Opera Backstage: Opera 9.1 will include Fraud Protection

By borg. Tuesday, 17. October 2006, 13:11:05

anti-phishing, fraud protection, anti-spoofing

As presented at the Opera Backstage event in London today, Opera 9.1 will include enhanced fraud protection. Today we display the name of the certificate owner in the right end of the address field when you're on a secure site. In 9.1 we will reuse that field to display more information about the trust level of the site you visit.

When you go to a new site for the first time, Opera will check against a database if the site is trusted or if it is a known fraud site. If we know the site, there will be a small information "i" in the right end of the address field. If it's unknown/not verified there will be a "?" and if it's known as a fraudulent site we will display a warning and block the user from accessing the site.

The browser sends only the minimum information the database needs to identify a fraud site. When a result is received by the browser, it will be cached there for some time, so it doesn't have to check again if you go to the same site often.

- Why don't we use a downloaded blacklist like Firefox 2?

Firefox 2 only checks against a blacklist unless you turn on real-time protection from Google or other providers. We feel that only real-time protection is real protection, since phishing attacks tend to be more and more like virus attacks, most of their damage is done in a very short time.

- Why don't we use a downloaded whitelist like IE 7?

This makes some sense, especially to save bandwidth for our servers. But for the privacy-concerned user, we don't think it changes anything, since it's typically the more obscure sites that you really want to keep to yourself. We've made it easy to turn on and off the fraud protection from the information dialog you get when clicking the icon.

More technical details:

When you browse to a site you have not visited before, the browser sends a request for site information to our server. The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

The reply from the server is an XML document containing the trust level of the domain. This reply will be cached by Opera for a time indicated by our server. This means that information about well-trusted sites can be cached for a longer period than for unknown sites.

We don't store information on our servers that let us track individual users. IP addresses are discarded and we don't use cookies or other session information. No information goes directly to third parties, all communication goes through our own servers. Our servers get the trust information from a database supplied by GeoTrust, who have a long experience with anti-fraud solutions.

The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".

Yeah, yeah, next week we should have something..Introducing new bugs

Comments

Yeah!
Great!
Regards

By vladann, # 17. October 2006, 19:15:20

cannot wait any more for the new version!

By cloudssunshine, # 17. October 2006, 19:19:17

@cloudssunshine: I cross my fingers that we can give you a weekly with it this friday

By borg, # 17. October 2006, 19:22:11

won't make this browsing abit slower?and then opera wouldn't be the fasted browser on earth.

Can this be disactivated?

By shadowk, # 17. October 2006, 19:23:15

Shadowk was first out of the shoot with the questions that I'm sure everyone is going to be asking with exception to privacy concerns that, even though you address them quite clearly, will still be asked.

Will there be demo URLs for use to play around with so we can see the expected behavoir?

By Eddie_Lopez, # 17. October 2006, 19:26:13

shadowk: "We've made it easy to turn on and off the fraud protection from the information dialog you get when clicking the icon."

This sounds very cool. Although I believe that common sense is the greatest defense, this will prevent mistakes and hopefully eliminate (or greatly reduce) people entering bank details into fraud sites.

By AndrewNi, # 17. October 2006, 19:27:51

@shadowk: 1. Opera displays the page even if the fraud-check-server didn't response yet, so it will in no way be slower. 2. the text says whether it can be disabled or not

By larskl, # 17. October 2006, 19:30:00

Speed will not be affected, everything is done asynchronously and the content load is really minimal.

We can publish demo URLs for the blocking screen, yes.

Common sense is the best defense, and many of you here may not need it, but when we install Opera for our friends and family it's an extra layer of protection.

By borg, # 17. October 2006, 19:32:03

Great! More security! It appears that although it will be annoying at first these changes won't wreck something else (unlike any Microsoft security update).

By klingoncowboy4, # 17. October 2006, 19:33:20

@fearphage: The 'Stop executing scripts on this page' checkbox is intended to help you out of neverending scripts. It's a last resort to regain control of your browser, not intended to be used to set site preferences.

By borg, # 17. October 2006, 19:49:42

I see. Is there any way to re-enable scripts on the page without closing the browser?

By fearphage, # 17. October 2006, 19:55:11

I'd really like to see two new options:
1. minimize to tray when closing,
2. editable User Agent string - usefull for example in phpBB with OS icons, when I want to be more specyfic (Gentoo Linux instead of Linux x86_64).

Both don't require much coding.

By manwe_, # 17. October 2006, 19:55:58

I'm not sure if I like the UI.

It adds even more clutter in addressbar. RSS, widgetize and now trust level. I have other items on my address toolbar and my address input box is getting too short

GeoTrust probably doesn't have information about most websites I visit, so I'd have [?] in UI most of the time. I find this symbol intriguing and calling for attention. I'd prefer more neutral UI (nothing added to addressbar?) for unchecked websites.

Why send domain in clear text and not hash as well?

Whitelist of safe domains makes sense to me. With 16 bytes per domain hash, you can include plenty in the default install.

BTW: is that a full-blown pop-up window? Will it be modal or always-on-top? If not, what if user clicks main window? What if user closes or navigates away from suspectd page without closing alert?
How about alert made similar to "block content" toolbar?

By porneL, # 17. October 2006, 19:56:17

I think this is a good feature with the climate of the internet today. Thanks

By Michael83815, # 17. October 2006, 19:56:30

Please do not use this blog post for unrelated feature requests, bug reports, or questions. If you have questions or comments about the fraud filter, this is the right place.

By Junyor, # 17. October 2006, 20:01:51

@porneL: *One* of the reasons for not using a hash for the domain part is that we're not entirely sure that you can't create another domain that "steals" the good rating of a site with the same hash value. You don't have that problem with blacklisted URLs: nobody would try to get a hash that matches a bad rating.

The warning takes over the entire tab, so you really can't miss it. Even if you choose to continue to the fraud site, the right end of the address bar will be red and display a warning.

By borg, # 17. October 2006, 20:07:24

Will this protection include scam e-mails ??
Like, I got this for paypal, scam of course !
http://ogk-duffel.be/img/.www.paypal.com/webscr=auth/index.html

By xErath, # 17. October 2006, 20:15:19

@xErath: Opera will not check a URL in an e-mail before you visit it, but then we will block you from seeing it if the page is a known fraud.

By borg, # 17. October 2006, 20:19:52

@xErath: They already got to that site (404'd). Very few spoofs stay up for long. Paypal, ebay, etc have huge teams working on that.

By fearphage, # 17. October 2006, 20:20:09

nobody would try to get a hash that matches a bad rating

Except websites that are rebeling against their parent (website) by exhibiting bad behavoir:

Parent website: Young site! You are *not* going live with that hash value! Now you march right back to your development server and rethink your hash.

Rebel: When am I going to ~~be old enough~~have enough google ranking to use the subdomains that *I* want. You can't choose my paths!

Parent: As long as you're in my domain, you'll follow *my* paths!

Rebel: *under breath* As soon as I go live, I'm *totally* changing my hash value to some paypal scam site. See what *that* does for your precious customer relations..

By Eddie_Lopez, # 17. October 2006, 20:22:21

Great Work!!!
Impressive feature

By ThArGos, # 17. October 2006, 20:25:40

@Eddie_Lopez: Hehe

As long as we send the domain name, we at least have some flexibility to automatically double-check such special cases on the server side.

By borg, # 17. October 2006, 20:28:03

@xErath: Just tested your paypal scam link in Opera 9.1, and I was instantly blocked by the fraud protection feature. It works

@Eddie_Lopez: You'll get your chance to try it out pretty soon..

By borg, # 17. October 2006, 20:31:41

Just tested your paypal scam link in Opera 9.1

Well.. I'm suspicous by nature. My father told me not to take things at face value and to get out and try and explore them myself.

So if you'll just email me the installer for 9.1, we'll get to the bottom of this.

By Eddie_Lopez, # 17. October 2006, 20:33:16

Great...Secuiry is big deal. Congrats !!

and what about compatibility ?

Bye.

Andres Ruiz

By andresruiz, # 17. October 2006, 20:36:49

BORG:
"...Our servers get the trust information from a database supplied by GeoTrust, who have a long experience with anti-fraud solutions."

http://www.geotrust.com/ :
"July 25, 2006, GeoTrust’s TrustWatch Search Extension Now Available for Top Three Search Engines in Mozilla Firefox and Flock Browsers"

bye

Andres Ruiz

By andresruiz, # 17. October 2006, 20:42:35

When computing the hash value, does it just consider the path in the URL, or CGI parameters as well?

(Assuming I already know the answer to this, since you guys aren't idiots

)

By MagicM, # 17. October 2006, 20:44:56

Originally posted by Eddie_Lopez:

So if you'll just email me the installer for 9.1, we'll get to the bottom of this.

Nice try

By haavard, # 17. October 2006, 20:45:16

Will there be a way to globally deactivate this feature?

Will the "delete private data" feature be updated to delete the .xml file with this cache data?

While this could be very helpful in protecting users, I can see a lot of users worrying about the fact that every site someone visits gets sent to Opera.

By lexluthor5, # 17. October 2006, 20:45:41

Beautiful... waiting for friday!

By igorditerni, # 17. October 2006, 20:48:04

By Tamil, # 17. October 2006, 20:53:07

@lexluthor5: Delete private data should delete these xml files as well. The feature can be globally deactivated from the security information dialog you get when clicking the icon in the address bar.

Basically, there are two types of users: Those who are so careful about their privacy that they don't want or need the extra protection, and everyone else.

On the other hand, even if I don't feel very vulnerable myself, there is some "entertainment" in seeing if the site I visit is among the verified ones or not

By borg, # 17. October 2006, 20:55:44

Originally posted by fearphage:

@xErath: They already got to that site (404'd). Very few spoofs stay up for long. Paypal, ebay, etc have huge teams working on that.

For me the website is still on.

Originally posted by borg:

@xErath: Just tested your paypal scam link in Opera 9.1, and I was instantly blocked by the fraud protection feature. It works

Great !

By xErath, # 17. October 2006, 20:56:12

Nice try

wha? I'm just *very* security minded. I'm very concerned about the safety of my fellow Opera-teers

As such, I throw myself on the sword of risk... headstrong into the fray (against the wishes of Frey) and prostrate my browsing environment before the whims of the company to test the choppy, sometimes indiscernable waters of phishing,scamming, and uncertainty.

I do this for my fellow Opera browsers in the name of... ah heck, the weekly will probably be release before finish this.

By Eddie_Lopez, # 17. October 2006, 20:58:36

Don't worry, you'll all get to test it well before it is released as a final version

And we will of course keep a careful eye on the feedback.

By haavard, # 17. October 2006, 21:03:11

Oh, and don't worry: We'll throw in a bug or five in the weekly, so you have something to hunt for

By borg, # 17. October 2006, 21:09:23

Wonderful, I can't wait to get the fresh weekly into my hands

By Stasiek_j, # 17. October 2006, 21:11:38

Finally a reason why I should install Opera on my parents PC. Until now, I have left them with IE6, as it has none of the compatability hedaches of Opera, and Opera offered no philshing features over IE6.

By mgillespie, # 17. October 2006, 21:15:04

@mgillespie: IE7 will contain parts of what we offer in 9.1, but we're pretty confident you will prefer our way if you test them both

By borg, # 17. October 2006, 21:21:09

Great!!!!

Congratulations!!!

I have one suggestion:

- Desktop Search (like Copernic or Yahoo) plugin in Opera.
- Integrated anti-spy and anti-adaware Widget like in Nestcape 8.1.2
- Instant Messenger Widget multi-client (Yahoo; Google Talk; Gabber; MSN Messenger;...).
- ;-)

By javier, # 17. October 2006, 21:54:08

What about other bugs like the one regarding media keys are you at least working on these?
Also will you improve JavaScript further in v9.1, so that sites that heavilly relly on JavaScript like Meebo and Digg will work corectlly?
What about the email client will it be updated in the near future as it has been left behind a little.

By Nemok, # 17. October 2006, 21:58:37

I would prefer a less ugly version, both of the warning site and the i/?-icons, but whatever

As long as I can turn it off (globally), I'll be happy.

By PaiTrakt, # 17. October 2006, 22:17:25

@PaiTrakt: The screenshots are from internal builds. We're working on new icons for the final version.

By borg, # 17. October 2006, 22:20:33

awesome, so, when will this be released?

also, adding on to what paitrakt said, i think the warning page should look like the other opera-generated pages (like for file listing, opera:about, etc).

By samkline, # 17. October 2006, 22:23:03

I would like these features/fixes:

1. 100% custom ua string
2. mediakeys fixed
3. greasemonkey functions support

ty

By healer, # 17. October 2006, 22:27:26

Looks nice, it'll be very exciting to see the next weekly

By Daedalus, # 17. October 2006, 22:33:50

Sweet...

I'm assuming we get to see it on Friday? Or am I getting ahead of myself?

By GT500, # 17. October 2006, 22:49:06

@samkline: We've made it deliberately different from the other internal pages. It should scream a bit, because it's not a neutral information. Hopefully, it's not something you should see every day either...

By borg, # 17. October 2006, 22:50:51

Originally posted by healer:

1. 100% custom ua string

Isn't this available via manually editing some ini file or something?

Originally posted by healer:

3. greasemonkey functions support

http://userjs.org/scripts/browser/enhancements/aa-gm-functions

By fearphage, # 17. October 2006, 22:52:55

@fearphage: ad1. No.
@Borg: We prefer that you just get out that old and stinking bugs than added new one. ;]

Pozdrawiam,

janbar.

)

By janbar, # 17. October 2006, 23:10:41

1 2 3 4 Next »

Showing comments 1 - 50 of 170.

Opera Desktop Team