Opera, a browser that already has an ad-blocking feature, recently added a new feature to their browser – a free VPN with unlimited data usage. It currently has IP addresses in the United States, Canada, and Germany. This addition was well-received and met with praise, but there’s a twist to it.
It’s actually an HTTP/S proxy that requires authentication. For some reason Opera insists on calling it a VPN even though it says below “Enable VPN” that it’s a proxy.
According to research by Michal Špaček, when you first enable the “VPN”, it makes 4 requests to SurfEasy’s API. The first request “subscribes” you to the VPN and the second gives you your credentials (ID and password). The last two obtain proxy IP addresses.
When you request a web page, requests are made to *.opera-proxy.net with a Proxy-Authorization header. ‘*’ being a country then a number, e.g. de0.opera-proxy.net. A few of the proxy servers appear to be hosted at Xirra. The Proxy-Authorization header is a SHA1 checksum of your ID with your password concatenated by a colon. An example of this header would