Opera to Start Phoning Home?
An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identified as fraudulent will be automatically blocked by the browser.'"
Hmm Suits in the waiting? (Score:5, Insightful)
Those that Opera has identified as fraudulent will be automatically blocked by the browser.'"
I seem to recall this can lead Opera to trouble, like what happened with Spamhaus.
Re: (Score:3, Funny)
Our servers get the trust information from a database supplied by GeoTrust
HTTP/1.1 303 See Other
Re: (Score:3, Funny)
From the article: Our servers get the trust information from a database supplied by GeoTrust
However, to get at GeoTrust, a party would likely have to sue Opera. IANAL, but Opera would likely be viewed as complicit.
Can you see the up-coming /. headline?
c4n4d14n ph4m4c13 Files Defamation Claim Against Opera and GeoTrust
Re:Hmm Suits in the waiting? (Score:5, Insightful)
Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
My civic duty I always say.
Don't you think a simple warning based on known patterns or wording is enough?
Re:Hmm Suits in the waiting? (Score:4, Insightful)
If this is your idea of "fun" on the weekends...you need to get out a little more
(he says as he plans to spend the weekend studying for a midterm exam)
Re: (Score:2)
Re: (Score:3, Insightful)
(and yes, it's rather stupid of them if they don't end up making this an option)
speaking as a user of Opera from 1999... (Score:2)
If I can't turn these features off, I'll stay in v9.0 until something better than Opera comes along or it can't be used with whichever Linux distro I'm going to be using.
I make the decisions about what my web browser downloads and
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Hmm Suits in the waiting? (Score:5, Insightful)
For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.
Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.
Keep the peace(es).
Re: (Score:2)
Oh, and this is nothing new. They used to send every URL (except local URLs, intranet URLs, and https URLs) to Google...
Re: (Score:2)
If they implemented it similar to the way IE7 has implemented the Phishing option which is it asks you the FIRST time you run the browser (and every time you upgrade to the latest beta/rc/seemingly official release). And IE7 also does a *phone home* scenario to log and monitor the phishing sites just as Opera will be doing, and the Netcraft toolbar, etc.. This is nothing *new* or different. Heck this same concept and idea will be integrated into Firefox 2.0 with the option to *phone home* to
Great feature really. (Score:5, Insightful)
There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.
Re: (Score:2)
Version 8.60
Build: 1657
Platform Symbian/S60
Re:Great feature really. (Score:5, Interesting)
Re:I'd like it better.... (Score:5, Insightful)
Re:I'd like it better.... (Score:5, Insightful)
Joe Sixpack will not use Opera; he'll use IE. That's why we harp on MS for being so lax in security. They're targeting the lowest common denominator.
Re: (Score:2)
Re: (Score:2)
The problem is easily solved with Opera asking (during the installation) if you want this feature turned on. The default choice would be "no."
Re: (Score:2)
I recall "us" bashing Microsoft for having spyware enabled. This "phoning home" is a form of spyware.
It's NOT phoning home. (Score:4, Insightful)
Phoning home means sending personal, identifying information back to the author of a program, usually with nefarious intent. This is a feature that uses an Opera server in a non-identifying way to determine if the site you're going to is fraudulent. Huge difference.
And you can probably turn it off. Yet another thing that you cannot do with software that is "phoning home" in the traditional definition.
Come on, folks. There's privacy and there's paranoia. I know a lot of you haven't left home in a few weeks, but try to stay in touch with reality, okay? The foil hats do nothing...
Re: (Score:2)
Sorry, no. Phoning home means the application is contacting its creators, regardless of what information is being sent or retrieved. The most common purpose of this is to check for updated versions of the software, and to notify the user when o
Re: (Score:2)
Just because that's what you call it doesn't make that the definition.
secure...says opera? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
Re:secure...says opera? (Score:5, Informative)
"When you browse to a site you have not visited before, the browser sends a request for site information to our server. The request contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."
It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.
Re:secure...says opera? (Score:5, Insightful)
If the hash is simply of the path, it should be fairly trivial to create a rainbow table. Most sites that use some sort of ID like:
http://foo.com/articles.bar?id=5003242 [foo.com]
would be trivial given a pattern, which would easily give you detailed tracking for many sites. And the domain name itself can tell quite a bit...
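The point made in the comment above, as an added example that is not part of the original thread or Opera's code: with the domain sent in the clear, a hash of a URL that follows a predictable ID pattern can be matched by hashing candidates. SHA-256, the function names, the ID range and the random-token URL are assumptions; the page does not name the hash Opera uses.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

def url_fingerprint(url):
    # Assumption: SHA-256 over the full URL; the thread does not say which hash is used.
    return hashlib.sha256(url.encode("utf-8")).hexdigest()

def build_lookup(url):
    # What the quoted description says leaves the browser: clear-text domain plus URL hash.
    return {"domain": urlsplit(url).hostname, "hash": url_fingerprint(url)}

def recover_url(lookup, template, ids):
    # View from the lookup server (or anyone reading the plain-HTTP request):
    # the domain narrows the search, a known URL pattern supplies the candidates.
    attempts = 0
    for i in ids:
        attempts += 1
        candidate = template.format(domain=lookup["domain"], id=i)
        if url_fingerprint(candidate) == lookup["hash"]:
            return candidate, attempts
    return None, attempts

# Constructed inputs: the example URL from the comment, and a hypothetical
# URL on the same domain whose path carries a 128-bit random token.
PATTERN = "http://{domain}/articles.bar?id={id}"
ID_RANGE = range(5_000_000, 5_010_000)
GUESSABLE = "http://foo.com/articles.bar?id=5003242"
UNGUESSABLE = "http://foo.com/share/" + secrets.token_urlsafe(16)

if __name__ == "__main__":
    for visited in (GUESSABLE, UNGUESSABLE):
        lookup = build_lookup(visited)
        found, attempts = recover_url(lookup, PATTERN, ID_RANGE)
        print(lookup["domain"], lookup["hash"][:16], "->", found, f"({attempts} hashes)")
```

The sequential-ID URL is matched after a few thousand hashes, while the random-token URL is not matched by the pattern; in both cases the domain is visible without any guessing.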
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If it's only a hash, and not the full address, then won't there be collisions? Could this lead to falsely blocking harmless sites?
For example, what if the hash for yro.slashdot.com collides with www.pay_pal_lookalike.com?
Re: (Score:2)
http://001.phishing.example.com/clickme.php [example.com]
http://002.phishing.example.com/clickme.php [example.com]
http://003.phishing.example.com/clickme.php [example.com]
Or, without using DNS at all, just use unique paths:
http://172.16.255.42/001/clickme.php [172.16.255.42]
http://172.16.255.42/002/clickme.php [172.16.255.42]
http://172.16.255.42/003/clickme.php [172.16.255.42]
As an added bonus, if the spammer keeps a database of which unique URLs were sen
Re:secure...says opera? (Score:5, Interesting)
Re: (Score:2, Interesting)
I agree with your statement though. It would be nice to just update the list concurrently on the client.
Re: (Score:2)
Blacklist vs. Check-every-time (Score:2)
As several others have pointed out, Opera will be taking some pains to avoid doing anything that would even make it possible for them to track users. Not to go all Opera-fan-boy on you, but Opera has been relatively privacy-conscious for longer than the other browser organizations. If yo
I'm sure that... (Score:5, Funny)
Re: (Score:2, Funny)
I'd definitely hit it up before IE, though!
Re:I'm sure that... (Score:4, Insightful)
If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.
eh, to each his own.
Indeed I do. (Score:4, Informative)
Would the second Opera user like to comment?
Re: (Score:2)
Re:I'm sure that... (Score:4, Insightful)
Yeah. I didn't start using it until:
1. It was free.
2. Firefox's developers pissed me off. This wasn't related to the memory leak bug, but that definitely contributed to me switching instead of just grinning and bearing it.
I blame #1 for me not discovering the greatness of Opera earlier.
That's fine if it's configurable and secure? (Score:4, Interesting)
Re:That's fine if it's configurable and secure? (Score:5, Funny)
It's not encrypted. (Score:2)
why wouldn't i trust him (Score:5, Funny)
Re: (Score:2, Funny)
Privacy concern (Score:2)
Re: (Score:3, Insightful)
If they did this then one of two things would happen.
1) Collisions where non-Phishing sites would be blocked as Phishing sites.
2) They would be able to figure out what the original site was anyway as they are the ones who created the hashes. Otherwise, they wouldn't be able to look for duplicate entries or not and the hashes wouldn't mean jack.
Everything's going to be in the clear. The only thing is to make sure th
Re: (Score:3, Insightful)
Okay... (Score:2)
When you browse to a site you have not visited before, the browser sends a request for site information to our server. The request contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.
So yeah.
Re:Privacy concern (Score:4, Informative)
When you browse to a site you have not visited before, the browser sends a request for site information to our server. The request contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.
Presumably, it's because of the following:
The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".
don't they all do this now? (Score:5, Informative)
I don't see how this is any different than what MS or Mozilla is doing. As long as it can be disabled by the user it should be ok.
Re: (Score:3, Informative)
Opera checks each as you go.
Pro: it's updated as fast as GeoTrust is.. you don't have to wait for your nightly download (or whatever frequency) so you get the most responsive phishing filter.
Con: The reason this is a headline at all.
Re: (Score:3, Informative)
So yes, each browser will have a mode which will send nearly every URL you visit to a third party for checking against phishing sites.
Re: (Score:2, Interesting)
If you have a slider with Safety/security on one side, and Privacy on the other, all three browsers let you adjust where that slider falls.
Browsers have to balance timeliness of updates against the fast moving phishing schemes with letting the users maintain a sense of security. It's strange though, like others have mentioned, Opera Mini seems to get away with this just fine as wel
Re: (Score:3, Informative)
Re:don't they all do this now? (Score:5, Informative)
Johan Borg???? (Score:3, Funny)
What an unfortunate surname to be working in the tech field.
Borg? (Score:2)
This forces a huge amount of trust in them... (Score:3, Interesting)
Second, we must trust they will not get hacked and this information stolen.
Third, we must trust them to be the judge of "good and bad".
Fourth, we must trust they won't get hacked and their list either modified by adding or removing sites.
Don't fall into the trap of "Oh it's Opera, of course we trust them". Let me put it this way. If Microsoft announced this, what would your reaction be?
Re: (Score:2)
I trust you are aware that Microsoft announced similar antiphishing features [msdn.com] over a year ago, and just released them in IE7? And that Firefox 2 will also ship [slashdot.org] with similar functionality next week?
You don't have to imagine the reaction... just look back in the archives and read it.
Does anyone read anymore? (Score:5, Informative)
Re: (Score:2)
You must be new here.
IOW (Score:2)
Phone Home? (Score:2)
Blacklisting -vs- taking them down (Score:2)
It is unfortunate that the same thing can't happen to the web. I would rather the sites be taken down than blacklisted. Too bad Blue Security is gone...
I'm using it now (Score:2, Interesting)
Works great - Slashdot is trusted by GeoTrust, evidently.
There's a checkbox to "enable fraud protection." When this button is disabled you can still manually check the site via the same interface, but the check isn't automatic.
Open Trust Webs (Score:2)
If Opera also integrated structured personal info into trust levels, completin
This is for people who need protection against (Score:2)
People Like You (Score:2)
I said the trust servers, and vouchers for those servers, would ship with defaults. All a casual user would do would see whether a given page is trusted, as a function of those two layers they'd never see. More sophisticated users could set their "vouch servers", probably by their organizations tech support. Even more sophisticated users could pick their own trust serv
I smell BS (Score:2)
Do it yourself! (Score:2)
On the other hand, I think it's nice th
haven't they learned yet? (Score:2)
What makes them think they are flood-proof, against people that have thousands of zombies at their command?
a better idea (Score:2)
Re:Someone please cry foul (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You missed the point. It was to prove that ISP doesn't have to know everything you do.
Re: (Score:2)
Re: (Score:2)
In case you missed it, I didn't talk in regard to Opera. I responded to the statement that your ISP knows everything anyway. The point was that if you want, your ISP doesn't have to know everything.
Re:Someone please cry foul (Score:5, Insightful)
I expect that it will depend on the terms and conditions in the end, and that they will say 'we will not log or use your data in a user-specific manner (not even AOL style 'user == number' obfuscation, hehe), however we may use it to compile statistics on accesses to phishing sites', which could prove quite useful in anti-phisher court trials.
It's no different to IE7 or the next version of Safari. The best way to check a website is authentic is to check the URL against a blacklist and then tell the user in big red text in a way they'd be retarded to ignore about the threat. I do think it would be better to download the blacklist to the client and resync it often however.
How do the Firefox add-ins, IE7 and Safari 3 handle anti-phishing?
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2, Informative)
(according to Opera)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Re:Just matter of time (Score:5, Insightful)
Re: (Score:2)
Re:A respectful request to MOD PARENT UP. (Score:2)