Music Styles   Opera  

Opera Backstage: Opera 9.1 will include Fraud Protection - Desktop Team - by Desktop Team

Opera Backstage: Opera 9.1 will include Fraud Protection - Desktop Team - by Desktop Team
Amber Swift  |  by my.opera.com. All rights reserved. 10.11 | 17:09

By . Tuesday, 17. October 2006, 13:11:05
, ,

As presented at the Opera Backstage event in London today, Opera 9.

1 will include enhanced fraud protection. Today we display the name of the certificate owner in the right end of the address field when you're on a secure site. In 9.

1 we will reuse that field to display more information about the trust level of the site you visit.


When you go to a new site for the first time, Opera will check against a database if the site is trusted or if it is a known fraud site. If we know the site, there will be a small information "i" in the right end of the address field.

If it's unknown/not verified there will be a "?" and if it's known as a fraudulent site we will display a warning and block the user from accessing the site.

The browser sends only the minimum information the database needs to identify a fraud site.

When a result is received by the browser, it will be cached there for some time, so it doesn't have to check again if you go to the same site often.


- Why don't we use a downloaded blacklist like Firefox 2?

Firefox 2 only checks against a blacklist unless you turn on real-time protection from Google or other providers.

We feel that only real-time protection is real protection, since phishing attacks tend to be more and more like virus attacks, most of their damage is done in a very short time.

- Why don't we use a downloaded whitelist like IE 7?

This makes some sense, especially to save bandwidth for our servers.

But for the privacy-concerned user, we don't think it changes anything, since it's typically the more obscure sites that you really want to keep to yourself. We've made it easy to turn on and off the fraud protection from the information dialog you get when clicking the icon.


More technical details:

When you browse to a site you have not visited before, the browser sends a request for site information to our server.

The requests contains the domain name of the site and a hash value of the URL. We don't send the full URL, but we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.

The reply from the server is an XML document containing the trust level of the domain.

This reply will be cached by Opera for a time indicated by our server. This means that information about well-trusted sites can be cached for a longer period than for unknown sites.

We don't store information on our servers that let us track individual users.

IP addresses are discarded and we don't use cookies or other session information. No information goes directly to third parties, all communication goes through our own servers. Our servers get the trust information from a database supplied by , who have a long experience with anti-fraud solutions.



The requests go over HTTP, but the replies will be signed by the server to make sure they are genuine. We prefer to send information between the browser and ourselves in plain text, so our users can inspect the data we send "home".

17.

October 2006, 19:23:15

Shadowk was first out of the shoot with the questions that I'm sure everyone is going to be asking with exception to privacy concerns that, even though you address them quite clearly, will still be asked.


Will there be demo URLs for use to play around with so we can see the expected behavoir?
17.

October 2006, 19:26:13

shadowk: "We've made it easy to turn on and off the fraud protection from the information dialog you get when clicking the icon."

This sounds very cool. Although I believe that common sense is the greatest defense, this will prevent mistakes and hopefully eliminate (or greatly reduce) people entering bank details into fraud sites.

17. October 2006, 19:30:00
Speed will not be affected, everything is done asynchronously and the content load is really minimal.

We can publish demo URLs for the blocking screen, yes.



Common sense is the best defense, and many of you here may not need it, but when we install Opera for our friends and family it's an extra layer of protection.

17. October 2006, 19:33:20
@fearphage: The 'Stop executing scripts on this page' checkbox is intended to help you out of neverending scripts.

It's a last resort to regain control of your browser, not intended to be used to set site preferences.

17. October 2006, 19:55:11
I'd really like to see two new options:
1.

minimize to tray when closing,
2. editable User Agent string - usefull for example in phpBB with OS icons, when I want to be more specyfic (Gentoo Linux instead of Linux x86_64).

Both don't require much coding.

17. October 2006, 19:55:58
I'm not sure if I like the UI.

It adds even more clutter in addressbar.

RSS, widgetize and now trust level. I have other items on my address toolbar and my address input box is getting too short :frown:

GeoTrust probably doesn't have information about most websites I visit, so I'd have [?

] in UI most of the time. I find this symbol intriguing and calling for attention. I'd prefer more neutral UI (nothing added to addressbar?

) for unchecked websites.

Why send domain in clear text and not hash as well?

Whitelist of safe domains makes sense to me.

With 16 bytes per domain hash, you can include plenty in the default install.


BTW: is that a full-blown pop-up window? Will it be modal or always-on-top?

If not, what if user clicks main window? What if user closes or navigates away from suspectd page without closing alert?
How about alert made similar to "block content" toolbar?


17. October 2006, 20:01:51
@porneL: *One* of the reasons for not using a hash for the domain part is that we're not entirely sure that you can't create another domain that "steals" the good rating of a site with the same hash value. You don't have that problem with blacklisted URLs: nobody would try to get a hash that matches a bad rating.



The warning takes over the entire tab, so you really can't miss it. Even if you choose to continue to the fraud site, the right end of the address bar will be red and display a warning.

17.

October 2006, 20:20:09

nobody would try to get a hash that matches a bad rating

Except websites that are rebeling against their parent (website) by exhibiting bad behavoir:
Parent website: Young site! You are *not* going live with that hash value! Now you march right back to your development server and rethink your hash.


Rebel: When am I going to be old enoughhave enough google ranking to use the subdomains that *I* want. You can't choose my paths!

Parent: As long as you're in my domain, you'll follow *my* paths!


Rebel: *under breath* As soon as I go live, I'm *totally* changing my hash value to some paypal scam site. See what *that* does for your precious customer relations..

17. October 2006, 20:31:41
Just tested your paypal scam link in Opera 9.1

Well.

. I'm suspicous by nature. My father told me not to take things at face value and to get out and try and explore them myself.



So if you'll just email me the installer for 9.1, we'll get to the bottom of this.

17.

October 2006, 20:36:49

BORG:
"...

Our servers get the trust information from a database supplied by GeoTrust, who have a long experience with anti-fraud solutions.

Read more on by my.opera.com. All rights reserved.
Keywords: Fraud Protection, Opera Backstage, Desktop Team
Related news
Post comments
Name
Place
8 + 3 =
Comments