GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users’ searches
Google’s “encryption everywhere” claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.
The move described as ‘privacy seppuku’ by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.
Google engineer and security bod Adam Langley in a forum comment confirmed the SSL strip and said it would be removed ‘soon’.
“At the moment, yes, no nosslsearch VIP will do this. However we’re getting rid of it soon and replacing it with one that enables SafeSearch, but still over HTTPS,” Langley said.
“However, if you want an encrypted search option, ‘https://encrypted.google.com’ is always encrypted and isn’t affected by these methods.”
Google and BT have been contacted for comment.
Forbes speculated in a blog detailing the SSL strip that BT may have removed the security measure to facilitate content filtering for kids or ‘more likely’ for data mining.
“It’s reasonable to expect that BT knows the location of every BT WiFi router within 10 to 15 metres, because it has a home address for every one of them,” Forbes said.
“… knowing what is searched by location is a marketing gold mine.”
A curl request, made to check whether using public DNS could get around the security gap, showed that Google was redirecting users to unsecured HTTP via a 302 Found response.
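As an added example (not code from the article or from Forbes' post), the check below parses a raw HTTP response of the kind curl -i prints and flags a redirect that sends an HTTPS request to plain HTTP; the sample responses are constructed, not captured from Google or BT.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP response (status line + headers, curl -i style)
    into (status_code, {lower-cased header name: value})."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(requested_url: str, raw_response: str) -> str:
    """Return 'downgrade' if an HTTPS request is redirected to an http://
    target, 'redirect' for any other redirect, else 'no-redirect'."""
    status, headers = parse_response(raw_response)
    if status not in REDIRECT_CODES or "location" not in headers:
        return "no-redirect"
    # Relative Location values inherit the original scheme, so resolve them first.
    target = urljoin(requested_url, headers["location"])
    if urlsplit(requested_url).scheme == "https" and urlsplit(target).scheme == "http":
        return "downgrade"
    return "redirect"


# Constructed sample: what a scheme-stripping redirect looks like on the wire.
SAMPLE_STRIP = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example-search.test/search?q=test\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<HTML><BODY>moved</BODY></HTML>"
)

# Constructed sample: a redirect that stays on HTTPS (relative Location).
SAMPLE_OK = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /search?q=test&safe=active\r\n"
    "\r\n"
)
```

Run classify_redirect("https://www.example-search.test/search?q=test", SAMPLE_STRIP) to see the downgrade case; any 'downgrade' result on a real network is the signal worth investigating.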
“What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK — one that exchanges the privacy of my searches for BT and Google’s commercial gain,” Forbes said.
“Duckduckgo it is then.”
Note: Use http://www.duckduckgo.com or http://www.startpage.com as your search engine, as neither will track your IP.
Take Home Message
1. Use a VPN – with OpenVPN.
2. Always consider BT or any ISP as the “enemy”.
Historically, OpenVPN was designed to combat Russian and Chinese ISPs.
3. Use strong encryption – AES-256 for your symmetric cipher, along with public keys of at least 4096 bits.
4. Select your VPN provider from neutral third party information.
Use sources such as http://www.torrentfreak.com, or look for EFF membership (as with IVPN).
The use of a VPN is basically mandatory. If Google has the data – so does your government, council, benefits agency and divorce lawyer.
Get real – get a VPN.