Opera VPN behind the curtains is just a proxy (gist.github.com)
126 points by tdurden on Apr 23, 2016 | 47 comments

K. To be honest, this was pretty obvious to me. Did people really think it was a full VPN?

I agree.

There's no good reason why a web browser would make its own network layer connection to support non-HTTP sessions. Session layer proxies have forever been how this is done.

A full VPN could be useful to wrap Java Applets or custom browser extensions. I've found their support for proxy settings unreliable, especially if you don't want to leak info to the main network.

(I ended up setting up a VM and routing everything through Tor, which worked but was complete overkill. It would be great if you could force an application (and all subprocess) to use a certain connection. Put a control in the titlebar/system menu that lets me select interfaces. Please, desktop developers, steal this idea!)

Baking OpenVPN into the browser doesn't seem like a horrible idea.

There's no way it can stay free, can it? It seems like a crazily expensive feature for them to bake in.

I mean they can insert a client that allows people to use their server of choice.

I can install the browser without root privileges. This is an absolute must have for me. Installing a browser for a user should not require root.

How would you get a non-privileged executable to take control of full network?

It doesn't.

While that's the most common way to run a VPN, it's not the only way. You use TUN/TAP devices because you want arbitrary programs to use them. In this case, you only want Opera to use the VPN connection. You don't need a TUN device for that.

So it is possible to set up a proper VPN connection without root privileges. I didn't know this was possible.

This sounds perfect to me. A custom corporate wrapper for a web browser that lives in its own silo. Workers who are working from home for the day can use that app for work while keeping everything else like Spotify or YouTube or Netflix from going on a long roundabout trip through the VPN. Sounds perfect if you ask me.

Having a browser break non-web traffic doesn't sound like a great idea to me.

Most of the time in a casual, public, marketing or just generally not technical setting, "VPN" is just the modern term for "proxy". I'm not sure why that happened to be honest, except maybe that "Virtual Private Network" is more marketable than "Proxy"?

Maybe because proxies got a bad name from sketchy free proxies? There are sketchy free VPNs now, but "Businesses use VPNs for security" is a pretty powerful idea, I guess.

I can understand this argument.

The term "proxy" immediately brings me back to the days of trying to bypass the high school content filters using sketchy foreign proxies…

I still remember the day I leveled up by setting up an SSH tunnel via my family's PC and walking into school with putty.exe on a thumb drive!

This is a very technical solution. I just asked my homeroom teacher, who was also the school's main IT guy, to unblock whatever website I wanted. He was pretty cool. He also installed Visual C# for me on the school's computers so I could program during my down time.

That's a good point. If you're under 40, "Proxy" probably conjures images of those free proxies you mention. Over that, I have to believe you're going to favor the legal terminology at first blush.

So the problem is that, e.g., DNS isn't also queried over a VPN, so the sites you're looking at will still be 100% visible to anyone watching your network stream?

Or is the problem just that they're using the wrong terminology?

People are complaining about the terminology they're using, because it only affects Opera and not other applications, even though that was completely obvious from the start.

They clarify it here: https://www.opera.com/blogs/news/2016/04/opera-doubling-serv...

"Our VPN feature is still in development. We are currently working hard to implement support for proxying even more of the browser traffic, including WebRTC and plug-ins. Having this functionality built into the browser, instead of as an extension, allows us to catch more situations, such as certificate revocation checks made by the system. Yes, the VPN feature is free, and we do not plan to charge for it. Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world. It will not route the traffic from other applications – as a system wide VPN would do – it’s a browser VPN after all."

Which is actually a really interesting idea. Network interface level VPNs are great in certain situations.

For instance, when using untrusted WiFi networks I'll connect to my VPS VPN hosted in the US or my UK RasPI VPN.

But when I want to circumvent a geo-block to watch some sports on Al Jazeera Sport (now BeIn Sport), I don't want all of my traffic going through the public VPN provider in Saudi Arabia. I don't really trust public VPN providers.

Normally I'd run a dedicated local VM which I'd connect to a public VM just to watch geo-blocked streaming media.

Proxies, though. Per-application proxies. Or even better - per tab/window/browser profile proxies. This would solve my problem more elegantly.

On Linux I configure a network namespace that routes everything through my VPN, and I run a separate Chrome profile within that namespace (or whatever else I want to run and route through the VPN).

http://pastie.org/private/fzx7btxmvxbnftgkx31k8g is what I use as openvpn up/down script. Feel free to study/reuse.

You create that namespace under root? What next? You run nsenter NNNN and su - $username -c chromium? It's still able to communicate with Xorg thereafter?

Indeed, something like "sudo ip netns exec myvpn sudo -u delroth -- google-chrome-stable --user-data-dir=~/.config/myvpn-google-chrome"
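The namespace trick described in the two comments above, written out as an added example (this is not the script behind the pastie link, and not Opera's code). It assumes OpenVPN is started by root with `--ifconfig-noexec --route-noexec --script-security 2 --up THIS --down THIS`, a namespace named `myvpn`, and the variable names OpenVPN documents for its script environment (`dev`, `ifconfig_local`, `ifconfig_netmask`, `ifconfig_remote`, `route_vpn_gateway`, `tun_mtu`, `foreign_option_N`, `script_type`). Moving the tun device into the namespace is the whole point: OpenVPN keeps its file descriptor, but the interface and the default route exist only inside `myvpn`, so a process launched there has no path to the network except through the VPN, and none at all once the VPN drops. `ip netns exec` also bind-mounts `/etc/netns/myvpn/resolv.conf` over `/etc/resolv.conf`, which is how DNS stays inside the tunnel too.

```python
"""OpenVPN up/down script that confines a VPN to a Linux network namespace.

Added example; not delroth's pastie script and not Opera's code. Assumes
OpenVPN runs as root with --ifconfig-noexec --route-noexec --script-security 2
--up THIS --down THIS, and a namespace named "myvpn" (both assumptions).
"""
import ipaddress
import os
import subprocess
import sys

NS = "myvpn"


def in_ns(ns, *argv):
    """Prefix argv so it runs inside namespace ns."""
    return ["ip", "netns", "exec", ns] + list(argv)


def pushed_options(env):
    """Yield (name, value) for every 'dhcp-option' the server pushed, in order."""
    i = 1
    while "foreign_option_%d" % i in env:
        parts = env["foreign_option_%d" % i].split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            yield parts[1], parts[2]
        i += 1


def vpn_dns(env):
    return [v for k, v in pushed_options(env) if k == "DNS"]


def resolv_conf(env):
    """Contents for /etc/netns/<ns>/resolv.conf, which `ip netns exec`
    bind-mounts over /etc/resolv.conf: DNS goes to the VPN's resolver only."""
    lines = ["nameserver " + s for s in vpn_dns(env)]
    domains = [v for k, v in pushed_options(env) if k == "DOMAIN"]
    if domains:
        lines.append("search " + " ".join(domains))
    return "\n".join(lines) + "\n"


def up_plan(env, ns=NS):
    """Commands that move the new tun device into ns and give it the address
    and default route OpenVPN would otherwise set in the root namespace."""
    dev = env["dev"]
    plan = [
        ["ip", "netns", "add", ns],
        in_ns(ns, "ip", "link", "set", "lo", "up"),
        ["ip", "link", "set", "dev", dev, "netns", ns],  # the trick: openvpn keeps its fd
    ]
    if "ifconfig_netmask" in env:  # topology subnet
        prefix = ipaddress.IPv4Network("0.0.0.0/" + env["ifconfig_netmask"]).prefixlen
        plan.append(in_ns(ns, "ip", "addr", "add", "%s/%d" % (env["ifconfig_local"], prefix), "dev", dev))
    else:  # topology net30 / point-to-point
        plan.append(in_ns(ns, "ip", "addr", "add", env["ifconfig_local"], "peer", env["ifconfig_remote"], "dev", dev))
    plan.append(in_ns(ns, "ip", "link", "set", "dev", dev, "up", "mtu", env.get("tun_mtu", "1500")))
    plan.append(in_ns(ns, "ip", "route", "add", "default", "via", env["route_vpn_gateway"], "dev", dev))
    return plan


def down_plan(ns=NS):
    return [["ip", "netns", "del", ns]]


def launch_argv(user, argv, ns=NS):
    """The launcher from the thread: run argv as an unprivileged user inside ns."""
    return ["sudo"] + in_ns(ns, "sudo", "-u", user, "--", *argv)


def main():
    env = os.environ
    if env.get("script_type") == "up":
        for cmd in up_plan(env):
            # a namespace left over from an earlier run makes 'ip netns add' fail; tolerate that
            subprocess.run(cmd, check=cmd[:3] != ["ip", "netns", "add"])
        os.makedirs("/etc/netns/" + NS, exist_ok=True)
        with open("/etc/netns/%s/resolv.conf" % NS, "w") as f:
            f.write(resolv_conf(env))
    elif env.get("script_type") == "down":
        for cmd in down_plan():
            subprocess.run(cmd, check=True)
    else:
        sys.exit("run from OpenVPN via --up/--down, or import launch_argv()")


if __name__ == "__main__":
    main()
```

`launch_argv("delroth", ["google-chrome-stable", "--user-data-dir=..."])` reproduces the command line from the comment above; the separate profile directory matters because Chrome otherwise hands the URL to the already running instance in the root namespace, outside the VPN.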

I've been using my own proxies for years, just a plain dynamic SSH tunnel (SOCKS). It's pretty easy to do with a cheap Linux VPS. If you want, you can set up a tunnel on one local port and another one (from another VPS) on another port to be used by different applications. Firefox can be configured to use it and query DNS over it as well, making it completely transparent. On Linux things work out of the box; on Windows clients I use Putty to connect to the VPS.

On Windows with Cygwin, setting up an SSH proxy works just like it does under Linux/BSD, pretty easy to do[0]. I prefer it over Putty because Putty doesn't accept the same SSH key as used on unix systems which is a bit of a pain to deal with. I also think it's nicer using the Cygwin bash shell as the terminal, especially if needing to use it frequently.

[0] If anyone doesn't know how, here's a good resource (actually not specific to OS or linode vps): https://www.linode.com/docs/networking/ssh/setting-up-an-ssh...

Yes, and app-specific VPNs too. So a SaaS app with embedded VPN in order to achieve certain security, quality or visibility goals between user network and their first cloud hop. Each app VPN using a virtual IP?

I am actually working on building something similar. So, you could roll out an app-specific VPN-like secure tunnel real easy. It is inspired by the work at Google IT called BeyondCorp [1].

The target market is companies whose employees require secure remote access to internal apps, but IT does not want to give a broad network access via VPN. So, marketing/sales like employees who simply want to access internal portals, etc. without the hassle of dialing into a VPN.

[1] http://research.google.com/pubs/archive/43231.pdf

You can use ssh as a proxy

Yes, it's an HTTPS proxy. And DNS queries are not leaked. Again, since it's an HTTPS proxy your traffic is hard to inspect/intercept/MITM. Earlier discussion: https://news.ycombinator.com/item?id=11540389

> DNS queries are not leaked.

I imagine that you mean the proxy takes care of resolving hosts. For example, requesting https://google.com doesn't resolve google.com. on the client, rather it sends a request for https://google.com to the proxy server and the proxy server resolves google.com.

Attacking the DNS lookup for the proxy itself won't work because the attacker would need the SSL certificate for the proxy. Hopefully Opera has pinned that certificate (or better, its signer), which prevents a rogue CA attack.
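The "proxy resolves the name" point made in the comment above, and the Firefox-over-`ssh -D` setup described earlier in the thread, come down to what bytes the client puts on the wire. Added example (not code from the thread, OpenSSH or Opera; the hostnames and TEST-NET addresses are constructed): it builds a SOCKS5 CONNECT request the way `ssh -D` expects one, the HTTP CONNECT request a browser sends to an HTTP/HTTPS proxy, and the proxy-side parsers that show which of the two a client actually did. A hostname carried as SOCKS5 address type 0x03 never touched the client's resolver; an IP literal means the client looked the name up locally first, which is the leak. Firefox's `network.proxy.socks_remote_dns` setting and curl's `--socks5-hostname` (or a `socks5h://` proxy URL) select the 0x03 form; plain `--socks5` resolves locally.

```python
"""What a client sends to a SOCKS5 proxy (ssh -D) or an HTTP CONNECT proxy,
and how to tell from the bytes whether the target name was resolved locally.

Added example; not from the thread, OpenSSH or Opera. Hosts and addresses
used in tests are constructed (example.com, TEST-NET 192.0.2.0/24).
"""
import ipaddress
import struct

SOCKS5_VER, SOCKS5_CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_NAME, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_connect(target, port):
    """SOCKS5 CONNECT request (RFC 1928 section 4) for target:port.

    A hostname is sent verbatim as ATYP 0x03 so the proxy resolves it; only an
    IP literal is sent as 0x01/0x04. This never calls gethostbyname(): that
    local lookup is exactly the DNS leak."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        raw = target.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_NAME, len(raw)]) + raw
    else:
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS5_VER, SOCKS5_CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_socks5_connect(req):
    """Proxy-side view of a CONNECT request: (kind, target, port).

    kind is 'name' when resolution was left to the proxy and 'ip' when the
    client already resolved the name itself (i.e. asked its own resolver)."""
    if len(req) < 5 or req[0] != SOCKS5_VER or req[1] != SOCKS5_CMD_CONNECT or req[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_NAME:
        n = req[4]
        kind, target, off = "name", req[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        kind, target, off = "ip", str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        kind, target, off = "ip", str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(req) != off + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return kind, target, port


def http_connect(host, port):
    """HTTP CONNECT request (RFC 7231 section 4.3.6): what a browser sends an
    HTTP/HTTPS proxy for an https:// site. The name travels as text and the
    proxy resolves it. After the proxy answers 200 the client runs its own TLS
    handshake through the tunnel, so the certificate it validates and displays
    is the origin's, not the proxy's."""
    authority = "[%s]:%d" % (host, port) if ":" in host else "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def connect_authority(req):
    """Proxy-side: the host:port named on a CONNECT request line."""
    line = req.split(b"\r\n", 1)[0].decode("ascii")
    method, authority, version = line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    return authority
```

Running `parse_socks5_connect` over what arrives at a SOCKS listener is a cheap way to audit a client: any `'ip'` result for a site you typed by name means that client resolved the name outside the tunnel.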

It does leak via WebRTC unless you install a 3rd party plugin and configure it a specific way.

I don't know how to reliably test WebRTC, thus can't comment on that particular case. For http/https, DNS queries are not leaked.

There's a pretty good demo, with links to source code, here: https://diafygi.github.io/webrtc-ips/

All VPNs are proxies. It's just a matter of at what layer of the stack you do the proxying. This post is a non-story.

Yes, it's sort of a persnickety issue, but the point is that it's not "proxying" at the network layer, so it's not accurate to market it as a virtual private network.

All VPNs are proxies, but not all proxies are VPNs!

This has a small benefit of protecting information routed to Opera's proxy (on your LAN, ISP or whatever there is until Opera's proxy), even when trying to reach an HTTP-only website. Though it is still not secure, as an HTTP-only website will have data delivered to it in non-encrypted form.

"Browser VPN" is another misleading made-up term.

I think they added a bit of polish/magic compared to what you'd get in a plain https proxy that you could setup yourself, since when visiting an HTTPS page it'll show the certificate information from the site that you're visiting, and not the one from the actual machine you're connecting to (the proxy).

Similarly (unlike poorly setup proxies like Lenovo's Superfish) it also prevents connection to sites with invalid certificates.

(I wrote the same comment in the gist)

I'm pretty sure that they just don't inspect the HTTPS traffic. Otherwise I'd be worried that they have patched Opera to accept their fake certificate and replace the cert information with details from the original.

I'm currently trying to setup an OpenVPN based VPN server on OS X. That's because several iPad apps I use seem to bypass my regular DNS servers and go to Google's DNS servers and OpenDNS, which I don't want them to do.

I could stick a gateway on my network, but frankly I just don't want to spend any more money and OS X should do fine for what I want.

There is surprisingly little documentation on how to setup OpenVPN on OS X. However, in my travails through OS X I've had to learn a whole bunch of tools I've never used before, the main ones are how to create launcher files, how to setup OpenVPN and how to use pf - in the way OS X wants me to.

I'm thinking of uploading the setup onto GitHub - would anyone be interested?

Sure, that might be helpful to some.

Isn't this very similar to what they used to do with Opera Mini?

The purpose was of course different. Opera Mini added value by optimising the pages for your device (tiny screens, underpowered CPUs, insufficient RAM, small batteries), while the added value of the current proposal is actually defeated when it's offered only for free (meaning they get something out of it - not just marketing for a paid offering).

"" Opera Mini requests web pages through Opera Software's servers, which process and compress them before sending them to the mobile phone, speeding up transfer by two to three times and dramatically reducing the amount of data transferred, chargeable on many mobile phone data plans. The pre-processing increases compatibility with web pages not designed for mobile phones. However, interactive sites which depend upon the device processing JavaScript do not work properly. "" https://en.wikipedia.org/wiki/Opera_Mini

I am wondering... how about logging? I don't see anything about logging. A VPN is useless if the VPN service provider hands out all logs to anyone who asks for them; anonymity goes bye-bye.

Based on my research (I'm the author of the linked content), I've built a simple Python Script which will do all the API calls and fetch the credentials and list available proxies: https://github.com/spaze/oprah-proxy

Better to use Epic Privacy Browser with a built-in ENCRYPTED proxy that's fast over SPDY (not a simple unencrypted http proxy).

Yet my post on the story about that said basically "do not want until open sourced" got downvoted into oblivion with no response...

Some people want all their applications open source. Which is fine, do that if that's what you want. But it's quite tedious if we have to have that discussion for every thread related to a proprietary application/service.

That'd be a fair position to hold.
