Yesterday, Opera announced they’ve added a free VPN client with unlimited data usage in the latest developer version of their browser. Sounds great, doesn’t it?
Michal Špaček, a web developer and security engineer based in Prague, researched the way Opera’s VPN works and discovered there’s more marketing than security behind Opera’s claims.
“What Opera offers is not a VPN as such. It’s just a proxy for the browser. You still need a full VPN if privacy is what you care about (and you should care about your privacy). Other tools you use, including for example email clients like Outlook, won’t use this ‘VPN’,” Špaček told Help Net Security.
“There’s also a potential privacy issue: when setting up the VPN, the browser requests something called device_id, this is subsequently sent in every request to the proxy and it survives browser restarts and reinstalls unless you also delete your user data when uninstalling. This might be used for user tracking for whatever purpose,” Špaček added.
How the “VPN” works
Once the user enables the feature in settings, Opera VPN sends API requests to https://api.surfeasy.com to obtain credentials and proxy IPs. The browser then talks to a proxy like de0.opera-proxy.net, whose IP address can only be resolved from within Opera when the VPN feature is turned on. It’s an HTTP/S proxy that requires authentication.
When the Opera browser loads a page with the VPN enabled, it sends many requests to de0.opera-proxy.net with a Proxy-Authorization request header.
Proxy-Authorization header decoded:
Since we’re talking about a proxy, these credentials can be used with de0.opera-proxy.net even when connecting from a different machine. This means that if you use the proxy on a computer without Opera installed, you’ll get the same IP as when using Opera’s VPN.
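To illustrate why a credential attached to every proxied request works as a stable identifier, here is an added example (not from the original article, Špaček's research or Opera's code) that decodes Proxy-Authorization values and counts requests per username. It assumes the Basic scheme of RFC 7617, which the article does not specify; the credentials, hostnames and helper names are constructed for the example.

```python
import base64
import binascii
from collections import Counter


def decode_proxy_authorization(value):
    """Return (username, password) from a Basic value, or None if unusable."""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None  # other schemes are not base64(user:password)
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed base64 or non-text payload
    # RFC 7617: the user-id cannot contain ':', but the password can.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def identities_seen(requests):
    """Count requests per decoded username over (host, header) pairs."""
    counts = Counter()
    for _host, header in requests:
        creds = decode_proxy_authorization(header)
        if creds is not None:
            counts[creds[0]] += 1
    return counts


def encode_basic(user, password):
    """Build a Basic header value (used only to construct the sample)."""
    pair = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


# Constructed sample, not captured traffic: the same made-up credential
# accompanies requests for three unrelated sites, plus one malformed value.
SAMPLE_CRED = encode_basic("constructed-id-0001", "constructed:secret")
SAMPLE_REQUESTS = [
    ("example.com", SAMPLE_CRED),
    ("example.org", SAMPLE_CRED.replace("Basic", "basic", 1)),
    ("example.net", SAMPLE_CRED),
    ("example.net", "Basic not-base64!!"),
]

if __name__ == "__main__":
    for user, count in identities_seen(SAMPLE_REQUESTS).items():
        print(f"{user}: seen in {count} requests")
```

Because Basic credentials are only base64-encoded, anyone who can read the header sees the same username on every request, regardless of which site is being visited.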
A caution on proxies
“I am a bit surprised by Opera in this case. A proxy is a proxy, usually for one specific service. A VPN is usually an encrypted tunnel for all services going out of our computer to a remote host, before it gets decrypted and then forwarded to its final destination. While Opera may have done this little tweak of definitions with the best intentions, end users should understand that this free service by Opera is nowhere near the security provided by a real VPN solution,” Per Thorsheim, founder of PasswordsCon, commented.
UPDATE: Saturday, 23 April, 05:56 AM PT – The head engineer of Opera for computers, Krystian Kolondra, reached out to us with a comment.
“In our case we are coming with a new term: a browser VPN – and our goal is that all the network activity from the browser is actually routed via our secure proxy – unlike the usual proxies that only route the web traffic. So it’s different than a system wide VPN but it’s also different than a proxy. Thus – a browser VPN. Currently WebRTC and plugins are still not routed that way – but we’re very open about this – we’ve just released this as a developer preview and planning to fix this in the coming updates.”