Slashdot Mirror


Widespread Hijacking of Search Traffic In the US

Peter Eckersley writes "The Netalyzr research project from the ICSI networking group has discovered that on a number of U.S. ISPs' networks, search traffic for Bing, Yahoo! and sometimes Google is being redirected to proxy servers operated by a company called Paxfire. In addition to posing a grave privacy problem, this server impersonation is being used to redirect certain searches away from the user's chosen search engine and to affiliate marketing programs instead. Further analysis is available in a post at the EFF."

23 of 194 comments

  1. Use HTTPS by mrogers · · Score: 5, Informative
    Another good reason to install HTTPS Everywhere, a browser extension that will redirect your Google searches to the HTTPS version of the site. By checking the certificate presented by the server, your browser can then be sure that it's talking directly to Google. (HTTPS Everywhere also works for a lot of other popular sites.)

    Or, if you don't like Google, use DuckDuckGo, which uses HTTPS by default with no need for a browser extension.

    1. Re:Use HTTPS by Gaygirlie · · Score: 4, Interesting

      I too have to recommend HTTPS Everywhere, it's a great add-on and makes it a lot safer to e.g. surf the web over an unencrypted WIFI hotspot. And so far I haven't actually had a single glitch because of it.

    2. Re:Use HTTPS by arth1 · · Score: 3, Informative

      Sure, there are benefits, but as always, TANSTAAFL.

      - https does incur overhead and higher CPU usage on both ends, so it will be slower.
      - It will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
      - Some sites serve different content on the http and https sites.
      - A few even redirect the https to http (to save themselves cycles and bandwidth, while not losing the visitor).

    3. Re:Use HTTPS by silanea · · Score: 3

      - https does incur overhead and higher CPU usage on both ends, so it will be slower.

      Firstly, this overhead is manageable. You do not have to be Google to run all your content over HTTPS. Secondly, apparently encrypting every single connection is a necessity of the times to prevent assholes from hijacking traffic, so that overhead is simply the necessary cost of interacting safely over the Internet.

      - It will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)

      I do not know a single person who runs a proxy at home.

      - Some sites serve different content on the http and https sites.
      - A few even redirect the https to http (to save themselves cycles and bandwidth, while not losing the visitor).

      You can disable individual rules. Over time those websites will have to stop doing those things or they will lose visitors.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    4. Re:Use HTTPS by avatar4d · · Score: 2

      For users of Chrome, you can change your default Google search to use HTTPS by following the instructions here

      --
      Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
    5. Re:Use HTTPS by PNutts · · Score: 5, Funny

      I do not know a single person who runs a proxy at home.

      You should get out more, or stay in more. I'm not sure which one applies here.

  2. Re:That didn't take long by AHuxley · · Score: 2

    http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf paper quoted is the only real missing link.

    --
    Domestic spying is now "Benign Information Gathering"
  3. ISPs by Jaysyn · · Score: 4, Informative

    Here is a list of the ISPs mentioned in the article:

    Cavalier
    Cincinnati Bell
    Cogent
    Frontier
    Hughes
    IBBS
    Insight Broadband
    Megapath
    Paetec
    RCN
    Wide Open West
    XO Communication

    --
    There is a war going on for your mind.
  4. That's not a privacy concern... by Anonymous Coward · · Score: 4, Insightful

    ... that's a fucking computer crime.

    1. Re:That's not a privacy concern... by GameboyRMH · · Score: 3, Insightful

      No no no, big corporations did this, it's just a privacy concern ^_^

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. Re:Use https? by fuzzyfuzzyfungus · · Score: 2

    HTTPS will (barring CA incompetence or your ISP 'install disk' quietly adding their own root certs) assure you that you are talking to the real google.

    If your ISP is fucking with DNS, though, and your attempts to talk to the real google are going to a different IP entirely, it will only warn you of that, not get you where you want to go.

    If only because copyright/trademark claims for a US company serving an exact duplicate of the google homepage for monetary gain could pretty quickly hit the zillions, I'm guessing that these "Paxfire" shitbags aren't actually trying to do a 100% spoof of the site you want, just redirecting you to some horrid 'search' page of the sort normally maintained by typosquatters and similar scum.

    HTTPS isn't harmful under this circumstance; but it is unlikely to tell you anything you didn't already know, and it isn't even intended to solve the problem you will want to solve...

  6. The list of ISPs by Bob+the+Super+Hamste · · Score: 2

    For those of you wondering what ISPs are doing this the New Scientist article has it:

    List of ISPs that are redirecting some search queries

    Cavalier
    Cincinnati Bell
    Cogent
    Frontier
    Hughes
    IBBS
    Insight Broadband
    Megapath
    Paetec
    RCN
    Wide Open West
    XO Communication

    Charter and Iowa Telecom were observed to be redirecting search terms, but have since ceased doing so. Iowa Telecom stopped its redirection between July and September 2010, and Charter stopped in March 2011.

    --
    Time to offend someone
    1. Re:The list of ISPs by Cornwallis · · Score: 2

      Add One Communications (now owned by Earthlink) to the list.

  7. Re:Use https? by X0563511 · · Score: 2
    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:Simple Solution by X0563511 · · Score: 3, Informative

    Then use a local resolver, ensure you set up DNSSec checking, and beat everyone with a stick who still doesn't sign their zones.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  9. Re:That didn't take long by alostpacket · · Score: 3, Funny

    Works fine for me. I just won 2 free $250 Walmart Pirce club cards and I get 20% off my next purchase of a HiPhone 5 Nano from Somy. Pretty exciting.

    --
    PocketPermissions Android Permission Guide
  10. Questions answered in this thread... by nweaver · · Score: 5, Interesting

    I am one of the Netalyzr developers involved in this work. I or my colleagues will answer questions in this thread, but I may be offline for a little while so responses may be somewhat delayed at times.

    --
    Test your net with Netalyzr
    1. Re:Questions answered in this thread... by nweaver · · Score: 2

      They do NOT intercept DNS that's not directed to the ISP's resolvers, thus using Google Public DNS allows you to avoid this redirection completely if you are affected.

      --
      Test your net with Netalyzr
  11. Re:Comcast by Skapare · · Score: 2

    I just tested Comcast's DNS lookup. They are redirecting SLDs that get NXDOMAIN from the TLD server. However, for hostnames within registered and working SLDs, they are redirecting SOME of those, as well. In particular my test for a couple of my own domains shows that for .net they are not doing 3rd level name redirection, but for .us they are. IMHO, the 3rd level redirection is bad.

    --
    now we need to go OSS in diesel cars
  12. Re:Do you have a useful tool for identifying this? by nweaver · · Score: 3, Informative

    Yes. Netalyzr specifically detects this condition amongst its many other tests. We also have a Java Command Line Client.

    You can also check by doing a "dig search.yahoo.com". If the authority is "jomax.net", it's a Paxfire appliance changing the results.

    --
    Test your net with Netalyzr
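    The dig check nweaver describes (and Skapare's NXDOMAIN comparison further down) can be scripted: the snippet below is an added example, not Netalyzr code, that parses saved `dig` output and flags an AUTHORITY section pointing into jomax.net. The sample outputs, addresses and TTLs are constructed for illustration.

```python
import re

# Constructed sample of `dig search.yahoo.com` output as seen behind a Paxfire
# appliance: the jomax.net authority is the indicator nweaver describes above.
# Addresses, TTLs and the query id are made up for illustration.
HIJACKED = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345

;; QUESTION SECTION:
;search.yahoo.com.              IN      A

;; ANSWER SECTION:
search.yahoo.com.       60      IN      A       192.0.2.10

;; AUTHORITY SECTION:
search.yahoo.com.       60      IN      NS      ns1.jomax.net.
search.yahoo.com.       60      IN      NS      ns2.jomax.net.
"""

# Constructed sample of an unmodified answer (delegation stays under yahoo.com).
CLEAN = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456

;; ANSWER SECTION:
search.yahoo.com.       300     IN      A       198.51.100.20

;; AUTHORITY SECTION:
yahoo.com.              3600    IN      NS      ns1.yahoo.com.
"""

def parse_dig(output):
    """Return {section: [(name, ttl, class, rtype, rdata), ...]} from dig text."""
    sections, current = {}, None
    for line in output.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and not line.startswith(";") and current is not None:
            fields = line.split()
            if len(fields) >= 5:  # name ttl class type rdata...
                sections[current].append(tuple(fields[:4]) + (" ".join(fields[4:]),))
    return sections

def dig_status(output):
    """RCODE text from the header line, e.g. NOERROR or NXDOMAIN."""
    m = re.search(r"status: (\w+)", output)
    return m.group(1) if m else None

def paxfire_indicator(output, marker="jomax.net."):
    """True when an AUTHORITY NS/SOA record points into the marker zone."""
    return any(rtype in ("NS", "SOA") and marker in rdata
               for _n, _t, _c, rtype, rdata in parse_dig(output).get("AUTHORITY", []))

def answer_ips(output):
    """A-record addresses in the ANSWER section, for comparison across resolvers."""
    return [rdata for _n, _t, _c, rtype, rdata in parse_dig(output).get("ANSWER", [])
            if rtype == "A"]
```

    Running the same parse over `dig @8.8.8.8 search.yahoo.com` output and comparing `answer_ips()` results shows whether the ISP resolver is the one rewriting answers.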
  13. Re:I wonder by number11 · · Score: 4, Informative

    Now if only I could vote with my dollars and switch to a different ISP that hasn't done this (Charter is my other option and they "claim" to have stopped).

    Why not simply plug in a different DNS instead of using their crappy one?
    Google 8.8.8.8, 8.8.4.4
    OpenDNS 208.67.222.222, 208.67.220.220
    Verizon 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6 (since these are all on the same subnet, don't use them for both primary and secondary)

    You can use Google Namebench to compare DNS speeds.

  14. Mistyped URLs by macraig · · Score: 2

    "... additional revenue through advertising based on mistyped URLs."

    This is why perfect spelling is so important.