Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Opera to Start Phoning Home? 197

Posted by Zonk
from the they-know-what's-good-for-you dept.
An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"
This discussion has been archived. No new comments can be posted.

Opera to Start Phoning Home?

Comments Filter:
  • by ackthpt (218170) * on Friday October 20, 2006 @12:47PM (#16518663) Homepage Journal

    Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

    Seems to recall this can lead Opera to trouble, like what happened with Spamhaus.

    • Re: (Score:3, Funny)

      by Raumkraut (518382)
      From the artcle:
      Our servers get the trust information from a database supplied by GeoTrust

        HTTP/1.1 303 See Other
      • Re: (Score:3, Funny)

        by ackthpt (218170) *

        From the artcle: Our servers get the trust information from a database supplied by GeoTrust

        However, to get at GeoTrust, a party would likely have to sue Opera. IANAL, but Opera would, likely be viewed as complicit.

        Can you see the up-coming /. headline?

        c4n4d14n ph4m4c13 Files Defamation Claim Against Opera and GeoTrust

        • by cshark (673578) on Friday October 20, 2006 @02:25PM (#16520175)
          I hate to ask an obvious question, but what if I didn't want this feature? I mean, aside from telling Opera everything I decide to do online, which gives me the heebeejeebees, I don't see the value that comes from giving up my browsing privacy entirely like this. Opera has been benign until now, however who is to say that the list of sites you visited wouldn't end up in the hands of certain entities whom you would rather not have them. Department of Homeland Security comes to mind. Blah bla Military Commissions act s950v, blah bla conspiracy, blah bla, etc.

          Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
          It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
          My civic duty I always say.

          Don't you think a simple warning based on known patterns or wording is enough?

          • by frdmfghtr (603968) on Friday October 20, 2006 @02:34PM (#16520289)
            It's fun, and something to do on weekends.


            If this is your idea of "fun" on the weekends...you need to get out a little more :)

            (he says as he plans to spend the weekend studying for a midterm exam)
          • Re: (Score:3, Insightful)

            by Psykosys (667390)
            You could disable the feature.

            (and yes, it's rather stupid of them if they don't end up making this an option)

          • I've enjoyed the cutting edge technology that somehow seems to work despite its being cutting edge for years. I've taken it along with me when I went from Windows to Linux. I've encouraged people to try it out both as a user and a technology writer for the last several years.

            If I can't turn these features off, I'll stay in v9.0 until something better than Opera comes along or it can't be used with whichever Linux distro I'm going to be using.

            I make the decisions about what my web browser downloads and
          • by Afty0r (263037)
            I hate to ask an obvious question, but what if I didn't want this feature?
            Then you turn it off in preferences?
            • by cshark (673578)
              Why yes! But short of an application level firewall, how do you know that it's working?
    • by KC7GR (473279) on Friday October 20, 2006 @02:37PM (#16520323) Homepage Journal
      Not necessarily. The Spamhaus suit was utterly without merit, as no one is forced to use the Spamhaus database. Mail blocking occurs ONLY if (a), the SysAdmin(s) at the ISP or host in question choose to check incoming mail connections against the Spamhaus database; And (b), if Spamhaus has listed the IP address(es) being checked in said database.

      For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.

      Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.

      Keep the peace(es).

  • by Kenja (541830) on Friday October 20, 2006 @12:50PM (#16518697)
    I relay like this idea, so long as it can be turned off. Based on my experiance with Opera so far I'd say that not only will it be able to be turned off, but that you can disable it on a server by server baises.

    There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.
    • Im pretty sure the version on my N70 is native, could be wrong though...
      Version 8.60
      Build: 1657
      Platform Symbian/S60
    • by Ksevio (865461) on Friday October 20, 2006 @01:23PM (#16519229) Homepage
      Another thing mentioned in the blog posting is this: --- The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home". --- So it's not like they're sending everything back to opera without telling you what it is.
  • by otacon (445694) on Friday October 20, 2006 @12:52PM (#16518715)
    Well the fact that opera will check EVERY site someone goes to against their own server might work in theory...but does anyone really want all their web use data to be tracked by a server?
    • I guess it makes some difference whether they are, in fact, tracking web-use data. If Opera chooses, they could respond to requests without logging user information or IP addresses.
      • Re: (Score:3, Interesting)

        by otacon (445694)
        Well, anyone could easily say the traffic isn't being logged and the server is just processing requests, which could easily be true. But how easy would it be to log that data and no one be the wiser?
        • Re: (Score:2, Informative)

          by Anonymous Coward
          As easy as Opera operating from Norway, which is a country with extremely strict privacy laws? Also, as easy as Opera not being known to abuse user data in the first place, and already having Opera Mini, which means that ALL sites you visit have to go through Opera's servers, and Opera Mini probably has more users than the PC browser anyway?
        • Re: (Score:3, Interesting)

          by CastrTroy (595695)
          Also, unless the requests are sent encrypted I imagine that somebody sitting outside opera's server, could intercept the requests and use them for whatever they wanted.
        • Re: (Score:3, Interesting)

          by nine-times (778537)
          That's why I think it should be optional as well.
    • Re: (Score:3, Interesting)

      It shouldn't be hard to find out the server's IP address and the format of the request. Once you have that, DDOS and every single person using Opera is hosed. Not exactly a smooth move, Mr. Exlax!
      • Re: (Score:2, Insightful)

        by risk one (1013529)
        Hosed? Surely the service would fail gracefully, inform the user of the problem and Opera users would simply have to browse as they do now, without having their traffic checked. Doesn't really qualify as 'hosed' to me, or any decent reason to go through all the trouble of ddossing a service that is used to serving data every time an Opera user loads a page. It would take more than a simple bot net to get that down.
    • by sammydee (930754) <seivadmas+slashdotNO@SPAMgmail.com> on Friday October 20, 2006 @01:35PM (#16519423) Homepage
      RTFA:

      "When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."

      It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.

    • by timeOday (582209) on Friday October 20, 2006 @01:47PM (#16519623)
      It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all. If these fraudlent sites are verified by hand by people at Opera, there could only number in the tens of thousands.
      • Re: (Score:2, Interesting)

        by elcid73 (599126)
        They are verified by GeoTrust.

        I agree with your statement though. It would be nice to just update the list concurrently on the client.
      • by perler (80090)
        problem is, that this would be the first file a spyware would alter/delete. see %sysvol%\%system32%\drivers\etc\hosts PAT
      • It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all.

        As several others have pointed out, Opera will be taking some pains to avoid doing anything that would even make it possible for them to track users. Not to go all Opera-fan-boy on you, but Opera has been relatively privacy-concious for longer than the other browser organizations. If yo

  • by justinbach (1002761) on Friday October 20, 2006 @12:53PM (#16518753) Homepage
    the Opera users among us will have some interesting things to say about this. Both of them!
    • Re: (Score:2, Funny)

      by justinbach (1002761)
      Yeah, I know. I actually use Opera too, and I didn't mean any harm by...wait a minute. I DON'T use Opera. I've had it installed for quite a while, but I'd only use it if Safari, Firefox, and Camino all bit the bullet.
      I'd definitely hit it up before IE, though!
      • by elcid73 (599126) on Friday October 20, 2006 @01:23PM (#16519219) Homepage
        It's the native mouse gestures,MDI tabs (I can tile them with a mouse gesture!) and excellent caching of history (I'll tell you when to reload the page dammit.. I *want* the old data) that got me.

        If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.

        eh, to each his own.
    • Indeed I do. (Score:4, Informative)

      by Poromenos1 (830658) on Friday October 20, 2006 @02:10PM (#16519975) Homepage
      The request Opera sends is a hash of the URL instead of the URL itself.

      Would the second Opera user like to comment?
  • by djh101010 (656795) * on Friday October 20, 2006 @12:54PM (#16518757) Homepage Journal
    As long as I can turn it off, or turn it off for certain types of sites, that's fine. I'm not sure what this does for me that, say, Netcraft Toolbar doesn't. Is the data stream encrypted back to Opera? Can others intercept that and use it as a spam-target tool somehow? All questions I'd want answered before I'd use it.
  • by Anonymous Coward on Friday October 20, 2006 @12:57PM (#16518815)
    Well, with a name like Borg, I can't think of a reason why I wouldn't trust what he has to say...
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Good job #1845829 - you shouldn't be thinking for yourself anyway. Now get your ass back on this goddamned flying box so we can assimilate our next target.
  • Tell me what they send to their server is actually a hash of the URL with a huge salt.
    • Re: (Score:3, Insightful)

      by Ironsides (739422)
      Tell me what they send to their server is actually a hash of the URL with a huge salt.

      If they did this then one of two things would happen.
      1) Collisions where non-Phishing sites would be blocked as Phishing sites.
      2) They would be able to figure out what the original site was anyway as they are the ones who created the hashes. Otherwise, they wouldn't be able to look for duplicate entries or not and the hashes wouldn't mean jack.

      Everythings going to be in the clear. The only thing is to make sure th
      • Re: (Score:3, Insightful)

        by Arthur B. (806360)
        1) very unlikely with a good hash or combined hashes 2) no they wouldn't, they'd try to hash every phishing site with every salt to see if it matches your hash... sure they could see if you watch specific sites, but it certainly mitigates the amount of information they can get about you, they can't know exactly all the sites you look at. If their entry are user submitted, the user submission can be done in clear text, no problem.
      • From Opera's RSS feed:

        When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

        So yeah.
    • Re:Privacy concern (Score:4, Informative)

      by Anonymous Coward on Friday October 20, 2006 @01:09PM (#16518991)
      Tell me what they send to their server is actually a hash of the URL with a huge salt.
      From the linked blog [opera.com]:

      When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

      Presumably, it's because of the following:

      The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".
  • by Deathlizard (115856) on Friday October 20, 2006 @01:10PM (#16519003) Homepage Journal
    I know IE7 phones home, and fireefox 2 does too for anti-phishing. They both can also be disabled by the user.

    I don't see how this is any different than what MS or mozilla is doing. As long as it can be disabled by the user it should be ok.
    • Re: (Score:3, Informative)

      by elcid73 (599126)
      They use white or blacklists. Meaning it phone's home just to get a big list of all at once.

      Opera checks each as you go.

      Pro: it's updated as fast as GeoTrust is.. you don't have to wait for your nightly download (or whatever frequency) so you get the most reponsive phishing filter.

      Con: The reason this is a headline at all. ..Still, it will be able to be turned off and it's largely not all that different from MS or FF.
      • Re: (Score:3, Informative)

        by Kelson (129150) *
        Actually, IE7 can check each site as you go [microsoft.com], and Firefox 2 has two modes: one that checks against the blacklist, and one that checks each site as you go (look in Tools/Preferences/Security).

        So yes, each browser will have a mode which will send nearly every URL you visit to a third party for checking against phishing sites.
        • Re: (Score:2, Interesting)

          by elcid73 (599126)
          Yeah. I made note of that in one of the other responses I had in here. I don't really see why this is a headline at all.

          If you have a slider with Safety/security on one side, and Privacy on the other, all three browsers let you adjust where that slider falls.

          Browsers have to balance timeliness of updates against the fast moving phishing schemes with letting the users feel maintain a sense of security. It's strange though, like others have mentioned, Opera Mini seems to get away with this just fine as wel
    • Re: (Score:3, Informative)

      by AKAImBatman (238306) *
      Geez, everyone is phoning home these days. Who's next, E.T.?!?
    • by Vexorian (959249) on Friday October 20, 2006 @01:25PM (#16519253)
      1 How does the Phishing Protection feature work in Firefox 2?
      Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.
      http://www.mozilla.org/projects/bonecho/anti-phish ing/ [mozilla.org]
  • by gstoddart (321705) on Friday October 20, 2006 @01:11PM (#16519015) Homepage
    Johan Borg??? Oh, the irony. The diversity of your websites will be added to our own. Resistance is futile.

    What an unfortunate surname to be working in the tech field. :-P
  • by Pvt_Waldo (459439) on Friday October 20, 2006 @01:21PM (#16519183)
    First, we must trust they will not leak the data of "who surfs what".

    Second, we must trust they will not get hacked and this information stolen.

    Third, we must trust them to be the judge of "good and bad".

    Fourth, we must trust they won't get hacked and their list either modified by adding or removing site.

    Don't fall into the trap of "Oh it's Opera, of course we trust them". Let me put it this way. If Microsoft announced this, what would your reaction be?
  • by scoobrs (779206) on Friday October 20, 2006 @01:31PM (#16519363)
    Does anyone bother reading before commenting anymore? The feature will be able to be switched off at will, even on a site-by-site basis, and they will toss out source IPs at Opera if you choose to use it. The main reason they do it this way instead of downloading lists like mozilla and IE is that lists can be obsolete and phishers can be onto promoting their next scam by the time the lists are updated on clients. Besides, Opera is in Norway and outside Department of Justice jurisdiction for spying requests. If you don't like it or are sophisticated enough that you don't need it, turn it off.
    • by Nimey (114278)
      Does anyone bother reading before commenting anymore?


      You must be new here.
  • by evronm (530821)
    Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said
    I think he was misquoted. What he really said was "Firefox and IE are irrelevant."
  • well I'll be damned if I use this software on a computer with a network connection then!
  • If there is a store in my neighborhood that is known to pickpocket customers, the police come and arrest the pickpocketers. They don't hand-out a blacklist of those stores.

    It is unfortunate that the same thing can't happen to the web. I would rather the sites be taken down than blacklisted. Too bad Blue Security is gone...
  • I'm using it now (Score:2, Interesting)

    by elcid73 (599126)
    I'm using the weekly build. So far, nobody has knocked on my door.

    Works great- slashdot is trusted by geotrust evidently.

    There's a checkbox to "enable fraud protection." When this button is disabled you can still manually check the site via the same interface, but the check isn't automatic.
  • Why does Opera have to own the servers? Why can't it include several defaults, like its own servers, for "trust ratings", factoring in webserver certificate status (exists, expired, corrupt, etc)? And let users choose which "trust servers" they want to use to validate trust. Even better would be another layer which reviews trust servers for trustworthiness, to which users can subscribe to decide how much to trust which webservers.

    If Opera also integrated structured personal info into trust levels, completin
    • phishing. Do you seriously think these are the sort of people capable of making competent, informed decisions about "trust servers"?
      Even better would be another layer
      For fucks sake, what planet are you on? This sort of thing needs to "just work" otherwise it is useless for 99% of the people who would actually benefit from it.
      • Why don't you stop talking out of your fucking ass, and just read my post which makes clear how my system makes it totally easy for the user?

        I said the trust servers, and vouchers for those servers, would ship with defaults. All a casual user would do would see whether a given page is trusted, as a function of those two layers they'd never see. More sophisticated users could set their "vouch servers", probably by their organizations tech support. Even more sophisticated users could pick their own trust serv
  • Why doesn't Opera just push out a current list of badly behaving links, rather than having users ping their site each time? Seems like browser-local cache is better in every regard except for the staleness problem. Unless you have ulterior motives...
  • I did a little writeup [scovettalabs.com] on this kind of thing a while back. Since all of the major browsers support a "proxy autoconfiguration" file, you simply a flat file on some server that returns a non-existent proxy address for URLs that you want to "block". So you don't need to use Opera's, just have someone run such a service and point your autoconfig there. A general "URL/IP Blacklist" could easily be built into browsers (as I'm sure there's a Firefox extension around for it).

    On the other hand, I think it's nice th
  • Every time some single internet entity tries something to stop spam, banners, or viruses, the dark forces they are trying to stop collaborate against them and next thing you know your server is a smouldering pile od slag attached to what's left of the stain on the table that was your router.

    What makes them think they are flood-proof, against people that have thousands of zombies at their command?
  • A better idea would be to offer a plugin (which might be included by default but turned off by the user at installation time) that periodically syncronizes with a remote database of "bad" sites. This is basically what AdBlock + FilterSet.g plugin does for firefox, only it deals with ad blocking instead of phishing sites....

If an experiment works, something has gone wrong.

Working...