
Security Bits — 16 April 2023

Deep Dive 1 — Opera’s ‘VPN’ is Useful but Poorly Named

Opera made some news by expanding their free in-browser security feature, which they call a VPN, to iOS. This makes the feature truly cross-platform, covering Windows, Mac, Android, and now iOS. The news prompted me to look into the feature before linking to the story, because the name implies this is a VPN service, and that simply toggling a button in the app’s settings will magically protect you like a true VPN does — it does not!

I was deeply suspicious, but it took quite a bit of sleuthing to get a proper understanding of what’s going on, because almost every news story just slightly re-phrased the official press release, without adding context, detail, or frankly, value.

Aside/Rant: my hunt for details was an eye-opening experience from which I’ve concluded that a lot of so-called ‘journalists’ are very likely to be replaced by ChatGPT soon, because they’re already useless, insight-free noise!

I had two concerns:

  1. Opera are a for-profit company, so how are they offering a free VPN service that they claim respects privacy?
  2. How could it be technically possible for a browser to contain a true VPN?

The few good articles I found on the topic all addressed the ‘follow the money’ question, and this excerpt from TechCrunch summarises the company’s response to the question well:

“The company is able to offer free tools to end users because it generates revenue through other channels, including search and ad revenues, as well as technology licensing fees. It’s projecting $370 – $390 million in revenues for 2023, for instance.” — Tech Crunch

Tech Crunch then goes on to point out that despite the company being headquartered in Oslo (Norway) and being GDPR compliant, there is some concern over the fact that there are significant Chinese shareholders. Given their HQ is in Oslo, I think they’re probably safe from formal CCP (Chinese Communist Party) interference (I’m sure they’re being targeted by espionage just like every other major company in the world!).

But what about the tech? Honestly, I think it’s disgraceful that the company are using a technical term with a real technical meaning to describe a service that does not meet that technical meaning at all. If you just look at the non-jargon plain-English definitions of the word you can sorta-kinda stretch them to cover what the product does, but I can’t honestly describe this as anything less than misleading. This ‘VPN’ service does not use any VPN protocols!

A true VPN is a low-level networking concept where a virtual network interface is added to the OS — it looks as if you added an extra ethernet or wifi card! But instead of being a hardware device, this network interface uses software to wrap all the traffic routed through it in strong encryption, and then sends the encrypted packets over the internet to another computer somewhere else in the world where the reverse happens.

What Opera is doing is different: it uses a TLS (basically HTTPS) connection from the browser app to Opera’s servers to send the browser’s DNS & HTTP(S) requests, and those servers then forward the requests out to the internet. This means it is the browser’s traffic that is encrypted, and only the browser’s traffic; everything else on the device is untouched.
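The practical difference between the two designs shows up in the operating system’s routing table, and that is something you can check for yourself. The following is an added example of mine, not code from the original post or from Opera: it parses Linux `ip route` output (the sample tables below are constructed, and the tunnel interface name prefixes are my assumption) and reports whether a virtual tunnel interface carries all of the host’s traffic. It goes a little beyond a plain default-route check by also recognising OpenVPN’s `redirect-gateway def1` pattern of two half-routes. A browser-level TLS proxy never changes this table at all, which is exactly why only the browser is protected. On macOS the equivalent raw data comes from `netstat -rn -f inet`, and WireGuard’s `wg-quick` uses policy routing, so there you would need `ip rule` and `ip route show table all` as well.

```python
"""Added example: decide from a routing table whether a 'VPN' is a real
full-device tunnel or leaves the system untouched (as an in-app proxy does).

A true VPN adds a virtual interface (tun0, utun3, wg0, ...) and steers the
default route through it, so every application's traffic is covered.  A
browser-level TLS proxy leaves the routing table exactly as it was.
"""

import re

# Assumption: common interface-name prefixes for software tunnel devices
# (OpenVPN tun/tap, WireGuard wg, macOS/iOS utun, PPP and IPsec tunnels).
TUNNEL_PREFIXES = ("tun", "tap", "utun", "wg", "ppp", "ipsec")


def is_tunnel_interface(name: str) -> bool:
    """True if the interface name looks like a virtual tunnel device."""
    return name.startswith(TUNNEL_PREFIXES)


def parse_ip_route(output: str) -> dict:
    """Map each destination prefix in `ip route` output to its interface.

    Handles both 'default via GW dev IF' and 'PREFIX [via GW] dev IF' lines;
    'default' is normalised to '0.0.0.0/0'.
    """
    routes = {}
    pattern = re.compile(r"^(\S+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)")
    for line in output.splitlines():
        m = pattern.match(line.strip())
        if m:
            dest, dev = m.groups()
            routes["0.0.0.0/0" if dest == "default" else dest] = dev
    return routes


def tunnel_carries_all_traffic(routes: dict) -> bool:
    """True when the whole IPv4 address space is routed via a tunnel.

    Two patterns count: a plain default route on a tunnel device, or the
    OpenVPN 'redirect-gateway def1' trick of adding 0.0.0.0/1 and 128.0.0.0/1
    via the tunnel, which beat the original default route on prefix length.
    """
    if is_tunnel_interface(routes.get("0.0.0.0/0", "")):
        return True
    halves = (routes.get("0.0.0.0/1", ""), routes.get("128.0.0.0/1", ""))
    return all(is_tunnel_interface(dev) for dev in halves)


def classify_vpn(output: str) -> str:
    """Summarise what kind of protection the routing table implies."""
    routes = parse_ip_route(output)
    if tunnel_carries_all_traffic(routes):
        return "full-device VPN"
    if any(is_tunnel_interface(dev) for dev in routes.values()):
        return "split-tunnel VPN (only some destinations via tunnel)"
    return "no system VPN (an in-app proxy would look exactly like this)"


# Constructed sample: laptop on Wi-Fi with no VPN, or with a browser-only proxy.
NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Constructed sample: the same laptop after OpenVPN with redirect-gateway def1.
# 203.0.113.10 stands in for the VPN server, reached directly to avoid a loop.
OPENVPN_FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: a split tunnel that only covers one private subnet.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

if __name__ == "__main__":
    for label, table in (("no VPN", NO_VPN), ("OpenVPN", OPENVPN_FULL),
                         ("split tunnel", SPLIT_TUNNEL)):
        print(f"{label}: {classify_vpn(table)}")
```

On a real machine, replace the constructed strings with the live output of `ip route` and compare the verdict with what the product’s marketing claims; if the table reads like the first sample while the ‘VPN’ toggle is on, only the app that owns the toggle is being protected.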

While the technology is not the same, functionally this is equivalent to Apple’s Safe Browsing feature in iCloud Plus, but because Opera are marketing it as a VPN, it sounds like it does more. The difference is that Apple’s branding is honest, while Opera’s is misleading!

Best-case, this is just marketing peeps getting away with too much, but it leaves a really bad taste in my mouth. As I see it, either management are ignorant, spineless, or dishonest, and none of those options are good enough IMO, so I will not be recommending this to anyone.

Links

Deep Dive 2 — What’s Apple’s (Relatively) New ‘Rapid Security Response’ Feature?

Note: This segment is a special request from Allison, who came across a feature she didn’t recognise on a popular Apple fan site, and asked that I explain it on the show.

At last summer’s WWDC Apple announced an upcoming improvement to how they would handle critical security updates, which they branded Rapid Security Response. However, it was one of those features they promised would be coming ‘later’, rather than shipping with the initial releases of macOS 13 & iOS 16. I made a mental note that we needed to talk about Rapid Security Response on this segment when it went live, but we never did. Why? Because news of its launch with macOS 13.2 and iOS 16.2 in January 2023 got drowned out by the more dramatic advanced iCloud protections that also went live with those releases.

So, what changed in January? To understand that, let’s remind ourselves how things worked before January.

OS updates contained a mix of feature releases, bug fixes, and security patches. Automatic software updates were not just supported, but positively encouraged, with Apple nudging users towards turning them on. But, even with automatic updates on, most people’s devices didn’t get updated straight away: Apple intentionally staggered the updates over multiple weeks, starting with a small cohort of devices, then ramping up as it became clearer the updates were free from unintended side-effects. This is absolutely fine for new features, and acceptable for bug fixes, but it’s not nearly good enough for security updates.

What Apple have done now is split the important security updates out into a completely different mechanism, designed to deliver small, targeted security fixes without delay. Because the changes are tightly focused on fixing specific security vulnerabilities they are much less likely to break things, and of course, they’re much smaller, so there’s no need to wait for the device to have a good internet connection before starting the automated download. Also, because they are so tightly focused, Apple can avoid the need for reboots most of the time.

The feature is on by default, so you don’t have to do anything to benefit from this enhanced protection. Just know that since January, Apple’s latest OSes are just that little bit easier to keep secure 🙂

Links

❗ Action Alerts

Worthy Warnings

Notable News

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 16 April 2023”

  1. ChatGPT Français - October 26, 2023

    The article is very good and detailed
