get the trust information from a database supplied by GeoTrust
  
  However, to get at GeoTrust, a party would likely have to sue Opera. IANAL, but Opera would, likely be viewed as complicit.
  
  Can you see the up-coming /. headline?
  c4n4d14n ph4m4c13 Files Defamation Claim Against Opera and GeoTrust
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
3. Re:Hmm Suits in the waiting? by cshark · 2006-10-20 07:25 · Score: 4, Insightful
  
  I hate to ask an obvious question, but what if I didn't want this feature? I mean, aside from telling Opera everything I decide to do online, which gives me the heebeejeebees, I don't see the value that comes from giving up my browsing privacy entirely like this. Opera has been benign until now, however who is to say that the list of sites you visited wouldn't end up in the hands of certain entities whom you would rather not have them. Department of Homeland Security comes to mind. Blah bla Military Commissions act s950v, blah bla conspiracy, blah bla, etc.
  
  Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
  It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
  My civic duty I always say.
  
  Don't you think a simple warning based on known patterns or wording is enough?
  
  --
  This signature has Super Cow Powers
4. Re:Hmm Suits in the waiting? by frdmfghtr · 2006-10-20 07:34 · Score: 3, Insightful
  
  It's fun, and something to do on weekends.
  
  If this is your idea of "fun" on the weekends...you need to get out a little more :)
  
  (he says as he plans to spend the weekend studying for a midterm exam)
  
  --
  Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
5. Re:Hmm Suits in the waiting? by KC7GR · 2006-10-20 07:37 · Score: 4, Insightful
  
  Not necessarily. The Spamhaus suit was utterly without merit, as no one is forced to use the Spamhaus database. Mail blocking occurs ONLY if (a), the SysAdmin(s) at the ISP or host in question choose to check incoming mail connections against the Spamhaus database; And (b), if Spamhaus has listed the IP address(es) being checked in said database.
  
  For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.
  
  Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.
  
  Keep the peace(es).
  
  --
  Bruce Lane, KC7GR,
  
  Blue Feather Technologies
6. Re:Hmm Suits in the waiting? by Psykosys · 2006-10-20 08:47 · Score: 3, Insightful
  
  You could disable the feature.
  (and yes, it's rather stupid of them if they don't end up making this an option)
Great feature realy. by Kenja · 2006-10-20 05:50 · Score: 5, Insightful

I relay like this idea, so long as it can be turned off. Based on my experiance with Opera so far I'd say that not only will it be able to be turned off, but that you can disable it on a server by server baises.

There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Great feature realy. by Ksevio · 2006-10-20 06:23 · Score: 5, Interesting
  
  Another thing mentioned in the blog posting is this: --- The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home". --- So it's not like they're sending everything back to opera without telling you what it is.
secure...says opera? by otacon · 2006-10-20 05:52 · Score: 5, Insightful

Well the fact that opera will check EVERY site someone goes to against their own server might work in theory...but does anyone really want all their web use data to be tracked by a server?

--
In a world of acronyms, the words are the real victims.
1. Re:secure...says opera? by otacon · 2006-10-20 06:10 · Score: 3, Interesting
  
  Well, anyone could easily say the traffic isn't being logged and the server is just processing requests, which could easily be true. But how easy would it be to log that data and no one be the wiser?
  
  --
  In a world of acronyms, the words are the real victims.
2. Re:secure...says opera? by Anonymous Coward · 2006-10-20 06:19 · Score: 2, Informative
  
  As easy as Opera operating from Norway, which is a country with extremely strict privacy laws? Also, as easy as Opera not being known to abuse user data in the first place, and already having Opera Mini, which means that ALL sites you visit have to go through Opera's servers, and Opera Mini probably has more users than the PC browser anyway?
3. Re:secure...says opera? by techno-vampire · 2006-10-20 06:21 · Score: 2, Interesting
  
  It shouldn't be hard to find out the server's IP address and the format of the request. Once you have that, DDOS and every single person using Opera is hosed. Not exactly a smooth move, Mr. Exlax!
  
  --
  Good, inexpensive web hosting
4. Re:secure...says opera? by CastrTroy · 2006-10-20 06:24 · Score: 2, Interesting
  
  Also, unless the requests are sent encrypted I imagine that somebody sitting outside opera's server, could intercept the requests and use them for whatever they wanted.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
5. Re:secure...says opera? by bubkus_jones · 2006-10-20 06:33 · Score: 3, Insightful
  
  Even if Opera was automatically logging every site you go to, you still have a say in the matter. You can either choose to use Opera, and put up with their possibly knowing every website you visit, and potentially locking you out of a site that someone may find questionable, OR you can choose not to use Opera, and use something that respects your privacy.
6. Re:secure...says opera? by sammydee · 2006-10-20 06:35 · Score: 5, Informative
  
  RTFA:
  "When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  --
  This is how the loudness war is killing music.
7. Re:secure...says opera? by hkmwbz · 2006-10-20 06:44 · Score: 3, Insightful
  
  Or you can disable the feature. Or you can choose to not trust anyone, and simply disconnect your PC completely because you can't trust anyone (which includes your ISP).
  
  --
  Clever signature text goes here.
8. Re:secure...says opera? by timeOday · 2006-10-20 06:47 · Score: 4, Interesting
  
  It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all. If these fraudlent sites are verified by hand by people at Opera, there could only number in the tens of thousands.
9. Re:secure...says opera? by elcid73 · 2006-10-20 06:54 · Score: 2, Interesting
  
  They are verified by GeoTrust.
  
  I agree with your statement though. It would be nice to just update the list concurrently on the client.
10. Re:secure...says opera? by nine-times · 2006-10-20 06:59 · Score: 2, Interesting
  
  That's why I think it should be optional as well.
11. Re:secure...says opera? by Kjella · 2006-10-20 07:40 · Score: 4, Insightful
  
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  If the hash is simply of the path, it should be fairly trivial to create a rainbow table. Most sites that use some sort of ID like:
  http://foo.com/articles.bar?id=5003242
  would be trivial given a pattern, which would easily give you detailed tracking for many sites. And the domain name itself can tell quite a bit...
  
  --
  Live today, because you never know what tomorrow brings
12. Re:secure...says opera? by risk+one · 2006-10-20 08:09 · Score: 2, Insightful
  
  Hosed? Surely the service would fail gracefully, inform the user of the problem and Opera users would simply have to browse as they do now, without having their traffic checked. Doesn't really qualify as 'hosed' to me, or any decent reason to go through all the trouble of ddossing a service that is used to serving data every time an Opera user loads a page. It would take more than a simple bot net to get that down.
I'm sure that... by justinbach · 2006-10-20 05:53 · Score: 5, Funny

the Opera users among us will have some interesting things to say about this. Both of them!

--
I left my wallet in El Sigundo!
1. Re:I'm sure that... by justinbach · 2006-10-20 06:13 · Score: 2, Funny
  
  Yeah, I know. I actually use Opera too, and I didn't mean any harm by...wait a minute. I DON'T use Opera. I've had it installed for quite a while, but I'd only use it if Safari, Firefox, and Camino all bit the bullet.
  I'd definitely hit it up before IE, though!
  
  --
  I left my wallet in El Sigundo!
2. Re:I'm sure that... by elcid73 · 2006-10-20 06:23 · Score: 4, Insightful
  
  It's the native mouse gestures,MDI tabs (I can tile them with a mouse gesture!) and excellent caching of history (I'll tell you when to reload the page dammit.. I *want* the old data) that got me.
  
  If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.
  
  eh, to each his own.
3. Re:I'm sure that... by VGPowerlord · 2006-10-20 07:03 · Score: 3, Insightful
  
  I've found that since Opera went free, and people keep talking about this "Firefox memory leak" thing, the voices in support of Opera on Slashdot have grown considerably.
  
  Yeah. I didn't start using it until:
  1. It was free.
  2. Firefox's developers pissed me off. This wasn't related to the memory leak bug, but that definitely contributed to me switching instead of just grinning and bearing it.
  
  I blame #1 for me not discovering the greatness of Opera earlier.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
That's fine if it's configurable and secure? by djh101010 · 2006-10-20 05:54 · Score: 3, Interesting

As long as I can turn it off, or turn it off for certain types of sites, that's fine. I'm not sure what this does for me that, say, Netcraft Toolbar doesn't. Is the data stream encrypted back to Opera? Can others intercept that and use it as a spam-target tool somehow? All questions I'd want answered before I'd use it.
1. Re:That's fine if it's configurable and secure? by TheoMurpse · 2006-10-20 07:03 · Score: 4, Funny
  
  I'm not sure what this does for me that, say, Netcraft Toolbar doesn't.
  Opera confirms: Netcraft is dead.
why wouldn't i trust him by Anonymous Coward · 2006-10-20 05:57 · Score: 5, Funny

Well, with a name like Borg, I can't think of a reason why I wouldn't trust what he has to say...
1. Re:why wouldn't i trust him by Anonymous Coward · 2006-10-20 06:27 · Score: 2, Funny
  
  Good job #1845829 - you shouldn't be thinking for yourself anyway. Now get your ass back on this goddamned flying box so we can assimilate our next target.
Re:Privacy concern by Ironsides · 2006-10-20 06:03 · Score: 2, Insightful

Tell me what they send to their server is actually a hash of the URL with a huge salt.

If they did this then one of two things would happen.
1) Collisions where non-Phishing sites would be blocked as Phishing sites.
2) They would be able to figure out what the original site was anyway as they are the ones who created the hashes. Otherwise, they wouldn't be able to look for duplicate entries or not and the hashes wouldn't mean jack.

Everythings going to be in the clear. The only thing is to make sure that the feature is optional.

--
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Re:Privacy concern by Anonymous Coward · 2006-10-20 06:09 · Score: 4, Informative

Tell me what they send to their server is actually a hash of the URL with a huge salt.
From the linked blog:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

Presumably, it's because of the following:

The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".
dont they all do this now? by Deathlizard · 2006-10-20 06:10 · Score: 5, Informative

I know IE7 phones home, and fireefox 2 does too for anti-phishing. They both can also be disabled by the user.

I don't see how this is any different than what MS or mozilla is doing. As long as it can be disabled by the user it should be ok.

--
In Soviet Russia, Trojan exploits YOU!
1. Re:dont they all do this now? by elcid73 · 2006-10-20 06:14 · Score: 3, Informative
  
  They use white or blacklists. Meaning it phone's home just to get a big list of all at once.
  
  Opera checks each as you go.
  
  Pro: it's updated as fast as GeoTrust is.. you don't have to wait for your nightly download (or whatever frequency) so you get the most reponsive phishing filter.
  
  Con: The reason this is a headline at all. ..Still, it will be able to be turned off and it's largely not all that different from MS or FF.
2. Re:dont they all do this now? by AKAImBatman · 2006-10-20 06:23 · Score: 2, Informative
  
  Geez, everyone is phoning home these days. Who's next, E.T.?!?
  
  --
  Javascript + Nintendo DSi = DSiCade
3. Re:dont they all do this now? by Vexorian · 2006-10-20 06:25 · Score: 4, Informative
  
  1 How does the Phishing Protection feature work in Firefox 2?
  Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.
  http://www.mozilla.org/projects/bonecho/anti-phish ing/
  
  --
  
  Copyright infringement is "piracy" in the same way DRM is "consumer rape"
4. Re:dont they all do this now? by Kelson · 2006-10-20 07:13 · Score: 2, Informative
  
  Actually, IE7 can check each site as you go, and Firefox 2 has two modes: one that checks against the blacklist, and one that checks each site as you go (look in Tools/Preferences/Security).
  
  So yes, each browser will have a mode which will send nearly every URL you visit to a third party for checking against phishing sites.
5. Re:dont they all do this now? by elcid73 · 2006-10-20 07:21 · Score: 2, Interesting
  
  Yeah. I made note of that in one of the other responses I had in here. I don't really see why this is a headline at all.
  
  If you have a slider with Safety/security on one side, and Privacy on the other, all three browsers let you adjust where that slider falls.
  
  Browsers have to balance timeliness of updates against the fast moving phishing schemes with letting the users feel maintain a sense of security. It's strange though, like others have mentioned, Opera Mini seems to get away with this just fine as well as your local ISP.
  
  I wish we could just say "nothing to see here, move along..." for this article. Or at least properly word the headline to something like:
  
  "Opera to default to real-time phishing filter" or something along those lines.
Johan Borg???? by gstoddart · 2006-10-20 06:11 · Score: 2, Funny

Johan Borg??? Oh, the irony. The diversity of your websites will be added to our own. Resistance is futile.

What an unfortunate surname to be working in the tech field. :-P

--
Lost at C:>. Found at C.
This forces a huge amount of trust in them... by Pvt_Waldo · 2006-10-20 06:21 · Score: 2, Interesting

First, we must trust they will not leak the data of "who surfs what".

Second, we must trust they will not get hacked and this information stolen.

Third, we must trust them to be the judge of "good and bad".

Fourth, we must trust they won't get hacked and their list either modified by adding or removing site.

Don't fall into the trap of "Oh it's Opera, of course we trust them". Let me put it this way. If Microsoft announced this, what would your reaction be?
Re:Someone please cry foul by hkmwbz · 2006-10-20 06:28 · Score: 5, Insightful

Your ISP can track everything you do. That must mean that they are abusing their position. Why get Opera to track your surfing when your ISP could do so much more efficiently?

--
Clever signature text goes here.
Re:Someone please cry foul by bestinshow · 2006-10-20 06:28 · Score: 5, Insightful

That's if they log the requests - given that they're a Norwegian company, they have some pretty tough privacy laws to content with.

I expect that it will depend on the terms and conditions in the end, and that they will say 'we will not log or use your data in a user-specific manner (not even AOL style 'user == number' obfuscation, hehe), however we may use it to compile statistics on accesses to phishing sites', which could prove quite useful in anti-phisher court trials.

It's no different to IE7 or the next version of Safari. The best way to check a website is authentic is to check the URL against a blacklist and then tell the user in big red text in a way they'd be retarded to ignore about the threat. I do think it would be better to download the blacklist to the client and resync it often however.

How do the Firefox add-ins, IE7 and Safari 3 handle anti-phishing?
Re:Privacy concern by Arthur+B. · 2006-10-20 06:29 · Score: 2, Insightful

1) very unlikely with a good hash or combined hashes 2) no they wouldn't, they'd try to hash every phishing site with every salt to see if it matches your hash... sure they could see if you watch specific sites, but it certainly mitigates the amount of information they can get about you, they can't know exactly all the sites you look at. If their entry are user submitted, the user submission can be done in clear text, no problem.

--
\u262D = \u5350
Does anyone read anymore? by scoobrs · 2006-10-20 06:31 · Score: 5, Informative

Does anyone bother reading before commenting anymore? The feature will be able to be switched off at will, even on a site-by-site basis, and they will toss out source IPs at Opera if you choose to use it. The main reason they do it this way instead of downloading lists like mozilla and IE is that lists can be obsolete and phishers can be onto promoting their next scam by the time the lists are updated on clients. Besides, Opera is in Norway and outside Department of Justice jurisdiction for spying requests. If you don't like it or are sophisticated enough that you don't need it, turn it off.

--
-Those who would give up essential liberty to purchase temporary safety deserve neither. -Ben Franklin
Re:I'd like it better.... by Shemmie · 2006-10-20 06:43 · Score: 5, Insightful

Isn't this against everything we say when it comes to Microsoft? We're meant to be protecting Joe Six-Pack. Various features should ship with the default to 'on', so that those in the know are free to turn it off, but it still protects those who it would most likely benefit?
Re:Optional, please? by elcid73 · 2006-10-20 06:49 · Score: 2, Informative

"Why not have users download a list every so often?" ...because "every so often" is "not often enough" when it comes to phishing.

(according to Opera)
Re:Someone please cry foul by The+Masked+Marauder · 2006-10-20 06:52 · Score: 2, Insightful

Why the hell would a Norwegian company hand anything over to the US DOJ? America can't really tell the rest of the world what to do you know, Bush just wants you to think that!
Re:Mmnn features by hkmwbz · 2006-10-20 06:57 · Score: 2, Informative

Your ISP is as much of a "random company" as Opera Software is. Opera Software is located in Norway, which apparently has extremely strict privacy laws. You also need to consider a company's track record. Opera Software also has the mobile browser Opera Mini which always goes through Opera's servers which do the rendering for the Mini client, and no one has cried foul so far.

--
Clever signature text goes here.
Re:I'd like it better.... by foamrotreturns · 2006-10-20 07:07 · Score: 5, Insightful

One problem with your argument:
Joe Sixpack will not use Opera; he'll use IE. That's why we harp on MS for being so lax in security. They're targeting the lowest common denominator.
Indeed I do. by Poromenos1 · 2006-10-20 07:10 · Score: 3, Informative

The request Opera sends is a hash of the URL instead of the URL itself.

Would the second Opera user like to comment?

--
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Re:Just matter of time by animaal · 2006-10-20 07:10 · Score: 4, Insightful

Which government? Norway isn't (yet) subject to the U.S. government.
I'm using it now by elcid73 · 2006-10-20 07:53 · Score: 2, Interesting

I'm using the weekly build. So far, nobody has knocked on my door.

Works great- slashdot is trusted by geotrust evidently.

There's a checkbox to "enable fraud protection." When this button is disabled you can still manually check the site via the same interface, but the check isn't automatic.
It's NOT phoning home. by ahknight · 2006-10-20 12:41 · Score: 3, Insightful

It's not phoning home. There's been a lot of idiocy about that statement lately and the phrase is starting to suffer the fate of the apostrophe: people are just using it whenever they think it might apply.

Phoning home means sending personal, identifying information back to the author of a program, usually with nefarious intent. This is a feature that uses an Opera server in a non-identifying way to determine if the site you're going to is fraudulent. Huge difference.

And you can probably turn it off. Yet another thing that you cannot do with software that is "phoning home" in the traditional definition.

Come on, folks. There's privacy and there's paranoia. I know a lot of you haven't left home in a few weeks, but try to stay in touch with reality, okay? The foil hats do nothing...