Operas VPN is only a HTTP proxy

Operas VPN is only a HTTP proxy! Opera advertises in the latest developer version of the browser with an integrated VPN – but that’s not quite true. The alleged VPN also has a privacy problem.

Operas VPN is rather a proxy

The Norwegian browser manufacturer Opera wants to protect users‘ privacy with a new function – but the VPN feature advertised is only an HTTP proxy. According to security researcher Michal Spacek, this is not a fully-fledged VPN, and there is a potential privacy problem. For experienced users it should be clear that such a service in a browser only encrypts the web traffic and provides it with a new IP – but inexperienced users could be misled here.

The function, which is advertised throughout as VPN, can be activated in the settings of the current developer version of Opera. After activation, the proxy is automatically active, the status is displayed in the address bar to the left of the URL. With a single click, users can see how much data has already been transferred. You can also choose between three locations. In addition to Germany, there are servers in the USA and Canada to choose from.

Opera uses the API of the VPN operator Surfeasy for the service. The connection requires authorization by the user, but this is done automatically. Opera generates a device ID hashed with SHA1 and a device password. With a simple Python script on Github, users can find out their own credentials and use them on another device.

Device ID remains stable

The device ID also remains stable, so it could be used to track users on the network. According to Spacek, the device ID will be retained even after the browser has been reinstalled. A new ID will only be created if the user data is deleted manually. If this ID were created each time the browser was started, privacy would be significantly improved.

But the connection speed was good in the short test – we reached about 50 MBit/s. In the test with a US server, the connection via Netflix and access to content not available in Germany also worked. However, it took well over a minute for the content to be displayed in HD quality. However, there were no dropouts in our short test.

Krystian Kolondra of Opera defended the name in an interview with Helpnetsecurity: „In our case we come up with a new term: Browser VPN – and our goal is that all network activities of the browser are routed through our secure proxy – unlike the normal proxies, which only route the web traffic. It’s different from a system-wide VPN, but it’s also different from a proxy. Therefore: Browser VPN.“ Not all plugins already use the proxy, Kolondra said, citing WebRTC as an example. This will be fixed in later versions of the Developer Preview.

Even a full VPN has limitations: Although it can be used to conceal one’s own IP address, it can also be used in an open WLAN to protect one’s own data traffic on unencrypted websites from other readers. But at the end of the day, unencrypted data is released unencrypted even with a VPN. Users can also be deanonymized using fingerprinting. Various privacy boxes also rely on VPN networks, but many also offer little more protection here.


Posted in News by with comments disabled.