Opera, a browser that already has an ad-blocking feature, recently added a new feature to their browser – a free VPN with unlimited data usage. It currently has IP addresses in the United States, Canada, and Germany. This addition was well-received and met with praise, but there’s a twist to it.
It’s actually an HTTP/S proxy that requires authentication. For some reason Opera insists on calling it a VPN even though it says below “Enable VPN” that it’s a proxy.
According to research by Michal Špaček, when you first enable the “VPN”, it makes 4 requests to SurfEasy’s API. The first request “subscribes” you to the VPN and the second gives you your credentials (ID and password). The last two obtain proxy IP addresses.
When you request a web page, requests are made to *.opera-proxy.net with a Proxy-Authorization header. ‘*’ being a country then a number, e.g. de0.opera-proxy.net. A few of the proxy servers appear to be hosted at Xirra. The Proxy-Authorization header is a SHA1 checksum of your ID with your password concatenated by a colon. An example of this header would be: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3
Due to the fact that this VPN is actually a proxy, you can technically use it on a different computer that doesn’t even have Opera installed.
SurfEasy, the company that provides the proxies, is a VPN provider owned by Opera, and like Opera, they’re based in Canada – one of the five eyes.
However, SurfEasy claims to be a “no log network”: “SurfEasy does not store users originating IP address when connected to our service and therefore cannot identify users when provided IP addresses of our servers. …”. They then go on to say that they temporarily log usage, perform real-time analysis of traffic (which isn’t logged), comply work with law enforcement, and that their clients may use analytic technology like Google Analytics.
As always, proceed with caution when selecting a VPN to use. Check out our VPN comparison chart if you need help.