Connections to Google
kurikulu last edited by kurikulu
I have more privacy setting up an unencrypted server inside Kim Jong Uns private home than pinging any US/UK service.
Abstracting the Chromium settings page away to your own does not validate not removing the IPs/Links in the source. This looks like laziness/very terrible way to try to save money during developement.
If it is that hard (/costly) for you to properly audit the code, just use the patches, built by single individuals, for free, that removed every single American connection. I don't get the licensing model anyway you say here is the source but still distribute it as proprietary software. Is this like the Duckduckgo Scam or what? (For the clueless: DDG's owner is a known data miner; But I guess people using US/UK services while wanting privacy must be next-level trolls)
@kurikulu There are only two connections, to my knowledge, that are ever made to a Google IP by the Vivaldi browser (extensions may try to make others) unless you are signed in to GMail, Google Drive, or something like this.
The first would be if you have checked the box telling the browser to report Google Safe Browsing events. The other would be if you have the box checked to have Vivaldi compare attempted website connections with the Google list of known phishing-style sites.
There is also a chromecast IP connection on your own local home network that the browser will attempt to make if you have set up ChromeCast or installed the ChromeCast extension/app. I can't recall if the browser reports this one out as Chrome home network, or Google home network.
@ayespy Goto vivaldi://settings/content/ . Instantly your system sends and receives network packages from a Google IP (googleapis.com). Change any setting your system sends and receives packages from a Google IP (google.com, google.).
This has nothing to do with the functionality you describe I am well aware of those. The "Safe Browsering" trap is, after all, just a trap and since I always disable all those pseudo privacy/security functions I could not check whether Vivaldi uses the Google API (ie sending every link to Google) or just downloads the list and caches it, checking the links locally.
If this would have been an actual Open source product one could say "I'll wait till they sort out their problems". But this just makes me lose the trust and never want to come back to Vivaldi.
And in case you want to ask: The profile I used was a clean chroot. Literally the whole system was fresh (and obviously without Google stuff).
Komposten last edited by
There are several other threads similar to this on this forum, and as far as I know the conclusion has always been that it was either an extension (of which I guess you don't have any) or a harmless must-happen connection (i.e. no data transfers, ip-grabbing, etc. involved).
(I'm not too savvy in this area, though, so I guess it's possible that you've encountered something new.)
@kurikulu I will ping the developers and see if someone can answer this question.
@komposten No definitive word from the developers yet, but myself and some more advanced testers have put our heads together backstage, and run some diagnostics.
It appears when you opened the Chrome://settings page, you triggered Chromium code that tries to retrieve your personal settings from Google. This code cannot succeed because Vivaldi does not ship with Chrome APIs and has no valid Chrome Unique ID.
Still, my opinion is that such code should not even be triggered, and I have brought that up. I suspect the developers can apply a patch to Vivaldi preventing such code.
paragon last edited by
Is this like the Duckduckgo Scam or what? (For the clueless: DDG's owner is a known data miner
OT though curious to know source of your claim regarding DDG
Morg42 last edited by
Please read https://forum.vivaldi.net/post/177280
Komposten last edited by Komposten
@ayespy That makes a lot of sense, and I guess it can be fairly easy to overlook (the settings page isn't necessarily the first place you to when testing for connections to Google's APIs). I agree that it shouldn't be triggered in the first place, especially since it serves no purpose in this browser.
Since pretty much all other connections to Google have been eliminated, I can't see why the Team wouldn't remove this one too.
@komposten I can't guarantee any time frame, but a bug has been generated, and there have been a few pages of discussions back and forth between three testers and a developer who has joined the conversation (and asked for the bug report), so there is awareness of this issue and attention on it. We are all in agreement that there is no reason these attempts to connect should occur.
Just to clarify this a bit, Vivaldi doesn't ship with Chrome's API keys, so it can't talk to back-end Google services. When you go into the Chromium site or settings UI, it looks like an error gets triggered (because the stuff to talk to Google is not set up) which, in turn, triggers a connection to googleapis.com presumably to try to recover. It doesn't look like any private data is actually transmitted upstream.
As @Ayespy said, a bug has been opened so that the developers can look into this further and stop these connections from happening.
Just to give you a quick update, the one brief connections that we're seeing consistently is the Language settings code in Chromium trying to fetch a list of languages. That's all.
As other deep dives into the code have shown, Vivaldi's Chromium browser engine will occasionally contact Google servers from time to time for routine and benign purposes, but doesn't send any private data upstream. As I also mentioned earlier, because Vivaldi is missing API keys, it can trigger certain errors under some circumstances. However, so far, it doesn't look like any of the connections that we're seeing are anything to be concerned about.
I'll update you with any new findings.
In the meantime, if you should ever see Vivaldi making any "suspicious" connections back to Google, please continue to report them here... and please don't assume that the worst is happening. (All reports are taken seriously and checked into fully.) Keep in mind that the goal of the Vivaldi team is to build a browser that, above all, respects its users.
It doesn't look like any private data is actually transmitted upstream.
It is not about me giving literal private data (as in my birthdate or name) but rather about the fact that Google gains additional information about me even if passive. Through that one single connection they know what OS I run and can guess the version and have the IP. And if you have visited any website that embedds Google code, regardless of Browser and OS Google will get free market info since your IP is known and can be correleted to the other data.
However, so far, it doesn't look like any of the connections that we're seeing are anything to be concerned about.
Vivaldi is connecting to an US server. A server that is hosted in the United States of America. Without my consent it is connecting to the most malicious of hosts possible on the entire planet. If the European dev/security team is not concerned about that then this Browser certainly is not for "power users". Even the passive fingerprinting (a simple ping is enough for that) gives them free market data.
So when Vivaldi is saying "Google does not benefit by us using their product" it is a utter and blatant lie. Or the devs/sec team is just incompetent. If there is an alternative please explain to me.
@kurikulu As a user, I appreciate your alerting us to these connections. As part of the test team, all I can do is to try to replicate your findings, figure out what's going on, and do my best to provide a transparent, informed response to explain why you're seeing what you're seeing.
From a technical perspective, I don't think that there is any way for any Chromium-based browser to avoid contacting Google servers. It has to, even for doing mundane (yet critical) things relating to certificate management and fetching certificate revocation lists.
kurikulu last edited by kurikulu
I don't think that there is any way for any Chromium-based browser to avoid contacting Google servers.
There are patchsets that do exactly this, at least I never had them ever try to connect to anything except the webpage I was actually trying to reach, regardless of what I did, including opening the Chrom* internal config page. But all of them are Open source which make them unusable in Vivaldi.
things relating to certificate management and fetching certificate revocation lists.
I doubt that translate.google*.com and/or *.googleapis.com have anything to do with the certificate handling especially since the connection only trigger when you visit the Chrom* internal configuration url vivaldi://settings/content
@kurikulu I think we're all in agreement that the connections you reported should not be occurring. The bug pertaining to this is still open and I'm hopeful that this will get resolved.
So is there any bug tracker we can follow this?
Since Vivaldi isn't under an Open source license I can't just check the commits and compile it myself.. It is really daunting as I really want myself to migrate over to Vivaldi.
@kurikulu The bug tracker is closed, but you may ask mods for details on the progress of any bug. The bug number for this one is VB-39696. Use that number when asking.
Ok then can any of the mods in this thread tell me the progress on VB-39696
@kurikulu It's confirmed and commented by more than one developer or tester, but not yet formally assigned to anyone.