Opera Fraud Protection prior to 9.5

Note: whether or not you choose to enable Fraud Protection, you should always look for the closed padlock in the address field before submitting credit card numbers or other highly personal information.

What is phishing?

The explosive growth of Internet commerce has attracted the attention of everyone, including a new breed of on line criminals who will attempt to steal your passwords, your credit card numbers, and other personal information by impersonating authority figures from a bank or other institution with whom you have a financial relationship. The best defense against this growing threat is to be aware of the problem, and to be alert when conducting your on line business.

Fraud of this kind is sometimes called phishing, and in analogy to fishing, your private information is the catch. There is more than one kind of bait, but the most common type is email, apparently from your bank, coupled to a website resembling your bank's, so precisely copied that you may not discern the difference. You will be encouraged to log in and "verify" your customer information: in other words, to reveal your password, credit card number, or other private data.

As a result, many people think it is a good idea to incorporate some degree of fraud protection in the browser itself. The browser-based strategy is to consult a database, to check whether the websites you plan to visit are legitimate and safe to use, and whether or not your surfing trajectory has been redirected.

In this context, there are two kinds of database: whitelists and blacklists. A whitelist is a list of websites that are certified to be legitimate, and safe to use. A blacklist, on the other hand, is a list of websites that are known to be fraudulent, or unsafe in some way. Generally speaking, the most commonly used websites will be whitelisted, but many other websites will be neither whitelisted nor blacklisted. In short, their security status is unknown. Because of the difficulty in creating up-to-date whitelists and blacklists, it is not possible to completely eliminate the risk of encountering a phishing website, although the risk may be minimized.

Opera's approach: the fraud protection server

When Opera Fraud Protection is enabled, you contact a server at Opera every time you request a webpage. HTTPS sites are checked via an encrypted channel, while IP addresses on the local intranet will never be checked. The server checks the domain name of the requested page against live whitelists compiled by GeoTrust, and blacklists compiled by GeoTrust and Phishtank. Opera's fraud protection server downloads blacklists directly from Phishtank, and sends a query to GeoTrust.

The domain name is forwarded to GeoTrust in plain text, together with a hash of the URL, if the site you are checking is served by HTTP. The full URL is not sent, but a fingerprint of the full URL is needed in case you visit a dangerous page on a site that is otherwise harmless. The reply is an XML document containing the trust level of the domain. This reply will be cached for a time indicated by the Opera's fraud protection server. Information about well-trusted sites can be cached for a longer period than for unknown sites.

The privacy implications of Opera's Fraud Protection can be summarized as follows:

  1. By default, Opera Fraud protection is disabled. The browser never makes contact with the fraud protection server when Opera Fraud Protection is disabled. To enable the feature, select from the menu Tools > Preferences > Advanced > Security , and check the box marked "Enable Fraud Protection."
  2. With Opera Fraud Protection enabled, the domain name of websites you visit is sent to Opera's fraud protection server together with a hash of the complete URL. No information goes directly to third parties, and the information that is forwarded to whitelist/blacklist providers is not connected to your identity. HTTPS sites are checked via an encrypted channel, while IP addresses on the local intranet will never be checked.
  3. Although Opera's fraud protection server stores the domain name and the security status of the websites you visit, it does not save your IP address or any other information related to your identity. There are no cookies or other session information.
  4. You can at any time disable Opera Fraud Protection in preferences, by choosing Tools > Preferences > Advanced > Security , and unchecking the box marked "Enable Fraud Protection."

The user interface

With Opera Fraud Protection enabled, every webpage you request is subjected to a phishing filter, and the status of the page is displayed as an icon on the right side of the address field, as indicated in the table below. Clicking on the icon opens a dialogue box with additional information, including the possibility of reporting a site as suspicious, with an explanation.

Protocol Address Field Fraud Protection Dialogue

A secure page (HTTPS) with valid security certificate and no mis-configuration of the server will display a lock on the right side of the address field, and clicking on this lock will cause the security information for the page to be displayed, including information about the website's certificate. In this case, too, the page will be checked by Opera's fraud protection server.

If a website is found on the blacklist, you will be presented with a warning page, and you must decide whether to visit the fraudulent website, or to return to the home page. Opera's fraud protection server does not cause any delay in the opening of webpages.

Enabling/Disabling Fraud Protection

Opera Fraud Protection can be enabled/disabled from Tools > Preferences > Advanced > Security by checking/unchecking the box marked "Enable Fraud Protection."

Return to Guide to Security and Privacy in Opera