Still phoning home

rigo

Re: Phoning home?

Because of a problem with stupid online banking scripts, I looked at the network operations of my browsers. Of course Google phoned home immediately.
I expected Vivaldi to be privacy friendly after all the buzz their Communications and their Boss did about browsers and privacy.

Yet, the first thing Vivaldi does with no windows open is to connect to Amazon services to Google and to some others.

Vivaldi should either stop making claims about being privacy friendly or fix the phoning home to all those trackers.

rigo

I start the browser one after the other and look at which site they connect without any window open or connected. Chrome connects to Google and logs me into my Google account and tracks.
On my linux - box I used ss -4 to look at the connections. If I close the browser, only my xmpp connections show. If I open Vivaldi, it connects to Google owned hosts and to Amazon.

I have not yet done a deeper debugging into what those servers do. But it is sufficient to get my present profile and detect whenever someone opens their browser.

So just try with your browsers. Close all network consuming apps. Do ss -4 or ss -6 if you're using IPv6. Now start one and do the same. You'll see all the IPs it will contact. And contacting IP without user request is phoning home and relevant for privacy claims and GDPR IMHO.

Pathduck

I believe this has been addressed several times on this forum. Vivaldi uses third-party services from Google for instance for phishing and privacy protection. These settings are under Privacy in Settings. You can turn these off like this:

However, Vivaldi still does call Google on startup even with the three services disabled. I suspect also the "Block ads..." setting gets data for its list from Google.

I don't really mind and the devs have explained this is how it is, and that there is no information being sent. I trust them on that.

Below are the connections Vivaldi makes on startup on my system. The 1e100.net addresses are Google-owned. The 82.221.130 IPs are hosting provider hysing.is where Vivaldi keeps data like Sync and so on.

arn11s03-in-f3.1e100.net	https	ESTABLISHED	
fra07s64-in-f170.1e100.net	https	ESTABLISHED		
muc03s13-in-f13.1e100.net	https	ESTABLISHED		
arn11s03-in-f8.1e100.net	https	ESTABLISHED		
82.221.130.134			https	ESTABLISHED		
82.221.130.131			https	ESTABLISHED		
82.221.130.131			15674	ESTABLISHED		

rigo

Yep, I had Google form autofill on, which I never switched on. This is not privacy by default. Found, switched off, but still. "Not sending information" is a bit euphemistic IMHO. If the browser connects it reveals IP and timestamp and probably a lot more information.

Devs explaining "this is how it is" is as bad as lawyers wanting to design software by law or court decisions. This is not the way to go IMHO. And fines are now high enough that people start to listen.

But that doesn't explain the connection to Amazon. I suspect Vivaldi has some stuff in AWS. That may even be fine if contained and crypted, but doing this behind the back of the user isn't really acceptable.

BTW, this is the chrome logic applying. Mozilla didn't phone anywhere.

Pathduck

@rigo said in Still phoning home:

If the browser connects it reveals IP

This is how TCP/IP and client-server connections work, and how the internet has always worked. If you don't want to reveal your IP you can't use the internet, it's that simple. Well of course you can use a paid VPN service to feel safer, but the do you really trust the VPN company? Tit for tat if you ask me...

If Vivaldi connects to AWS on startup I suspect you have an extension that does it. It certainly doesn't for me. What is the IP of the AWS instance it connects to?

rigo

@Pathduck I'm sufficiently literate in networking to know what a TCP connection is and how to Web works And I'm sufficiently literate in security, privacy and law to know when something is suspicious.

That said, the tip with the extensions is a good one. I need to analyse those too. It is still relevant from a privacy perspective if things are just done in background without a good means to control it.

@Gwen-Dragon "contact Vivaldi" is a funny remark here: I'm a Vivaldi-ambassador in a Vivaldi forum talking to a Vivaldi community manager and trying to debug what the thing does before publicity goes berserk facing a suggestion to contact Vivaldi . If I wanted to sue Vivaldi on privacy grounds I would have done so without making noise here to raise my chances to succeed
I was suspicious when von Tetzchner selected blink as a basis instead of presto. He continues to make privacy noises like in the good old opera days to gain market share. Yet vivaldi isn't there yet, privacy wise. So whenever I find something, I make noise. Sometimes, this may be unjustified (extensions). But when I hear "this is how it is", my lawyer-reflexes start itching.

Pathduck

@rigo said in Still phoning home:

But when I hear "this is how it is", my lawyer-reflexes start itching.

Well, that's what I wrote because I couldn't find the actual post by a Vivaldi team member about the same issue. But of course you can sue me, not that it would help

Here's the actual post found with a bit of Google-fu:
https://forum.vivaldi.net/post/177280

rigo

I should have told @yngve that he should have proxied those requests. But I missed that discussion. The possible correlations are too revealing. But maybe he chimes in.
In the meantime, I need to analyse my extensions, namely zotero, privacy badger and kimetrak and a funny anti w3schools that I forgot to remove. Will do so now.
@Pathduck the "it is as it is" argumentation always triggers the lawyers, so be careful

rigo

@yngve , as usual, was right in saying that it connects to google. W3Schools remover connects to Amazon. Privacy badger connects to some provider in SFO. And zotero connects to cloudflare despite the fact that I have told it I have a local instance. I will have to work on those to block their access to remote services.

That said, vivaldi should proxy the requests to those google component services, really... And people should be told that vivaldi my not run correctly without google servers connecting.

Cqoicebordel

Note that, included in what Yngve named "components" are included extensions that are checking for updates too, like the PDF viewer and Chrome Cast.

A researcher did look into Vivaldi : https://twitter.com/jonathansampson/status/1165358155922059266