Opera to Start Phoning Home?

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Friday October 20, 2006 @05:46AM from the they-know-what's-good-for-you dept.

An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

22 of 197 comments (clear)

Hmm Suits in the waiting? by ackthpt · 2006-10-20 05:47 · Score: 5, Insightful

Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

Seems to recall this can lead Opera to trouble, like what happened with Spamhaus.

--

A feeling of having made the same mistake before: Deja Foobar
1. Re:Hmm Suits in the waiting? by cshark · 2006-10-20 07:25 · Score: 4, Insightful
  
  I hate to ask an obvious question, but what if I didn't want this feature? I mean, aside from telling Opera everything I decide to do online, which gives me the heebeejeebees, I don't see the value that comes from giving up my browsing privacy entirely like this. Opera has been benign until now, however who is to say that the list of sites you visited wouldn't end up in the hands of certain entities whom you would rather not have them. Department of Homeland Security comes to mind. Blah bla Military Commissions act s950v, blah bla conspiracy, blah bla, etc.
  
  Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
  It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
  My civic duty I always say.
  
  Don't you think a simple warning based on known patterns or wording is enough?
  
  --
  This signature has Super Cow Powers
2. Re:Hmm Suits in the waiting? by KC7GR · 2006-10-20 07:37 · Score: 4, Insightful
  
  Not necessarily. The Spamhaus suit was utterly without merit, as no one is forced to use the Spamhaus database. Mail blocking occurs ONLY if (a), the SysAdmin(s) at the ISP or host in question choose to check incoming mail connections against the Spamhaus database; And (b), if Spamhaus has listed the IP address(es) being checked in said database.
  
  For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.
  
  Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.
  
  Keep the peace(es).
  
  --
  Bruce Lane, KC7GR,
  
  Blue Feather Technologies
Great feature realy. by Kenja · 2006-10-20 05:50 · Score: 5, Insightful

I relay like this idea, so long as it can be turned off. Based on my experiance with Opera so far I'd say that not only will it be able to be turned off, but that you can disable it on a server by server baises.

There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Great feature realy. by Ksevio · 2006-10-20 06:23 · Score: 5, Interesting
  
  Another thing mentioned in the blog posting is this: --- The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home". --- So it's not like they're sending everything back to opera without telling you what it is.
secure...says opera? by otacon · 2006-10-20 05:52 · Score: 5, Insightful

Well the fact that opera will check EVERY site someone goes to against their own server might work in theory...but does anyone really want all their web use data to be tracked by a server?

--
In a world of acronyms, the words are the real victims.
1. Re:secure...says opera? by sammydee · 2006-10-20 06:35 · Score: 5, Informative
  
  RTFA:
  "When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  --
  This is how the loudness war is killing music.
2. Re:secure...says opera? by timeOday · 2006-10-20 06:47 · Score: 4, Interesting
  
  It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all. If these fraudlent sites are verified by hand by people at Opera, there could only number in the tens of thousands.
3. Re:secure...says opera? by Kjella · 2006-10-20 07:40 · Score: 4, Insightful
  
  It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
  
  If the hash is simply of the path, it should be fairly trivial to create a rainbow table. Most sites that use some sort of ID like:
  http://foo.com/articles.bar?id=5003242
  would be trivial given a pattern, which would easily give you detailed tracking for many sites. And the domain name itself can tell quite a bit...
  
  --
  Live today, because you never know what tomorrow brings
I'm sure that... by justinbach · 2006-10-20 05:53 · Score: 5, Funny

the Opera users among us will have some interesting things to say about this. Both of them!

--
I left my wallet in El Sigundo!
1. Re:I'm sure that... by elcid73 · 2006-10-20 06:23 · Score: 4, Insightful
  
  It's the native mouse gestures,MDI tabs (I can tile them with a mouse gesture!) and excellent caching of history (I'll tell you when to reload the page dammit.. I *want* the old data) that got me.
  
  If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.
  
  eh, to each his own.
why wouldn't i trust him by Anonymous Coward · 2006-10-20 05:57 · Score: 5, Funny

Well, with a name like Borg, I can't think of a reason why I wouldn't trust what he has to say...
Re:Privacy concern by Anonymous Coward · 2006-10-20 06:09 · Score: 4, Informative

Tell me what they send to their server is actually a hash of the URL with a huge salt.
From the linked blog:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

Presumably, it's because of the following:

The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".
dont they all do this now? by Deathlizard · 2006-10-20 06:10 · Score: 5, Informative

I know IE7 phones home, and fireefox 2 does too for anti-phishing. They both can also be disabled by the user.

I don't see how this is any different than what MS or mozilla is doing. As long as it can be disabled by the user it should be ok.

--
In Soviet Russia, Trojan exploits YOU!
1. Re:dont they all do this now? by Vexorian · 2006-10-20 06:25 · Score: 4, Informative
  
  1 How does the Phishing Protection feature work in Firefox 2?
  Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.
  http://www.mozilla.org/projects/bonecho/anti-phish ing/
  
  --
  
  Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Re:Someone please cry foul by hkmwbz · 2006-10-20 06:28 · Score: 5, Insightful

Your ISP can track everything you do. That must mean that they are abusing their position. Why get Opera to track your surfing when your ISP could do so much more efficiently?

--
Clever signature text goes here.
Re:Someone please cry foul by bestinshow · 2006-10-20 06:28 · Score: 5, Insightful

That's if they log the requests - given that they're a Norwegian company, they have some pretty tough privacy laws to content with.

I expect that it will depend on the terms and conditions in the end, and that they will say 'we will not log or use your data in a user-specific manner (not even AOL style 'user == number' obfuscation, hehe), however we may use it to compile statistics on accesses to phishing sites', which could prove quite useful in anti-phisher court trials.

It's no different to IE7 or the next version of Safari. The best way to check a website is authentic is to check the URL against a blacklist and then tell the user in big red text in a way they'd be retarded to ignore about the threat. I do think it would be better to download the blacklist to the client and resync it often however.

How do the Firefox add-ins, IE7 and Safari 3 handle anti-phishing?
Does anyone read anymore? by scoobrs · 2006-10-20 06:31 · Score: 5, Informative

Does anyone bother reading before commenting anymore? The feature will be able to be switched off at will, even on a site-by-site basis, and they will toss out source IPs at Opera if you choose to use it. The main reason they do it this way instead of downloading lists like mozilla and IE is that lists can be obsolete and phishers can be onto promoting their next scam by the time the lists are updated on clients. Besides, Opera is in Norway and outside Department of Justice jurisdiction for spying requests. If you don't like it or are sophisticated enough that you don't need it, turn it off.

--
-Those who would give up essential liberty to purchase temporary safety deserve neither. -Ben Franklin
Re:I'd like it better.... by Shemmie · 2006-10-20 06:43 · Score: 5, Insightful

Isn't this against everything we say when it comes to Microsoft? We're meant to be protecting Joe Six-Pack. Various features should ship with the default to 'on', so that those in the know are free to turn it off, but it still protects those who it would most likely benefit?
Re:That's fine if it's configurable and secure? by TheoMurpse · 2006-10-20 07:03 · Score: 4, Funny

I'm not sure what this does for me that, say, Netcraft Toolbar doesn't.
Opera confirms: Netcraft is dead.
Re:I'd like it better.... by foamrotreturns · 2006-10-20 07:07 · Score: 5, Insightful

One problem with your argument:
Joe Sixpack will not use Opera; he'll use IE. That's why we harp on MS for being so lax in security. They're targeting the lowest common denominator.
Re:Just matter of time by animaal · 2006-10-20 07:10 · Score: 4, Insightful

Which government? Norway isn't (yet) subject to the U.S. government.