Opera to Start Phoning Home?

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Friday October 20, 2006 @05:46AM from the they-know-what's-good-for-you dept.

An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

34 of 197 comments (clear)

Hmm Suits in the waiting? by ackthpt · 2006-10-20 05:47 · Score: 5, Insightful

Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

Seems to recall this can lead Opera to trouble, like what happened with Spamhaus.

--

A feeling of having made the same mistake before: Deja Foobar
1. Re:Hmm Suits in the waiting? by Raumkraut · 2006-10-20 05:56 · Score: 3, Funny
  
  From the artcle:
  Our servers get the trust information from a database supplied by GeoTrust
  
  HTTP/1.1 303 See Other
2. Re:Hmm Suits in the waiting? by ackthpt · 2006-10-20 06:01 · Score: 3, Funny
  
  From the artcle: Our servers get the trust information from a database supplied by GeoTrust
  
  However, to get at GeoTrust, a party would likely have to sue Opera. IANAL, but Opera would, likely be viewed as complicit.
  
  Can you see the up-coming /. headline?
  c4n4d14n ph4m4c13 Files Defamation Claim Against Opera and GeoTrust
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
3. Re:Hmm Suits in the waiting? by cshark · 2006-10-20 07:25 · Score: 4, Insightful
  
  I hate to ask an obvious question, but what if I didn't want this feature? I mean, aside from telling Opera everything I decide to do online, which gives me the heebeejeebees, I don't see the value that comes from giving up my browsing privacy entirely like this. Opera has been benign until now, however who is to say that the list of sites you visited wouldn't end up in the hands of certain entities whom you would rather not have them. Department of Homeland Security comes to mind. Blah bla Military Commissions act s950v, blah bla conspiracy, blah bla, etc.
  
  Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
  It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
  My civic duty I always say.
  
  Don't you think a simple warning based on known patterns or wording is enough?
  
  --
  This signature has Super Cow Powers
4. Re:Hmm Suits in the waiting? by frdmfghtr · 2006-10-20 07:34 · Score: 3, Insightful
  
  It's fun, and something to do on weekends.
  
  If this is your idea of "fun" on the weekends...you need to get out a little more :)
  
  (he says as he plans to spend the weekend studying for a midterm exam)
  
  --
  Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
5. Re:Hmm Suits in the waiting? by KC7GR · 2006-10-20 07:37 · Score: 4, Insightful
  
  Not necessarily. The Spamhaus suit was utterly without merit, as no one is forced to use the Spamhaus database. Mail blocking occurs ONLY if (a), the SysAdmin(s) at the ISP or host in question choose to check incoming mail connections against the Spamhaus database; And (b), if Spamhaus has listed the IP address(es) being checked in said database.
  
  For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.
  
  Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.
  
  Keep the peace(es).
  
  --
  Bruce Lane, KC7GR,
  
  Blue Feather Technologies
6. Re:Hmm Suits in the waiting? by Psykosys · 2006-10-20 08:47 · Score: 3, Insightful
  
  You could disable the feature.
  (and yes, it's rather stupid of them if they don't end up making this an option)
Great feature realy. by Kenja · 2006-10-20 05:50 · Score: 5, Insightful

I relay like this idea, so long as it can be turned off. Based on my experiance with Opera so far I'd say that not only will it be able to be turned off, but that you can disable it on a server by server baises.

There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Great feature realy. by Ksevio · 2006-10-20 06:23 · Score: 5, Interesting
  
  Another thing mentioned in the blog posting is this: --- The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home". --- So it's not like they're sending everything back to opera without telling you what it is.
secure...says opera? by otacon · 2006-10-20 05:52 · Score: 5, Insightful

Well the fact that opera will check EVERY site someone goes to against their own server might work in theory...but does anyone really want all their web use data to be tracked by a server?

--
In a world of acronyms, the words are the real victims.
1. Re:secure...says opera? by otacon · 2006-10-20 06:10 · Score: 3, Interesting
  
  Well, anyone could easily say the traffic isn't being logged and the server is just processing requests, which could easily be true. But how easy would it be to log that data and no one be the wiser?
  
  --
  In a world of acronyms, the words are the real victims.
2. Re:secure...says opera? by bubkus_jones · 2006-10-20 06:33 · Score: 3, Insightful
  
  Even if Opera was automatically logging every site you go to, you still have a say in the matter. You can either choose to use Opera, and put up with their possibly knowing every website you visit, and potentially locking you out of a site that someone may find questionable, OR you can choose not to use Opera, and use something that respects your privacy.
3. Re:secure...says opera? by sammydee · 2006-10-20 06:35 · Score: 5, Informative
  
  RTFA:
  "When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  --
  This is how the loudness war is killing music.
4. Re:secure...says opera? by hkmwbz · 2006-10-20 06:44 · Score: 3, Insightful
  
  Or you can disable the feature. Or you can choose to not trust anyone, and simply disconnect your PC completely because you can't trust anyone (which includes your ISP).
  
  --
  Clever signature text goes here.
5. Re:secure...says opera? by timeOday · 2006-10-20 06:47 · Score: 4, Interesting
  
  It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all. If these fraudlent sites are verified by hand by people at Opera, there could only number in the tens of thousands.
6. Re:secure...says opera? by Kjella · 2006-10-20 07:40 · Score: 4, Insightful
  
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  If the hash is simply of the path, it should be fairly trivial to create a rainbow table. Most sites that use some sort of ID like:
  http://foo.com/articles.bar?id=5003242
  would be trivial given a pattern, which would easily give you detailed tracking for many sites. And the domain name itself can tell quite a bit...
  
  --
  Live today, because you never know what tomorrow brings
I'm sure that... by justinbach · 2006-10-20 05:53 · Score: 5, Funny

the Opera users among us will have some interesting things to say about this. Both of them!

--
I left my wallet in El Sigundo!
1. Re:I'm sure that... by elcid73 · 2006-10-20 06:23 · Score: 4, Insightful
  
  It's the native mouse gestures,MDI tabs (I can tile them with a mouse gesture!) and excellent caching of history (I'll tell you when to reload the page dammit.. I *want* the old data) that got me.
  
  If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.
  
  eh, to each his own.
2. Re:I'm sure that... by VGPowerlord · 2006-10-20 07:03 · Score: 3, Insightful
  
  I've found that since Opera went free, and people keep talking about this "Firefox memory leak" thing, the voices in support of Opera on Slashdot have grown considerably.
  
  Yeah. I didn't start using it until:
  1. It was free.
  2. Firefox's developers pissed me off. This wasn't related to the memory leak bug, but that definitely contributed to me switching instead of just grinning and bearing it.
  
  I blame #1 for me not discovering the greatness of Opera earlier.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
That's fine if it's configurable and secure? by djh101010 · 2006-10-20 05:54 · Score: 3, Interesting

As long as I can turn it off, or turn it off for certain types of sites, that's fine. I'm not sure what this does for me that, say, Netcraft Toolbar doesn't. Is the data stream encrypted back to Opera? Can others intercept that and use it as a spam-target tool somehow? All questions I'd want answered before I'd use it.
1. Re:That's fine if it's configurable and secure? by TheoMurpse · 2006-10-20 07:03 · Score: 4, Funny
  
  I'm not sure what this does for me that, say, Netcraft Toolbar doesn't.
  Opera confirms: Netcraft is dead.
why wouldn't i trust him by Anonymous Coward · 2006-10-20 05:57 · Score: 5, Funny

Well, with a name like Borg, I can't think of a reason why I wouldn't trust what he has to say...
Re:Privacy concern by Anonymous Coward · 2006-10-20 06:09 · Score: 4, Informative

Tell me what they send to their server is actually a hash of the URL with a huge salt.
From the linked blog:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

Presumably, it's because of the following:

The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".
dont they all do this now? by Deathlizard · 2006-10-20 06:10 · Score: 5, Informative

I know IE7 phones home, and fireefox 2 does too for anti-phishing. They both can also be disabled by the user.

I don't see how this is any different than what MS or mozilla is doing. As long as it can be disabled by the user it should be ok.

--
In Soviet Russia, Trojan exploits YOU!
1. Re:dont they all do this now? by elcid73 · 2006-10-20 06:14 · Score: 3, Informative
  
  They use white or blacklists. Meaning it phone's home just to get a big list of all at once.
  
  Opera checks each as you go.
  
  Pro: it's updated as fast as GeoTrust is.. you don't have to wait for your nightly download (or whatever frequency) so you get the most reponsive phishing filter.
  
  Con: The reason this is a headline at all. ..Still, it will be able to be turned off and it's largely not all that different from MS or FF.
2. Re:dont they all do this now? by Vexorian · 2006-10-20 06:25 · Score: 4, Informative
  
  1 How does the Phishing Protection feature work in Firefox 2?
  Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.
  http://www.mozilla.org/projects/bonecho/anti-phish ing/
  
  --
  
  Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Re:Someone please cry foul by hkmwbz · 2006-10-20 06:28 · Score: 5, Insightful

Your ISP can track everything you do. That must mean that they are abusing their position. Why get Opera to track your surfing when your ISP could do so much more efficiently?

--
Clever signature text goes here.
Re:Someone please cry foul by bestinshow · 2006-10-20 06:28 · Score: 5, Insightful

That's if they log the requests - given that they're a Norwegian company, they have some pretty tough privacy laws to content with.

I expect that it will depend on the terms and conditions in the end, and that they will say 'we will not log or use your data in a user-specific manner (not even AOL style 'user == number' obfuscation, hehe), however we may use it to compile statistics on accesses to phishing sites', which could prove quite useful in anti-phisher court trials.

It's no different to IE7 or the next version of Safari. The best way to check a website is authentic is to check the URL against a blacklist and then tell the user in big red text in a way they'd be retarded to ignore about the threat. I do think it would be better to download the blacklist to the client and resync it often however.

How do the Firefox add-ins, IE7 and Safari 3 handle anti-phishing?
Does anyone read anymore? by scoobrs · 2006-10-20 06:31 · Score: 5, Informative

Does anyone bother reading before commenting anymore? The feature will be able to be switched off at will, even on a site-by-site basis, and they will toss out source IPs at Opera if you choose to use it. The main reason they do it this way instead of downloading lists like mozilla and IE is that lists can be obsolete and phishers can be onto promoting their next scam by the time the lists are updated on clients. Besides, Opera is in Norway and outside Department of Justice jurisdiction for spying requests. If you don't like it or are sophisticated enough that you don't need it, turn it off.

--
-Those who would give up essential liberty to purchase temporary safety deserve neither. -Ben Franklin
Re:I'd like it better.... by Shemmie · 2006-10-20 06:43 · Score: 5, Insightful

Isn't this against everything we say when it comes to Microsoft? We're meant to be protecting Joe Six-Pack. Various features should ship with the default to 'on', so that those in the know are free to turn it off, but it still protects those who it would most likely benefit?
Re:I'd like it better.... by foamrotreturns · 2006-10-20 07:07 · Score: 5, Insightful

One problem with your argument:
Joe Sixpack will not use Opera; he'll use IE. That's why we harp on MS for being so lax in security. They're targeting the lowest common denominator.
Indeed I do. by Poromenos1 · 2006-10-20 07:10 · Score: 3, Informative

The request Opera sends is a hash of the URL instead of the URL itself.

Would the second Opera user like to comment?

--
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Re:Just matter of time by animaal · 2006-10-20 07:10 · Score: 4, Insightful

Which government? Norway isn't (yet) subject to the U.S. government.
It's NOT phoning home. by ahknight · 2006-10-20 12:41 · Score: 3, Insightful

It's not phoning home. There's been a lot of idiocy about that statement lately and the phrase is starting to suffer the fate of the apostrophe: people are just using it whenever they think it might apply.

Phoning home means sending personal, identifying information back to the author of a program, usually with nefarious intent. This is a feature that uses an Opera server in a non-identifying way to determine if the site you're going to is fraudulent. Huge difference.

And you can probably turn it off. Yet another thing that you cannot do with software that is "phoning home" in the traditional definition.

Come on, folks. There's privacy and there's paranoia. I know a lot of you haven't left home in a few weeks, but try to stay in touch with reality, okay? The foil hats do nothing...