  #11  
December 29th 17, 10:29 PM posted to alt.windows7.general,alt.comp.os.windows-10
Char Jackson
For Windows experts only: How to find the unique Opera device_id associated with my setup?

On Fri, 29 Dec 2017 21:34:13 +0000 (UTC), Chaya Eve
wrote:

On Fri, 29 Dec 2017 12:31:14 -0600, Char Jackson wrote:

Most people lock their door, but I don't know many people who take all
of the steps that you take. That's probably what Diesel was getting at.


Let's try to stay on topic, which is to first try to understand *what*
Opera actually does - and then - once we understand that - then we can see
if anyone here knows Windows well enough to figure out how to capture it.


It doesn't have much to do with Windows (or Linux, from your prior
threads), as several people have pointed out. It's an Opera question.
You're trying to sniff your network traffic to see what *Opera* is
doing, but as I've said, you're trying to look inside an encrypted
session. Without the proper certificate, you're going to have a hard
time with that.

I thought it was a valid question. "Windows Networking" isn't
responsible for creating or storing either of the unique IDs in
question, and by the time they're being transported, the session is
encrypted.


Your point about Windows isn't valid


How so?

but your point about encryption is
valid. Windows should be able to capture anything that emanates from our
computers. If we can't capture what emanates from our computers, we're
essentially driving them blind.


Right, you can capture anything and everything that "emanates" from your
computer, but what you're overlooking is that a lot of your network
traffic, and this specific network traffic in particular, is going to be
encrypted. That's the whole point of using HTTPS.

As for encryption, yes, it may be encrypted - but - we know where it goes,
as it goes to de0.opera-proxy.net. And we know that it is preceded by
the following Proxy-Authorization request header.
* CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE 67
* 4A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D8 6A3


That information doesn't really help. It does help you filter just the
traffic that's of interest, but when you view it in Wireshark you're
going to see that the payload is encrypted. Go ahead and capture it and
see for yourself. I expect the entire TCP payload to be encrypted,
including the headers, even the Proxy-Auth header.

On Linux systems, I use the industry standard tcpdump to capture network
packets to a file which I then view in Wireshark. It's usually built in.

On Windows systems, I use WinDump to capture network packets to a file
which I then view in Wireshark. WinDump is a separate download, not
included in Windows.

Either way, you can filter traffic with tcpdump/WinDump to keep your
capture file manageable, or you can run the capture wide open and use
Wireshark's excellent filters to hide everything that's not of interest.

The point is that we are all ignorant, in that we are driving our Windows
computers with a blindfold on - and where all I'm asking is for advice from
people who know how to drive Windows better than I do - for how to remove
the blindfolds.


Ask SurfEasy for a copy of their private key (not gonna happen), then
set up a local transparent proxy. You'll be able to decrypt the traffic
and see all of the headers that you've identified. They'll be in the
clear.

What's a perfectly valid question is *what* does Opera actually do when you
run it on Windows, where, most people here are clueless, as am I.


Right. As I said above, it's an Opera question, not a Windows or
networking question.

What Opera does is like "winter". It does what it does. All I'm asking is
if anyone knows winter well enough to suggest a warm coat.


You can't reduce it to that level of simplicity. If you could, how
secure would it be?

For example, trying to keep on topic even though I probably won't learn
anything from you


snip

Well, Happy New Year to you, too.

What I'm asking is:
1. Where is the unique SurfEasy-generated device_id & Opera-generated
sequential subscriber-id stored on Windows?


From prior reading, the "SurfEasy-generated device_id" is generated by
SurfEasy and doesn't need to be stored locally. It can simply be
resident in RAM. You could take a snapshot of your RAM, but there's no
guarantee that this ID will be stored with a human-readable label.

I admit I don't understand this public-key/private-key encryption sequence
but I'm hopeful that there is a way to at least *watch* it in action.

That is, we do the following using Windows tools:
1. We clear the device_id and subscriber-id as shown above.
2. We watch a session to see what happens.
3. We run enough sessions to see that these two numbers remain the same.


At the network level, you can't see the data that you're looking for.
It's not like the header is standing out there in the wind and it simply
has an encrypted value. That would make this exercise trivial. The whole
thing, including headers, is encrypted.

I knew only an expert could answer it as it requires knowledge of Windows
networking that I don't have.


I think you mean knowledge of Opera.
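
An added illustration, not part of the original post: what a tcpdump/WinDump capture of the connection to de0.opera-proxy.net leaves readable, assuming TLS 1.2-style record framing. The function names and the sample bytes are constructed for this example; it walks the TLS records in a TCP payload and reports the only cleartext a passive capture gets (record types, sizes and the server name in the ClientHello), while the HTTP headers, Proxy-Authorization included, sit inside the opaque application_data bodies.

```python
import struct

NAMES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in a TCP byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in NAMES or pos + 5 + length > len(stream):
            break  # not TLS, or the record was truncated by the capture
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def client_hello_sni(body):
    """Return the cleartext server_name from a ClientHello body, or None."""
    try:
        if body[0] != 1:                               # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32                                 # handshake header, version, random
        p += 1 + body[p]                               # session_id
        p += 2 + struct.unpack_from("!H", body, p)[0]  # cipher_suites
        p += 1 + body[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", body, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, p)
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack_from("!H", body, p + 7)[0]
                return body[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                           # malformed or encrypted handshake
    return None

def summarize(stream):
    """Everything a passive capture can read: record types, sizes and the SNI."""
    out = {"records": [], "sni": None}
    for ctype, body in tls_records(stream):
        out["records"].append((NAMES[ctype], len(body)))
        if ctype == 22 and out["sni"] is None:
            out["sni"] = client_hello_sni(body)
    return out

_name = b"de0.opera-proxy.net"   # constructed sample; host name taken from the thread
_exts = struct.pack("!HHHHBH", len(_name) + 9, 0, len(_name) + 5, len(_name) + 3, 0, len(_name)) + _name
_hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + _exts
_hs = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE = (b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs      # ClientHello record
          + b"\x17\x03\x03\x00\x40" + bytes(range(64)))            # stand-in for ciphertext
```

Calling `summarize()` on the reassembled client-to-server bytes of a real capture gives the same kind of result: a server name and a list of record sizes, with no header names or values.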
