Note: whether or not you choose to enable Fraud Protection, you should always look for the closed padlock in the address field before submitting credit card numbers or other highly personal information.
The explosive growth of Internet commerce has attracted the attention of everyone, including a new breed of on line criminals who will attempt to steal your passwords, your credit card numbers, and other personal information by impersonating authority figures from a bank or other institution with whom you have a financial relationship. The best defense against this growing threat is to be aware of the problem, and to be alert when conducting your on line business.
Fraud of this kind is sometimes called phishing, and in analogy to fishing, your private information is the catch. There is more than one kind of bait, but the most common type is email, apparently from your bank, coupled to a website resembling your bank's, so precisely copied that you may not discern the difference. You will be encouraged to log in and "verify" your customer information: in other words, to reveal your password, credit card number, or other private data.
As a result, many people think it is a good idea to incorporate some degree of fraud protection in the browser itself. The browser-based strategy is to consult a database, to check whether the websites you plan to visit are legitimate and safe to use, and whether or not your surfing trajectory has been redirected.
In this context, there are two kinds of database: whitelists and blacklists. A whitelist is a list of websites that are certified to be legitimate, and safe to use. A blacklist, on the other hand, is a list of websites that are known to be fraudulent, or unsafe in some way. Generally speaking, the most commonly used websites will be whitelisted, but many other websites will be neither whitelisted nor blacklisted. In short, their security status is unknown. Because of the difficulty in creating up-to-date whitelists and blacklists, it is not possible to completely eliminate the risk of encountering a phishing website, although the risk may be minimized.
When Opera Fraud Protection is enabled, you contact a server at Opera every time you request a webpage. HTTPS sites are checked via an encrypted channel, while IP addresses on the local intranet will never be checked. The server checks the domain name of the requested page against live whitelists compiled by GeoTrust, and blacklists compiled by GeoTrust and Phishtank. Opera's fraud protection server downloads blacklists directly from Phishtank, and sends a query to GeoTrust.
The domain name is forwarded to GeoTrust in plain text, together with a hash of the URL, if the site you are checking is served by HTTP. The full URL is not sent, but a fingerprint of the full URL is needed in case you visit a dangerous page on a site that is otherwise harmless. The reply is an XML document containing the trust level of the domain. This reply will be cached for a time indicated by the Opera's fraud protection server. Information about well-trusted sites can be cached for a longer period than for unknown sites.
The privacy implications of Opera's Fraud Protection can be summarized as follows:
With Opera Fraud Protection enabled, every webpage you request is subjected to a phishing filter, and the status of the page is displayed as an icon on the right side of the address field, as indicated in the table below. Clicking on the icon opens a dialogue box with additional information, including the possibility of reporting a site as suspicious, with an explanation.
| Protocol | Address Field | Fraud Protection Dialogue |
|---|---|---|
| HTTP | i | VERIFIED |
| HTTP | ? | NOT VERIFIED |
| HTTP | Fraud Site | WARNING |
| HTTPS | Secure Site | VERIFIED |
A secure page (HTTPS) with valid security certificate and no mis-configuration of the server will display a lock on the right side of the address field, and clicking on this lock will cause the security information for the page to be displayed, including information about the website's certificate. In this case, too, the page will be checked by Opera's fraud protection server.
If a website is found on the blacklist, you will be presented with a warning page, and you must decide whether to visit the fraudulent website, or to return to the home page. Opera's fraud protection server does not cause any delay in the opening of webpages.
Opera Fraud Protection can be enabled/disabled from by checking/unchecking the box marked "Enable Fraud Protection."
Return to Guide to Security and Privacy in Opera