Decoding network activity in Vivaldi
-
In this article, Vivaldi security expert Yngve Pettersen takes a deep dive into network activity in Vivaldi.
-
Thanks for this very informative article! I love in-depth information like this, especially what hosts we can expect to see traffic to, and you even link to the relevant code parts for users to check themselves
Very useful having it here in the blog for referring users who wonder about the outgoing connections to Google.
@yngve I'd love to get some recommendation for basic troubleshooting/network tools to help me find out stuff like this. I have Wireshark installed (obviously...), but since it's big and complex, I instead tend to use small tools, like TCP View, Current Ports and NetworkTrafficView for basic network troubleshooting on my local machine.
For instance here are the connections Vivaldi makes on startup for me:
login.vivaldi.net 443 https
accounts.google.com 443 https
www.gstatic.com 443 https
clients.l.google.com 443
bifrost.vivaldi.com 443 https
bifrost.vivaldi.com 15674
mobile-gtalk.l.google.com 5228
The two at the bottom are interesting because they're using non-standard ports. Also I wonder a bit about the connection to accounts.google.com?
-
@Pathduck Sorry, I haven't investigated such tools; I use Wireshark when I need to look at network traffic.
Regarding the second bifrost connection, that is the notification connection, which pushes information to all your clients about new sync updates. (Google Chrome uses GCM for that). Sync also needs to refresh login tokens occasionally, which means connecting to our login server.
The mobile-gtalk is probably one of the GCM servers used by a website's push notifications. The server name itself is not in our codebase. It is possible that the accounts.google connection is related to that, it could also be triggered by an open web page or extension, but it is difficult to say what is triggering it.
gstatic is one of the servers Chromium uses to check for captive portals IIRC.
Effectively, once you start actually using the browser things get messy as the configuration gets updated. The log option I mention could give more information, but even that is limited.
-
@axk said:
vivaldi://media-engagement
It gets deleted if you delete your browsing data.
-
@yngve Thanks for the explanation. Like you said, these Google connections are all served by their CDN 1e100.net and I get different results on the lookup depending on the tool. For instance TCPView just shows the same connection as lq-in-f188.1e100.net.
From the host, I'm thinking it's related to Hangouts which is a hidden extension (nkeimhogjdpnpccoofpliimaahmaaome). Should that extension even be there by default?
-
@AXK said in Decoding network activity in Vivaldi:
@quhno: It doesn't.
It does here. Make sure you delete all data for all times.
You can use private windows if you only want "some" sites not to be logged there.
-
I don't see any info about form autofill (VB-50410)
How does it work? Is a DB downloaded, or is a request made to Google each time a page has a form?
-
Great details on the network activity
-
@Pathduck That extension ID isn't mentioned in the 2.8 source code, at least (another media related one that I do see in my installation, is mentioned). So I have no idea where that extension came from.
-
@Cqoicebordel AFAIK Form autofill would require enabling an API, and likely also Google Account integration, we have neither.
-
@yngve: Then, why is it in Vivaldi settings? (In privacy)
It looks like the feature is enabled, from the user POV.
-
@yngve said in Decoding network activity in Vivaldi:
@Pathduck That extension ID isn't mentioned in the 2.8 source code, at least (another media related one that I do see in my installation, is mentioned). So I have no idea where that extension came from.
Thanks for looking it up. It's probably something that snuck in a while back, even though I've never used Hangouts (but I've opened the page at times). The connections to accounts.google.com and mobile-gtalk.l.google.com are not there when using a clean profile.
It's referenced in the "Secure Preferences" file, and refers to an invalid location:
"from_bookmark" : false,
"from_webstore" : false,
"install_time" : "13203613200388586",
"name" : "Google Hangouts",
"never_activated_since_loaded" : true,
"path" : "D:\\bin\\Vivaldi\\Application\\2.6.1560.4\\resources\\hangout_services",
"was_installed_by_default" : false,
"was_installed_by_oem" : false
I suspect I'll need to do a profile reset to get rid of it, as it can't be "uninstalled". But I'm not paranoid about it, it's mostly driven by a healthy curiosity
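An added example (not part of the post above, nor Vivaldi's own code): a small audit of a profile's "Secure Preferences" file that lists each registered extension, decodes its install_time, and flags entries whose path no longer exists, which is the situation the post describes. The sample data is constructed, and the `extensions.settings.<id>` nesting, the relative-path handling and the function names are assumptions.

```python
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed sample: first entry copies the fields quoted in the post, second is
# made up. The extensions.settings.<id> nesting is assumed (usual Chromium layout).
SAMPLE = json.dumps({"extensions": {"settings": {
    "nkeimhogjdpnpccoofpliimaahmaaome": {
        "from_webstore": False,
        "install_time": "13203613200388586",
        "name": "Google Hangouts",
        "path": "D:\\bin\\Vivaldi\\Application\\2.6.1560.4\\resources\\hangout_services",
    },
    "a" * 32: {  # constructed placeholder ID
        "from_webstore": True,
        "install_time": "13203613200388586",
        "manifest": {"name": "Example extension"},
        "path": "a" * 32 + "\\1.0_0",  # relative to the profile's Extensions dir
    },
}}})

def chromium_time(value):
    """Chromium stores timestamps as microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))

def audit_extensions(prefs_text, extensions_dir, exists=os.path.exists):
    """Return one record per registered extension, flagging paths that are gone."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    report = []
    for ext_id, entry in sorted(settings.items()):
        path = entry.get("path", "")
        # Absolute paths (drive letter or leading slash) are checked as-is;
        # relative ones are resolved against the Extensions directory.
        absolute = path[1:3] == ":\\" or path.startswith(("/", "\\"))
        full = path if absolute else os.path.join(extensions_dir, path)
        stamp = entry.get("install_time")
        report.append({
            "id": ext_id,
            "name": entry.get("manifest", {}).get("name") or entry.get("name", "?"),
            "installed": chromium_time(stamp).isoformat() if stamp else None,
            "from_webstore": entry.get("from_webstore", False),
            "path": full,
            "path_missing": not path or not exists(full),
        })
    return report

if __name__ == "__main__":
    for row in audit_extensions(SAMPLE, "Extensions"):
        print(row)
```

To run it against a real profile, read the profile's "Secure Preferences" file as text and pass the profile's Extensions directory as the second argument.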
-
@Cqoicebordel Hmmm, Have asked a couple of colleagues to do some testing. The setting was added to let users disable it easily, however given that the feature appears to need the Google Services API key, and we haven't enabled anything related to Google Sync (which does not work), the Account Login (which is not working either), or this feature (which likely requires you to be logged into the Google Account via the Sync type login), I doubt it would work even if you are logged into a Google Account via their web page. It might be that this should be auto disabled.
-
@axk: try vivaldi://settings/clearBrowserData "all time" it works
if you try cleaning from ctrl+shift+del doesn't work. today i learned
-
@yngve: Just to be clear, this feature doesn't fill the forms for you, but identifies each input, to help you fill it (is it a name, an address, a phone number etc.)
So I don't think this feature needs you to be logged in to a Google account.
For the rest, a definite answer would be good, as well as why this is on by default
-
hm, now i know that even push-notifications can be "dangerous" due to google, thanks.)
-
Excellent article!
-
@reyn: "dangerous" in quotes is a good way to put it. What is the threat here? That some websites make use of GCM for their notifications, and Google will know that a notification was sent to some IP address? This isn't related to the Vivaldi browser, is a user-initiated behavior, so if anyone has that as a threat in their threat model, mitigation is simple -- don't sign up for notifications from websites that make use of GCM.
For me, this isn't an issue. I don't like notifications from websites in general, and never allow them. Even if I did, I'm almost always connected to a VPN, so my IP address isn't unique to me. The GCM servers aren't Google's tracking servers. I suppose it's possible that they're used for tracking, but one could look into the ToS & privacy policy to confirm that. Point being, the risk is minimal with easy mitigation available. People who are highly concerned about exposing their IP address should be, and likely already are, using a VPN.
-
I have a few questions:
- When Vivaldi contacts Google servers, does Google log our IP address?
- If we have a VPN via a browser extension, does Vivaldi route the transactions to the VPN when communicating with Google servers? Or does Vivaldi communicate "raw" with Google during loading of browser before the browser loads the browser extensions?
- Is it possible for Vivaldi to create proxy endpoints for those essential Google endpoints mentioned in this article so that Vivaldi browser does not directly communicate with Google's server?