Opera to Start Phoning Home?

An anonymous reader writes "Near the end of a story about Opera's determination to stay in the game: 'Earlier this week, Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said Tuesday in a blog that the next edition, Opera 9.1, will include beefed up anti-phishing and anti-fraud features. Rather than simply indicate that a site is secure with a notation in the address bar, Opera 9.1 will also query Opera-owned servers for information on any site visited. Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

Hmm Suits in the waiting?

[ackthpt]

Those that Opera has identifies as fraudulent will be automatically blocked by the browser.'"

Seems to recall this can lead Opera to trouble, like what happened with Spamhaus.

Re:

[Raumkraut]

From the artcle:
Our servers get the trust information from a database supplied by GeoTrust

  HTTP/1.1 303 See Other

Re:

[ackthpt]

From the artcle: Our servers get the trust information from a database supplied by GeoTrust

However, to get at GeoTrust, a party would likely have to sue Opera. IANAL, but Opera would, likely be viewed as complicit.

Can you see the up-coming /. headline?

c4n4d14n ph4m4c13 Files Defamation Claim Against Opera and GeoTrust

Re:Hmm Suits in the waiting?

[cshark]

I hate to ask an obvious question, but what if I didn't want this feature? I mean, aside from telling Opera everything I decide to do online, which gives me the heebeejeebees, I don't see the value that comes from giving up my browsing privacy entirely like this. Opera has been benign until now, however who is to say that the list of sites you visited wouldn't end up in the hands of certain entities whom you would rather not have them. Department of Homeland Security comes to mind. Blah bla Military Commissions act s950v, blah bla conspiracy, blah bla, etc.

Besides, I sometimes enjoy visiting phishing sites and giving them mountains of fake information.
It's fun, and something to do on weekends. It also means much more bunk data for the bad guys to sort through.
My civic duty I always say.

Don't you think a simple warning based on known patterns or wording is enough?

Re:Hmm Suits in the waiting?

[frdmfghtr]

It's fun, and something to do on weekends.

If this is your idea of "fun" on the weekends...you need to get out a little more :)

(he says as he plans to spend the weekend studying for a midterm exam)

Re:

[cshark]

I do. I have absolutely no life.

Re:

[Psykosys]

You could disable the feature.

(and yes, it's rather stupid of them if they don't end up making this an option)

speaking as a user of Opera from 1999...

[alizard]

I've enjoyed the cutting edge technology that somehow seems to work despite its being cutting edge for years. I've taken it along with me when I went from Windows to Linux. I've encouraged people to try it out both as a user and a technology writer for the last several years.

If I can't turn these features off, I'll stay in v9.0 until something better than Opera comes along or it can't be used with whichever Linux distro I'm going to be using.

I make the decisions about what my web browser downloads and

Re:

[cshark]

If I couldn't read, how would I post a flippant response to your flippant response? Get over yourself. You know they have clinics for people who take themselves too seriously.

Re:

[Afty0r]

I hate to ask an obvious question, but what if I didn't want this feature?

Then you turn it off in preferences?

Re:

[cshark]

Why yes! But short of an application level firewall, how do you know that it's working?

Re:Hmm Suits in the waiting?

[KC7GR]

Not necessarily. The Spamhaus suit was utterly without merit, as no one is forced to use the Spamhaus database. Mail blocking occurs ONLY if (a), the SysAdmin(s) at the ISP or host in question choose to check incoming mail connections against the Spamhaus database; And (b), if Spamhaus has listed the IP address(es) being checked in said database.

For the record: I've used Spamhaus to help protect our network for years. I've gotten NO false positives with their listings. Ever. That's more than I can say for the SPEWS list. I can't even count how many hours they've saved me over the years.

Anyway, back on topic: The only way I can see this causing trouble for Opera is if they don't provide a way for the user to turn the feature off. With that said, I think such a feature should be OFF BY DEFAULT, and left to the user to enable if they wish. The potential for abuse of this system (someone at Opera getting a wild hare up their tail, and listing a site they don't agree with for blocking) is mind-boggling.

Keep the peace(es).

Re:

[bhtooefr]

The people that need this feature are the ones that will be calling us to delete their OMGZSPYWAREZOHNOES!!111oneone1eleven! off of their PC, and then we install Opera and turn this on.

Oh, and this is nothing new. They used to send every URL (except local URLs, intranet URLs, and https URLs) to Google...

Re:

[EMR]

Depends..

If they implemented it similar to the way IE7 has implemented the Phishing option which is it asks you the FIRST time you run the browser (and everytime you upgrade to the lastest beta/rc/seemingly official release). And IE7 also does a *phone home* scenario to log and monitor the phishing sites just as opera will be doing, and the netcraft toolbar, etc.. This is nothing *new* or different. Heck this same concept and idea will be integrated into firefox 2.0 with the option to *phone home* to

Great feature realy.

[Kenja]

I relay like this idea, so long as it can be turned off. Based on my experiance with Opera so far I'd say that not only will it be able to be turned off, but that you can disable it on a server by server baises.

There's a reason I was willing to pay for Opera when it was still a commercial product. Now if only they would make a Symbian native version, the Java version has a hard time in landscape mode on my Nokia N93.

Re:

[mallardtheduck]

Im pretty sure the version on my N70 is native, could be wrong though...
Version 8.60
Build: 1657
Platform Symbian/S60

Re:Great feature realy.

[Ksevio]

Another thing mentioned in the blog posting is this: --- The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home". --- So it's not like they're sending everything back to opera without telling you what it is.

Re:I'd like it better....

[Shemmie]

Isn't this against everything we say when it comes to Microsoft? We're meant to be protecting Joe Six-Pack. Various features should ship with the default to 'on', so that those in the know are free to turn it off, but it still protects those who it would most likely benefit?

Re:I'd like it better....

[foamrotreturns]

One problem with your argument:
Joe Sixpack will not use Opera; he'll use IE. That's why we harp on MS for being so lax in security. They're targeting the lowest common denominator.

Re:

[krell]

Shemmie was equating "having spyware feature in browser turned on" with "increased security".

Re:

[krell]

Such spyware should not be turned on in the first place unless it asks. Browsers have no business connecting to anything other than material you directly link to, material that is linked to specifically in the pages you go to, and the DNS itself....unless you choose to make special exceptions.

The problem is easily solved with Opera asking (during the installation) if you want this feature turned on. The default choice would be "no."

Re:

[krell]

"Isn't this against everything we say when it comes to Microsoft?"

I recall "us" bashing Microsoft for having spyware enabled. This "phoning home" is a form of spyware.

It's NOT phoning home.

[ahknight]

It's not phoning home. There's been a lot of idiocy about that statement lately and the phrase is starting to suffer the fate of the apostrophe: people are just using it whenever they think it might apply.

Phoning home means sending personal, identifying information back to the author of a program, usually with nefarious intent. This is a feature that uses an Opera server in a non-identifying way to determine if the site you're going to is fraudulent. Huge difference.

And you can probably turn it off. Yet another thing that you cannot do with software that is "phoning home" in the traditional definition.

Come on, folks. There's privacy and there's paranoia. I know a lot of you haven't left home in a few weeks, but try to stay in touch with reality, okay? The foil hats do nothing...

Re:

[Phroggy]

Phoning home means sending personal, identifying information back to the author of a program, usually with nefarious intent. This is a feature that uses an Opera server in a non-identifying way to determine if the site you're going to is fraudulent. Huge difference.

Sorry, no. Phoning home means the application is contacting its creators, regardless of what information is being sent or retrieved. The most common purpose of this is to check for updated versions of the software, and to notify the user when o

Re:

[ahknight]

Sorry, no, it's not that [wikipedia.org].

Just because that's what you call it doesn't make that the definition.

secure...says opera?

[otacon]

Well the fact that opera will check EVERY site someone goes to against their own server might work in theory...but does anyone really want all their web use data to be tracked by a server?

Re:

[nine-times]

I guess it makes some difference whether they are, in fact, tracking web-use data. If Opera chooses, they could respond to requests without logging user information or IP addresses.

Re:

[otacon]

Well, anyone could easily say the traffic isn't being logged and the server is just processing requests, which could easily be true. But how easy would it be to log that data and no one be the wiser?

Re:

[Anonymous Coward]

As easy as Opera operating from Norway, which is a country with extremely strict privacy laws? Also, as easy as Opera not being known to abuse user data in the first place, and already having Opera Mini, which means that ALL sites you visit have to go through Opera's servers, and Opera Mini probably has more users than the PC browser anyway?

Re:

[bubkus_jones]

Even if Opera was automatically logging every site you go to, you still have a say in the matter. You can either choose to use Opera, and put up with their possibly knowing every website you visit, and potentially locking you out of a site that someone may find questionable, OR you can choose not to use Opera, and use something that respects your privacy.

Re:

[hkmwbz]

Or you can disable the feature. Or you can choose to not trust anyone, and simply disconnect your PC completely because you can't trust anyone (which includes your ISP).

Re:

[CastrTroy]

Also, unless the requests are sent encrypted I imagine that somebody sitting outside opera's server, could intercept the requests and use them for whatever they wanted.

Re:

[nine-times]

That's why I think it should be optional as well.

Re:

[techno-vampire]

It shouldn't be hard to find out the server's IP address and the format of the request. Once you have that, DDOS and every single person using Opera is hosed. Not exactly a smooth move, Mr. Exlax!

Re:

[risk one]

Hosed? Surely the service would fail gracefully, inform the user of the problem and Opera users would simply have to browse as they do now, without having their traffic checked. Doesn't really qualify as 'hosed' to me, or any decent reason to go through all the trouble of ddossing a service that is used to serving data every time an Opera user loads a page. It would take more than a simple bot net to get that down.

Re:secure...says opera?

[sammydee]

RTFA:

"When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless."

It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.

Re:secure...says opera?

[Kjella]

It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.

If the hash is simply of the path, it should be fairly trivial to create a rainbow table. Most sites that use some sort of ID like:
http://foo.com/articles.bar?id=5003242 [foo.com]
would be trivial given a pattern, which would easily give you detailed tracking for many sites. And the domain name itself can tell quite a bit...

Re:

[Alchemar]

They have to extrapolate it. How else do they know it is valid. The only way for this to work is to have table of hash values for know phishing sites. It is nothing to include a second table for all the sites you want tracked.

Re:

[Schraegstrichpunkt]

On the other hand, it's trivial to search for particular URLs. Getting a list of users who have visited a specific site in the last 30 days wouldn't exactly be hard.

Re:

[Rudolf]

It only sends a hash of the web address. It would be difficult to extrapolate the whole address from a hash.

If it's only a hash, and not the full address, then won't there be collisions? Could this lead to falsely blocking harmless sites?

For example, what if the hash for yro.slashdot.com collides with www.pay_pal_lookalike.com?

Re:

[Phroggy]

So all the spammer has to do is set up wildcard DNS so *.phishing.example.com all points to the same place, then send e-mails with unique URLs:

http://001.phishing.example.com/clickme.php [example.com]
http://002.phishing.example.com/clickme.php [example.com]
http://003.phishing.example.com/clickme.php [example.com]

Or, without using DNS at all, just use unique paths:

http://172.16.255.42/001/clickme.php [172.16.255.42]
http://172.16.255.42/002/clickme.php [172.16.255.42]
http://172.16.255.42/003/clickme.php [172.16.255.42]

As an added bonus, if the spammer keeps a database of which unique URLs were sen

Re:secure...says opera?

[timeOday]

It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all. If these fraudlent sites are verified by hand by people at Opera, there could only number in the tens of thousands.

Re:

[elcid73]

They are verified by GeoTrust.

I agree with your statement though. It would be nice to just update the list concurrently on the client.

Re:

[perler]

problem is, that this would be the first file a spyware would alter/delete. see %sysvol%\%system32%\drivers\etc\hosts PAT

Blacklist vs. Check-every-time

[Lagged2Death]

It might be better if Opera simply maintained an client-side blacklist of fradulent sites/domains, which was updated in the background while the browser is running. That way they wouldn't have to track your browsing at all.

As several others have pointed out, Opera will be taking some pains to avoid doing anything that would even make it possible for them to track users. Not to go all Opera-fan-boy on you, but Opera has been relatively privacy-concious for longer than the other browser organizations. If yo

I'm sure that...

[justinbach]

the Opera users among us will have some interesting things to say about this. Both of them!

Re:

[justinbach]

Yeah, I know. I actually use Opera too, and I didn't mean any harm by...wait a minute. I DON'T use Opera. I've had it installed for quite a while, but I'd only use it if Safari, Firefox, and Camino all bit the bullet.
I'd definitely hit it up before IE, though!

Re:I'm sure that...

[elcid73]

It's the native mouse gestures,MDI tabs (I can tile them with a mouse gesture!) and excellent caching of history (I'll tell you when to reload the page dammit.. I *want* the old data) that got me.

If I used a Mac, the speed of Safari is not something I would overlook though. I would find one of those mousegesture additions (cocoa gestures or some such?) though.

eh, to each his own.

Indeed I do.

[Poromenos1]

The request Opera sends is a hash of the URL instead of the URL itself.

Would the second Opera user like to comment?

Re:

[Poromenos1]

Well, obviously. If they didn't know, how would they check?

Re:I'm sure that...

[VGPowerlord]

I've found that since Opera went free, and people keep talking about this "Firefox memory leak" thing, the voices in support of Opera on Slashdot have grown considerably.

Yeah. I didn't start using it until:
1. It was free.
2. Firefox's developers pissed me off. This wasn't related to the memory leak bug, but that definitely contributed to me switching instead of just grinning and bearing it.

I blame #1 for me not discovering the greatness of Opera earlier.

That's fine if it's configurable and secure?

[djh101010]

As long as I can turn it off, or turn it off for certain types of sites, that's fine. I'm not sure what this does for me that, say, Netcraft Toolbar doesn't. Is the data stream encrypted back to Opera? Can others intercept that and use it as a spam-target tool somehow? All questions I'd want answered before I'd use it.

Re:That's fine if it's configurable and secure?

[TheoMurpse]

I'm not sure what this does for me that, say, Netcraft Toolbar doesn't.

Opera confirms: Netcraft is dead.

It's not encrypted.

[Poromenos1]

The data is not encrypted. They wanted you to be able to see what your PC is sending. Plus I doubt they'll be useful to anyone else.

why wouldn't i trust him

[Anonymous Coward]

Well, with a name like Borg, I can't think of a reason why I wouldn't trust what he has to say...

Re:

[Anonymous Coward]

Good job #1845829 - you shouldn't be thinking for yourself anyway. Now get your ass back on this goddamned flying box so we can assimilate our next target.

Privacy concern

[Arthur B.]

Tell me what they send to their server is actually a hash of the URL with a huge salt.

Re:

[Ironsides]

Tell me what they send to their server is actually a hash of the URL with a huge salt.

If they did this then one of two things would happen.
1) Collisions where non-Phishing sites would be blocked as Phishing sites.
2) They would be able to figure out what the original site was anyway as they are the ones who created the hashes. Otherwise, they wouldn't be able to look for duplicate entries or not and the hashes wouldn't mean jack.

Everythings going to be in the clear. The only thing is to make sure th

Re:

[Arthur B.]

1) very unlikely with a good hash or combined hashes 2) no they wouldn't, they'd try to hash every phishing site with every salt to see if it matches your hash... sure they could see if you watch specific sites, but it certainly mitigates the amount of information they can get about you, they can't know exactly all the sites you look at. If their entry are user submitted, the user submission can be done in clear text, no problem.

Okay...

[Poromenos1]

From Opera's RSS feed:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

So yeah.

Re:Privacy concern

[Anonymous Coward]

Tell me what they send to their server is actually a hash of the URL with a huge salt.

From the linked blog [opera.com]:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

Presumably, it's because of the following:

The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".

dont they all do this now?

[Deathlizard]

I know IE7 phones home, and fireefox 2 does too for anti-phishing. They both can also be disabled by the user.

I don't see how this is any different than what MS or mozilla is doing. As long as it can be disabled by the user it should be ok.

Re:

[elcid73]

They use white or blacklists. Meaning it phone's home just to get a big list of all at once.

Opera checks each as you go.

Pro: it's updated as fast as GeoTrust is.. you don't have to wait for your nightly download (or whatever frequency) so you get the most reponsive phishing filter.

Con: The reason this is a headline at all. ..Still, it will be able to be turned off and it's largely not all that different from MS or FF.

Re:

[Kelson]

Actually, IE7 can check each site as you go [microsoft.com], and Firefox 2 has two modes: one that checks against the blacklist, and one that checks each site as you go (look in Tools/Preferences/Security).

So yes, each browser will have a mode which will send nearly every URL you visit to a third party for checking against phishing sites.

Re:

[elcid73]

Yeah. I made note of that in one of the other responses I had in here. I don't really see why this is a headline at all.

If you have a slider with Safety/security on one side, and Privacy on the other, all three browsers let you adjust where that slider falls.

Browsers have to balance timeliness of updates against the fast moving phishing schemes with letting the users feel maintain a sense of security. It's strange though, like others have mentioned, Opera Mini seems to get away with this just fine as wel

Re:

[AKAImBatman]

Geez, everyone is phoning home these days. Who's next, E.T.?!?

Re:dont they all do this now?

[Vexorian]

1 How does the Phishing Protection feature work in Firefox 2?
Phishing Protection is turned on by default in Firefox 2, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled. Since phishing attacks can occur very quickly, there's also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Security preferences pane.

http://www.mozilla.org/projects/bonecho/anti-phish ing/ [mozilla.org]

Johan Borg????

[gstoddart]

Johan Borg??? Oh, the irony. The diversity of your websites will be added to our own. Resistance is futile.

What an unfortunate surname to be working in the tech field. :-P

Borg?

[Akardam]

Sounds Swedish...

This forces a huge amount of trust in them...

[Pvt_Waldo]

First, we must trust they will not leak the data of "who surfs what".

Second, we must trust they will not get hacked and this information stolen.

Third, we must trust them to be the judge of "good and bad".

Fourth, we must trust they won't get hacked and their list either modified by adding or removing site.

Don't fall into the trap of "Oh it's Opera, of course we trust them". Let me put it this way. If Microsoft announced this, what would your reaction be?

Re:

[Kelson]

Let me put it this way. If Microsoft announced this, what would your reaction be?

I trust you are aware that Microsoft announced similar antiphishing features [msdn.com] over a year ago, and just released them in IE7? And that Firefox 2 will also ship [slashdot.org] with similar functionality next week?

You don't have to imagine the reaction... just look back in the archives and read it.

Does anyone read anymore?

[scoobrs]

Does anyone bother reading before commenting anymore? The feature will be able to be switched off at will, even on a site-by-site basis, and they will toss out source IPs at Opera if you choose to use it. The main reason they do it this way instead of downloading lists like mozilla and IE is that lists can be obsolete and phishers can be onto promoting their next scam by the time the lists are updated on clients. Besides, Opera is in Norway and outside Department of Justice jurisdiction for spying requests. If you don't like it or are sophisticated enough that you don't need it, turn it off.

Re:

[Nimey]

Does anyone bother reading before commenting anymore?

You must be new here.

IOW

[evronm]

Opera announced an addition that will keep it in step with its rivals. Johan Borg, a developer working on the browser, said

I think he was misquoted. What he really said was "Firefox and IE are irrelevant."

Phone Home?

[e2ka]

well I'll be damned if I use this software on a computer with a network connection then!

Blacklisting -vs- taking them down

[MobyDisk]

If there is a store in my neighborhood that is known to pickpocket customers, the police come and arrest the pickpocketers. They don't hand-out a blacklist of those stores.

It is unfortunate that the same thing can't happen to the web. I would rather the sites be taken down than blacklisted. Too bad Blue Security is gone...

I'm using it now

[elcid73]

I'm using the weekly build. So far, nobody has knocked on my door.

Works great- slashdot is trusted by geotrust evidently.

There's a checkbox to "enable fraud protection." When this button is disabled you can still manually check the site via the same interface, but the check isn't automatic.

Open Trust Webs

[Doc Ruby]

Why does Opera have to own the servers? Why can't it include several defaults, like its own servers, for "trust ratings", factoring in webserver certificate status (exists, expired, corrupt, etc)? And let users choose which "trust servers" they want to use to validate trust. Even better would be another layer which reviews trust servers for trustworthiness, to which users can subscribe to decide how much to trust which webservers.

If Opera also integrated structured personal info into trust levels, completin

This is for people who need protection against

[Chuck Chunder]

phishing. Do you seriously think these are the sort of people capable of making competent, informed decisions about "trust servers"?

Even better would be another layer

For fucks sake, what planet are you on? This sort of thing needs to "just work" otherwise it is useless for 99% of the people who would actually benefit from it.

People Like You

[Doc Ruby]

Why don't you stop talking out of your fucking ass, and just read my post which makes clear how my system makes it totally easy for the user?

I said the trust servers, and vouchers for those servers, would ship with defaults. All a casual user would do would see whether a given page is trusted, as a function of those two layers they'd never see. More sophisticated users could set their "vouch servers", probably by their organizations tech support. Even more sophisticated users could pick their own trust serv

I smell BS

[GodfatherofSoul]

Why doesn't Opera just push out a current list of badly behaving links, rather than having users ping their site each time? Seems like browser-local cache is better in every regard except for the staleness problem. Unless you have ulterior motives...

Do it yourself!

[scovetta]

I did a little writeup [scovettalabs.com] on this kind of thing a while back. Since all of the major browsers support a "proxy autoconfiguration" file, you simply a flat file on some server that returns a non-existent proxy address for URLs that you want to "block". So you don't need to use Opera's, just have someone run such a service and point your autoconfig there. A general "URL/IP Blacklist" could easily be built into browsers (as I'm sure there's a Firefox extension around for it).

On the other hand, I think it's nice th

haven't they learned yet?

[v1]

Every time some single internet entity tries something to stop spam, banners, or viruses, the dark forces they are trying to stop collaborate against them and next thing you know your server is a smouldering pile od slag attached to what's left of the stain on the table that was your router.

What makes them think they are flood-proof, against people that have thousands of zombies at their command?

a better idea

[NynexNinja]

A better idea would be to offer a plugin (which might be included by default but turned off by the user at installation time) that periodically syncronizes with a remote database of "bad" sites. This is basically what AdBlock + FilterSet.g plugin does for firefox, only it deals with ad blocking instead of phishing sites....

Re:Someone please cry foul

[hkmwbz]

Your ISP can track everything you do. That must mean that they are abusing their position. Why get Opera to track your surfing when your ISP could do so much more efficiently?

Re:

[trifish]

Actually, no. If you open a SSL connection (you know, the https thing), the URLs you request from the server are encrypted (so your ISP donesn't know what files or documents you download from the server).

Re:

[trifish]

And if you connect to a proxy via SSL, you can browse any sites without your ISP knowing. The ISP will only know you connected to a proxy in China (or wherever) and that's it. No URLs, no domains, just strongly encrypted packets.

Re:

[trifish]

Why via proxy and via SSL? Because why would a nerdy admin working for your ISP should be allowed to read everything I read, download and upload, and why should he know the URLs where I do?

You missed the point. It was to prove that ISP doesn't have to know everything you do.

Re:

[trifish]

Yes, and do you expect a proxy admin in North Korea to disclose your searching habits to someone from the US?

Re:

[trifish]

> Besides, setting up a secure proxy is a hell of a lot more work than simply disabling the anti-phishing feature in Opera.

In case you missed it, I didn't talk in regard to Opera. I responded to the statement that your ISP knows everything anyway. The point was that if you want, your ISP doesn't have to know everything.

Re:Someone please cry foul

[bestinshow]

That's if they log the requests - given that they're a Norwegian company, they have some pretty tough privacy laws to content with.

I expect that it will depend on the terms and conditions in the end, and that they will say 'we will not log or use your data in a user-specific manner (not even AOL style 'user == number' obfuscation, hehe), however we may use it to compile statistics on accesses to phishing sites', which could prove quite useful in anti-phisher court trials.

It's no different to IE7 or the next version of Safari. The best way to check a website is authentic is to check the URL against a blacklist and then tell the user in big red text in a way they'd be retarded to ignore about the threat. I do think it would be better to download the blacklist to the client and resync it often however.

How do the Firefox add-ins, IE7 and Safari 3 handle anti-phishing?

Re:

[The Masked Marauder]

Why the hell would a Norwegian company hand anything over to the US DOJ? America can't really tell the rest of the world what to do you know, Bush just wants you to think that!

Re:

[CastrTroy]

Would you be fine with it if MS had the same feature in IE, had it enabled by default, but allowed it to be turned off? Never mind most users wouldn't know about it, but they could turn it off. It's not like MS would ever use this kind of data for Evil purposes, or surrender the data to the DOJ on request. Shouldn't something like this only be explicitly opt-in, and only if the user goes searching for it? I wouldn't even bother building a system like this. Too many problems that can happen with it. Wh

Re:

[elcid73]

"Why not have users download a list every so often?" ...because "every so often" is "not often enough" when it comes to phishing.

(according to Opera)

Re:

[CastrTroy]

How often does opera update it's servers? Is it often enough? Is it immediately after the site is put up, even before anybody knows about it? How about every time you want to visit a URL, it gets a list of everything that's been added since you last clicked, probably a short or empty list most times, and uses that. That way, you don't have to update every so often, because it updates before you go to any site, and you don't have to worry about them finding out which sites your visiting.

Re:

[CastrTroy]

The point is, is that maybe not you, but many other people would be crying foul if MS was doing this, because there's simply no way of knowing what they are doing with the data. Because it's opera, we assume that they aren'd doing anything, or we just hope they are, or we assume that their users are smarter than average and will know to turn it off if they don't want it. However, I think that if MS put in the same feature, we'd be saying that it was a breach of privacy, because most people are too uninfor

Re:

[hkmwbz]

Your ISP is as much of a "random company" as Opera Software is. Opera Software is located in Norway, which apparently has extremely strict privacy laws. You also need to consider a company's track record. Opera Software also has the mobile browser Opera Mini which always goes through Opera's servers which do the rendering for the Mini client, and no one has cried foul so far.

Re:Just matter of time

[animaal]

Which government? Norway isn't (yet) subject to the U.S. government.

Re:

[hkmwbz]

What logs? Who says that they are logging anything?

Re:A respectful request to MOD PARENT UP.

[symbolic]

This stuff is not trivial.