A closer look at Opera’s Browser VPN

Opera Software launched what it calls a Browser VPN or just VPN depending on where you find it in the browser in a recent developer edition of the web browser.

Browser VPN can be enabled in Opera with a simple check of a box in the browser's settings, and then turned on or off on the frontend.

It protects traffic by using encryption which improves both the privacy and security while using the browser.

We have mentioned previously that Browser VPN does not support WebRTC or plugin traffic yet which means that sites and services may find out about the public IP address of the device used to connect to it even if the VPN is enabled.

A detailed analysis of Opera's VPN integration revealed that it is not a full VPN solution which protects all traffic on the device but a proxy instead.

When you enable the VPN in Opera, the following happens:

1. Opera connects to the SurfEasy API to obtain credentials and IP addresses (SurfEasy is an Opera company).
2. The browser sends requests to the proxy with proxy authorization request headers whenever sites or services are loaded in the browser. These include the device ID and device password.
3. These information can be grabbed and used on different machines, even in other programs that are not Opera (as you have the proxy IP address, username, and password).

The connection itself is secure, with HTTPS being used even if non-HTTPS sites are loaded. Hostname resolution is done remotely on the proxy server which means that hostnames are not leaked as well when the VPN is used.

Two issues emerge from this; first, Opera's VPN is not a real VPN but a HTTP proxy. Second, Browser VPN uses a device ID that is linked to the device you are using.

Opera's VPN is not a real VPN but a HTTP proxy

Most users who run developer or beta editions of browsers probably assumed as much when they read about the new VPN that is built-in to the Opera browser.

Opera's Browser VPN works for the most part just like other VPN extensions that you can install for it.

The main difference is that the feature is built-in to the browser so that it may theoretically make use of features that extensions cannot make use of.

Additionally, when it comes to trust, users may trust Opera more than third-party browser extensions considering that they are using the Opera web browser which too requires some level of trust.

The takeaway is that Opera's Browser VPN does not encrypt all browser traffic currently (WebRTC and plugins are not included currently but you can disable those features if you don't require them), and that it won't work on a system-wide level but only within the browser.

Opera is aware of this however and plans to fix this in future releases (probably before it hits the stable channel).

Browser VPN uses a device ID that is linked to the device you are using

The device ID that is used by the VPN is the same ID that Opera has been using for a long time. You can read about it by loading opera://about/privacy in the web browser. There you find the following information about it:

Your installation of Opera browser contains a unique ID that can not be linked to you as an individual person. This unique ID is required for auto-updates of the software and any installed extensions. Data about the features (not websites) used in Opera browser is collected with the purpose to improve the software and services. The software also creates a unique ID that is linked to your computer. This unique ID is processed with the sole purpose to measure marketing campaigns and distribution partners.

Opera stated that they have a strict no-logging policy when it comes to the VPN/Proxy.