Batu69 Posted April 23, 2016

Yesterday, Opera announced they’ve added a free VPN client with unlimited data usage in the latest developer version of their browser. Sounds great, doesn’t it?

Michal Špaček, a web developer and security engineer based in Prague, researched the way Opera’s VPN works and discovered there’s more marketing than security behind Opera’s claims.

“What Opera offers is not a VPN as such. It’s just a proxy for the browser. You still need a full VPN if privacy is what you care about (and you should care about your privacy). Other tools you use, including for example email clients like Outlook, won’t use this ‘VPN’,” Špaček told Help Net Security.

“There’s also a potential privacy issue: when setting up the VPN, the browser requests something called device_id, this is subsequently sent in every request to the proxy and it survives browser restarts and reinstalls unless you also delete your user data when uninstalling. This might be used for user tracking for whatever purpose,” Špaček added.

How the “VPN” works

Once the user enables the feature in settings, Opera VPN sends API requests to https://api.surfeasy.com to obtain credentials and proxy IPs. The browser then talks to a proxy like de0.opera-proxy.net, and its IP address can only be resolved from within Opera when the VPN feature is turned on.

It’s an HTTP/S proxy that requires authentication. When the Opera browser with enabled VPN loads a page, it sends many requests to de0.opera-proxy.net with a Proxy-Authorization request header.

The Proxy-Authorization header decoded:

CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE67 4A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3

Since we’re talking about a proxy, these credentials can be used with de0.opera-proxy.net even when connecting from a different machine. This means that if you use the proxy on a computer with no Opera installed, you’ll get the same IP as when using Opera’s VPN.
A caution on proxies

“I am a bit surprised by Opera in this case. A proxy is a proxy, usually for one specific service. A VPN is usually an encrypted tunnel for all services going out of our computer to a remote host, before it gets decrypted and then forwarded to its final destination. While Opera may have done this little tweak of definitions with the best intentions, end users should understand that this free service by Opera is nowhere near the security provided by a real VPN solution,” Per Thorsheim, founder of PasswordsCon, commented.

At the time of writing, Opera Software was not available for comment. We’ll update the story if we get an official statement.
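A privacy check for the behaviour the article describes, added here as an example and not taken from the article, Opera or SurfEasy: it decodes Proxy-Authorization values from captured request headers and reports any identifier that recurs across browser sessions. It assumes the header uses the Basic scheme (base64 of `id:secret`); the capture data, session labels and function names are constructed for illustration.

```python
import base64
from collections import defaultdict


def decode_proxy_auth(value):
    """Split a 'Basic <base64>' Proxy-Authorization value into (id, secret)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # Base64 is an encoding, not encryption: anyone who sees the header
    # can recover both parts. Decode errors are ValueError subclasses.
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    ident, sep, secret = raw.partition(":")  # secret may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return ident, secret


def persistent_identifiers(captures):
    """Map each decoded id to the sessions it appeared in, if more than one."""
    seen = defaultdict(set)
    for session, headers in captures:
        value = next((v for k, v in headers.items()
                      if k.lower() == "proxy-authorization"), None)
        if value is None:
            continue
        try:
            ident, _ = decode_proxy_auth(value)
        except ValueError:
            continue  # other schemes or malformed tokens are skipped
        seen[ident].add(session)
    return {i: sorted(s) for i, s in seen.items() if len(s) > 1}


def _basic(ident, secret):
    """Build a constructed sample header value."""
    return "Basic " + base64.b64encode(f"{ident}:{secret}".encode()).decode()


# Constructed capture (not real traffic): (session label, request headers).
SAMPLE = [
    ("run-1", {"Proxy-Authorization": _basic("AAAA1111", "secret-one")}),
    ("after-restart", {"proxy-authorization": _basic("AAAA1111", "secret-one")}),
    ("after-reinstall", {"Proxy-Authorization": _basic("AAAA1111", "secret-two")}),
    ("fresh-profile", {"Proxy-Authorization": _basic("BBBB2222", "secret-three")}),
    ("fresh-profile", {"Proxy-Authorization": "Bearer not-basic"}),
    ("fresh-profile", {"Host": "example.test"}),
]

if __name__ == "__main__":
    for ident, sessions in persistent_identifiers(SAMPLE).items():
        print(f"{ident} reused across sessions: {', '.join(sessions)}")
```

An identifier that still appears after a restart or reinstall is the kind of stable value the article warns could be used for tracking.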
steven36 Posted April 23, 2016

6 hours ago, Batu69 said:
A VPN is usually an encrypted tunnel for all services going out of our computer to a remote host

According to this article it depends on the type of VPN; it does not exclusively have to run through the whole computer to be called a VPN. A VPN that only works in your web browser is an SSL VPN.

SSL

Quote
SSL or Secure Socket Layer is a VPN accessible via https over web browser. SSL creates a secure session from your PC browser to the application server you’re accessing. The major advantage of SSL is that it doesn’t need any software installed because it uses the web browser as the client application.

http://techpp.com/2010/07/16/different-types-of-vpn-protocols/

And if you read at Opera, they already say they use proxies.

Quote
Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world. It will not route the traffic from other applications – as a system wide VPN would do – it’s a browser VPN after all.

http://www.opera.com/blogs/news/2016/04/opera-doubling-server-capacity-vpn/

Some features the browser doesn't have yet, so you have to install the extension to install Google Chrome extensions and import them from there to block Canvas and fully block WebRTC.