Verizon Injects Unique IDs Into HTTP Traffic

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

Is there a way to prevent this?

This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

Re:Is there a way to prevent this?

third party VPN paid for by a cash card

Re: Is there a way to prevent this?

Or just browse https only

Re:Is there a way to prevent this?

[0dugo0]

Rig as many webservers as possible to give users with that header a nag screen

Re:Is there a way to prevent this?

[slinches]

Don't use Verizon as your ISP?

Re: Is there a way to prevent this?

To be honest, I don't think this does anything. I think a VPN might be the only current way to avoid this, as your traffic in a VPN tunnel is theoretically not seen by the routers that pass it. I'm not sure if deep packet inspection tools could add the unique ID. I'm not a network engineer, so I don't know for sure. I do know that VPNs of today are rapidly becoming easier to circumvent by those who would do so.

Re:Is there a way to prevent this?

[Charliemopps]

Don't use Verizon as your ISP?

Personally, I use Verizon and have no other choice for a wireless provider. AT&T has plans to build another tower here in 2021, and it's not like their the champions of my privacy either.

Re:Is there a way to prevent this?

Unacceptable. Verizon licensed the spectrum from citizens, and therefore has certain obligations.

This is what should occur. Make use of any spectrum contingent upon a series of consumer friendly policies. Failure to comply requires turning the spectrum and any technology that uses it or assists in its use over to auction. Then establish a rule that prohibits anyone over a pay grade access to any industry that uses spectrum for a predetermined duration.

If you set the concequesnces high enough than ideas like this get shot down in the board room.

Re:Is there a way to prevent this?

[CaptainDork]

So your theory is that, now that women have been "integrated" in the military, male soldier's sexual needs have been met?

Re:Is there a way to prevent this?

[whoever57]

There has to be a way to prevent this

As a sysadmin, you should know that it is easy and cheap to rent a VPS (Virtual Private Server). Then, run squid on the server, or do some fancy routing to send all your web traffic out via a VPN to your VPS. Since most VPS services offer a minimum of 1TB of monthy data, there should not be any excess data usage charges.

Re: Is there a way to prevent this?

TLS from end to end ...

Re:Is there a way to prevent this?

[Nethemas+the+Great]

Judging by the sexual harassment reports, I'm guessing no. They must be cutting back on cycling soldiers through SE Asia.

Re:Is there a way to prevent this?

[DamnOregonian]

Not just sexual harassment. It's safer for a supermodel to walk down MLK in your favorite large city naked than a homely woman to walk from one end of Fort Hood to the other, wearing ACUs after dark.
When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.

Re:Is there a way to prevent this?

[mmell]

...the internet was indeed created for porn and online casinos.

.

FTFY.

Re:Is there a way to prevent this?

[gbjbaanb]

bullshit. They bought it from the government, whose representation of its citizens occurs roughly every 5 years for a fortnight. Apart from that time, they do what they like. And even in that fortnight they just tell you what you wanted to hear anyway.

Re:Is there a way to prevent this?

[dgatwood]

So you're saying they made a new network for blackjack and hookers? You know what, forget the network. And the hookers.

Re:Is there a way to prevent this?

[slinches]

That's the problem with monopolies (natural or otherwise). Still, there is an option to sign up for just the phone plans without wireless data and use wired or satellite ISPs for internet access.

You could also go the route of circumventing the problem (using the methods others have already suggested) with a bit of added effort/cost, but in that case there's no disincentive to help persuade Verizon to stop the program.

Re:Is there a way to prevent this?

[Dishevel]

You still have the right.

You just need to decide to not be a Verizon customer.

Re:Is there a way to prevent this?

[cbhacking]

USA, so more like every two years for the federal government (this is an election year for congress, though not for the presidency) and it lasts a lot longer than a fortnight (which, it should be mentioned, is a word only very rarely used on this side of the pond) due to the degree of campaigning that people do here (though it's definitely a bigger deal on the presidential years).

No argument on the "tell you what you wanted to hear anyway" part, though! Something so far removed from the few very carefully controlled Major Issues as corporate misuse of licensed bandwidth is going to be completely ignored by both sides (and there *are* only two sides; the media won't even report on any other parties or permit them at the debates). Occasionally some congressthing ("critter" isn't sufficiently derogatory for them) will make some statement (and maybe actually introduce / support some legislation) about such topics, but generally only when pandering to local interests in their districts.

Re: Is there a way to prevent this?

[TheGratefulNet]

I don't think you could modify packets that are in an ssl stream and not have ssl detect it and reject the 'broken' packets.

https is mostly secure (other than MitM attacks on certs) and vpn's are also very secure.

I have a vpn and while I use it mostly at home, there is an android client (even for my ancient 2.x android o/s) for the vpn provider I have and so I could get as complete privacy as possible on my phone, while doing inet things.

Re:Is there a way to prevent this?

[CaptainDork]

Interesting connective theory.

Noted, as well, is that chemtrails began to appear only after the invention of radio.

Re:Is there a way to prevent this?

> There has to be a way to prevent this.

Does anyone know if you configure your broswer to send it's own X-UIDH header will verizon overwrite it with their version or let it pass unmolested?

If you can send your own then a simple plugin should be able to randomize it for every page access.

Re:Is there a way to prevent this?

[Bob9113]

When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.

Wait, we can do worse; how about making enlistment an alternative to a prison sentence for newly convicted criminals? (actually, that sounds so awful, I'm surprised it isn't already in place)

Re:Is there a way to prevent this?

[nazsco]

> Don't use Verizon as your ISP?

How quaint. A foreigner.

well lad, in the US of A, you have the freedom of choosing the ISP that was selected to monopolize your burrough.

Or you can use the one mobile provider that has good coverage in your city instead, if you don't want to use that pre-selected ISP.

Re: Is there a way to prevent this?

Well, they could put a proxy between but you'd get warnings about bad certificates. They could tell you to add theirs as a trusted cert, but at that some point nobody can stop someone else from putting a gun to their own head and pulling the trigger if they are that intent on bypassing the SSL security.

Worse yet, they could preload that cert into the phone's ROM image and not let you remove it.

Re:Is there a way to prevent this?

[SuricouRaven]

The US military currently has too many and too few recruits. Lots of people want in, because when the economy tanks the military is one of the few options left. But most of them fail the entry qualifications, so the number of qualifying recruits is still too low.

Re: Is there a way to prevent this?

Nope.
What is happening is essentially a "man in the middle" attack; the xUIDH header is put on by VzW by the proxy device connecting at the DataCenter.
The proxy is IP transparent, it adds the xUIDH to the outgoing http stream, before the certificate request.
The device is made by Flash Networks - http://www.flashnetworks.com/Monetization-Overview

The clever box does several things, the proxy design reduces the number of over the air connections, a webpage has many connections (to ad servers, to discrete image servers, etc) and the box sends a single image over the air to the device.
It also reduces the image resolution so that you aren't sending pixels and then tossing them out to display it on a tiny screen.
It also has TCP+, a varient that uses different assumptions to speed up the transfer.

Re: Is there a way to prevent this?

[allo]

So, and why wouldn't TLS help there?

Re:Is there a way to prevent this?

[jandar]

In my jurisdiction is altering data (stored or transmitted) without censent a felony. The action of Verizon is hacking and would here be punishable as such.

Re:Is there a way to prevent this?

[Zontar+The+Mindless]

It's been done. I've a friend who got busted at age 19 for selling heroin. The judge gave him the option of enlisting and volunteering for combat duty, or doing hard time in the state pen. He chose the former--which in those days, was effectively getting a ticket to Vietnam.

There's a photo somewhere showing one of the last US helicopters to take off from Saigon in April 1975. In the photo you can a soldier dangling from one of the landing skids. That's my friend.

Re:Is there a way to prevent this?

[tepples]

Still, there is an option to sign up for just the phone plans without wireless data

Are you sure Verizon will even activate voice-only service on a smartphone? AT&T sure won't.

and use wired or satellite ISPs for internet access.

And if the DSL ILEC for your area is also Verizon, too bad.

Re:Is there a way to prevent this?

[Stan92057]

"walk down MLK"
Please ..share.

Re: Is there a way to prevent this?

[allo]

hmm, true. But maybe they will trigger an "unsafe elements" alert in the browser.

Re: Is there a way to prevent this?

[allo]

nope, he's right. Your adversary is the site, not verizon. And the site can make you request non-http stuff, where verizon (which is not the main enemy) injects an id, which can then be read by the site. There is not much protection without using extreme measures like requestpolicy (and not allowing anything using http).

Re: Is there a way to prevent this?

[allo]

you're still not getting the szenario, just as i did not in my first post.

VZW does not want to interfere for this szenario. They interfere with http adding an id and ignore https. The website wants your identification. So they generate a token on the https-site and load image.jpg?token from a http(without s) site. Then they know a token vzw correlation and can assign the same token on your next visit.

Hello supercookies.

Let me be one of the first...

Fucking scumbags.

Maybe the FCC...

Will tell them to go fuck themselves on this, and make them stop...

Re:Maybe the FCC...

[Overzeetop]

If there ever was a +6 Funny, this is the one.

Free market?

[NotInHere]

They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

Re:Free market?

[fox171171]

They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

Except it will be the other way around. Pay more to not be tracked.

Re:Free market?

I think the free market solution would simply be having enough ISPs so that if one pulls stuff like this you can just switch to another. Some sort of "competition". I suggest we find out why there is only one fast ISP per area, and fix that problem.

Re:Free market?

[Charliemopps]

They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

No because they'll quickly value this service at $50 a month to force you into it.

They should not be altering my HTTP requests. It's wiretapping, plane and simple.

Re:Free market?

[Bob9113]

I suggest we find out why there is only one fast ISP per area,

Here's a hint: It's the same reason there is only one electricity provider in most areas. Generally, it is not cost efficient to run multiple sets of wires, but everyone wants electricity.

and fix that problem.

The solution is the same as with electricity. We've tried all the other solutions, many, many, many times over, and we keep coming back to the same small set of best answers; all over the world, in all kinds of cultures and every shade of Western economics.

Re:Free market?

[nazsco]

last time i heard about US ISP/mobile provider shenanigans there was a debate on net neutrality (which the tel cos were wining) arguing that they were not common carriers.

well, that just goes to prove that they are not common carriers. they can even monetize on the service they are already selling you. they don't consider your communication protected in any way.

it is like opening a restaurant and selling your scraps to feed cows. except that they are the only restaurant in town. and after 12sec they take away your plate and consider what is left scrap. oh, and dog bags are forbiden on the contract.

i wonder if the FSF pays verizon to get the IDs from the senate to advertise to them... how would they like it? probably would jail everyone shouting commie. or is that terrorist nowadays?

Re:Free market?

[SuricouRaven]

It's called a natural monopoly. It occurs when the capital cost of entering a market is so high as to render doing to prohibitive for all but the first entry.

Verizon or another of the major ISPs comes first. That means they pay for laying cables, renting mast space, installing equipment and lobbying local government for the appropriate rights. It costs them a fortune, but they can be assured of a return because they'll have 100% of the market - there's no other option for potential customers.

When another ISP comes along, they'd have to pay just as much for cables, equipment and such - but they wouldn't get 100% of the market. They'd have to poach customers from an existing provider, which is a great deal harder than getting unaffiliated customers. There's no realistic way they would turn a profit as a second-comer, so they stay out of that area.

Thus one ISP gets a monopoly.

Re:Free market?

[cgimusic]

But that's the same thing as paying less when you are being tracked.

What did you expect?

[koan]

Everyone was targeting mobile use because that's what the average slob uses, remember Facebook's panic because they couldn't find the right model for mobile?
How many other methods are in use? Who else is using this method? (ATT?)
Are agencies like the NSA doing something similar?

Re:What about Tor?

[NotInHere]

No, unless the exit node uses verizon wireless, too.

Verizon Fios

[gurps_npc]

Does it only apply to Verizon Wireless?

Does anyone know if FIOS internet uses the same system? I don't have a Verizon Wireless account.

Re:Verizon Fios

[cbhacking]

Of course not. It's added to your requests when they reach the ISP gateway. Why would you expect to be able to see them on anything between you and that gateway?

Re:Verizon Fios

[Lawrence_Bird]

Thanks for the pointer. I should have read the hacker news linked in TFA as it was not clear to me whether the header was one way or on both ends of the connection.

HTTPS Everywhere

[watermark]

They can't inject into secure traffic. HTTPS solves this problem too.

Re:HTTPS everywhere

[XanC]

The slashdot objection is that slashdot itself isn't on HTTPS. Come on, guys! Does whoever posted this article not see the need??

Re:HTTPS Everywhere

[Burz]

I intend to use a proxy in addition to HTTPS-E.

Re:HTTPS Everywhere

[Charliemopps]

They can't inject into secure traffic. HTTPS solves this problem too.

Good idea, I just need to figure out what the http address for slashdot is...

Re:HTTPS Everywhere

[cbhacking]

Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ - 302, Location: http://slashdot.org/index2.pl - 302, Location: http://slashdot.org/

I wish I was joking...

Re:HTTPS everywhere

[cbhacking]

No, it's actually much worse than that. Slashdot supports HTTPS just fine. They simply force you back to HTTP (using a redirect *out* of HTTPS whenever you request an HTTPS page)! Total bullshit; there's no legitimate reason for such behavior. Even without dedicated TLS hardware, the overhead of HTTPS is pretty trivial for modern servers.

Re:HTTPS Everywhere

[DoofusOfDeath]

Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ - 302, Location: http://slashdot.org/index2.pl - 302, Location: http://slashdot.org/

I wish I was joking...

Any idea why they do this? Of all the sites to not to https...

Re:HTTPS Everywhere

[Charliemopps]

Educated guess?
The sites made up of custom code written before HTTPS was really all that common. It's such a mess that adding it now would require just as much work as just flat out rewriting the whole site. Last time they tried a site redesigned all the neck beards on here started shooting rocksalt at them and screaming "GET OFF MY LAW!!!"

I suspect this site barely pays for itself. I do not anticipate any large site redesigns ever.

Re:HTTPS Everywhere

[gman003]

Soylent News runs on Slashcode (although a fork of an earlier version, I think). HTTPS works just fine, as does Unicode and probably a few other things broken on Slashdot. No IPv6 yet but I'm sure it's coming. It's all on Github so it would be fairly trivial to merge it in to Slashdot.

Re:HTTPS Everywhere

[cbhacking]

TLS (or lack thereof) is, or at least should be, completely transparent to the Perl-based web application powering the site. In fact, the HTTP request itself doesn't even specify anything about the protocol. The request line has the path and stuff after it, and the Host header has the domain name, but doesn't mention the protocol. The absolute minimum they should do would be to return *exactly* the same content over HTTPS that they do over HTTP for a given request (remember, the HTTP traffic is the same whether it's tunneled through TLS or not).

In fact, I just checked: the site already uses protocol-agnostic URLs. For example:
<a title="" class="read-more" href="//hardware.slashdot.org/story/14/10/24/2320227/microsoft-now-makes-money-from-surface-line-q1-sales-reach-almost-1-billion"><span>Read More</span> </a> (random link off the home page, note the href="//hardware.slashdot..." URL, which doesn't specify HTTP or HTTPS). Your browser handles such URLs by using whatever protocol the page itself was served over.

They wouldn't have to change a damn thing except to remove the stupid rule that redirects users out of HTTPS. That's a pretty damn minor change.

Re:HTTPS Everywhere

[TimTucker]

They can't inject into secure traffic. HTTPS solves this problem too.

For cellular at least, Verizon keeps pretty tight control over what devices they allow on their network. All they would need to do is to start shipping phones with a Verizon root cert installed that can't be removed. Phone trusts the cert, Verizon proxy performs MITM on SSL traffic...

Re:HTTPS Everywhere

[TheGratefulNet]

quite a valid point!

just like you can NEVER trust a windows (or mac or even linux box) that was not setup by you, especially if its a corporate box that was given to you pre-installed.

almost every company of mid-size or larger preinstalled MitM certs for their spying firewalls. they don't tell employees that, but netadmins and sysadmins pretty much all know this.

I work at a large networking company and they didn't tell me WHAT they do or HOW they'd spy on me, but I found out via a friend (in germany) exactly what they are doing. in .de, you have to disclose to the employees a lot more than the US requires you to do, and he relayed the info to me about how our corp laptops come preinstalled with corp spyware. ability to active mic, camera, screen caps, all that bullshit in addition to traffic logging.

I'm a network mgmt guy and when I was out interviewing for jobs (the last few years) almost all of them involved DPI and MitM attacks, even though they tried to explain it away as 'troubleshooting information' and 'for the users benefit'. quite bullshitty but they said it with a straight face, like they believe their own BS.

you guys have to start realizing that corp america is all about privacy invasion; of customers and employees, alike. if you have a corp laptop, do NOT login to your home email systems and keep your work laptops entirely clean of anything personal and home related. yeah, even if you see the lock icon on the browser, it means nothing anymore, in a corp LAN.

Re:HTTPS Everywhere

[Harodotus]

Well I have a free (albeit older) Slashdot account and it doesn't redirect me to http when i follow the https link above.

I think they're just limiting non-logged in access to http, not subscriber (paid) only access.

-Harodotus

Re:HTTPS Everywhere

[_merlin]

Any idea why they do this? Of all the sites to not to https...

CPU load. SSL/TLS greatly increases CPU demands on the server(s). For a high-traffic site that costs real money.

Re:HTTPS Everywhere

[Zontar+The+Mindless]

And people wonder why I buy my own hardware for work, don't use a company-supplied laptop or phone, and always connect to the corporate net using a VM and never from the host OS...

Re:HTTPS Everywhere

[watermark]

There are tons of reports (just google them) of the server side cpu load being minimal to encrypt traffic. My guess is either the load balancing setup they have doesn't support SSL or their 3rd party ad network doesn't.

In general, I think sites don't support https because of a) the extra cost of a cert, b) they don't care, c) the extra cost of a dedicated IP (SNI isn't supported on IE on XP). You can say "screw XP" all you want, but a good 20% still (of at least my traffic) comes from IE on XP.

Re:HTTPS Everywhere

[Cederic]

Soylent News can't even email a password to me. If I want to use their site, it's anonymous or not at all. Fuck 'em.

Re:HTTPS Everywhere

[cbhacking]

a) is already taken care of; they have a signed cert in place and set up.
b) is probably the main reason, but you would think that they would be more wise to what their user demographic wants. (But then, there's beta, so...)
c) is not a valid reason. Leaving aside the fact that IE6 traffic has got to be absolutely miniscule on this site - which serves HTML and CSS than IE6 has no idea how to handle - those people could just go on using HTTP. We're not asking them to mandate HTTPS, just to allow it.

As you say, the server load is pretty trivial. Even if you aren't using the new CPUs with hardware accelerated crypto, the vast majority of the CPU time to serve a web application over HTTPS is spent parsing requests and building pages, not doing crypto... and unless you have really excellent caching, the I/O time to do things like database access dwarfs the CPU time altogether. Using TLS typically imposes less than 5% overhead, often much less.

Re:HTTPS Everywhere

[cbhacking]

Wow, really? That's several kinds of BS, that right there. Neither security nor privacy should cost money.

Also, that's not mentioned on the FAQ under subscriber perks. In fact, the string "https" doesn't occur anywhere on the FAQ at all. Is it documented somewhere else that I just didn't see?

Re:HTTPS Everywhere

[cbhacking]

I'm signed in, have an account that's nearly ten years old (not *as* old as yours, but still six digits), have Excellent karma (and have for years), have tried multiple browsers, and still get redirected every time. I'm not a subscriber, (on any accounts; I only have the one) but if that's the difference, I am pissed.

Re:HTTPS Everywhere

[Burz]

Any idea why they do this? Of all the sites to not to https...

CPU load. SSL/TLS greatly increases CPU demands on the server(s). For a high-traffic site that costs real money.

This is 2014 not 2004; Most servers have CPU's with built-in AES acceleration. Unless the site gets lots of very short-term use from many different users, the impact of server load should be negligible because most of the crypto will be AES and not the initial public key stuff.

Re:HTTPS Everywhere

[Burz]

Then you may like this... http://www.qubes-os.org/

Re: HTTPS Everywhere

[Harodotus]

Hmm interesting. I was a subscriber many years ago before ad and script blocking technology. Maybe my browser (Chrome) and its plug-ins is the cause or perhaps it's something about the legacy status of my account.

HTTPS everywhere

Every person browsing the web today should be using the HTTPS everywhere extension.

To forestall the typical slashdot objection: No, it's not perfect. That doesn't mean it isn't damned useful.

Re:What about Tor?

[watermark]

The first tor hop is encrypted, so no. Technically, if the exit node is on verizon wireless, then it would have the code of exit node, not yours.

Re:which Verizon services

[watermark]

I'm on fios and just checked headers, nothing like this (yet).

Step #6 image is all wrong

[HappyDrgn]

Step #6 image should have been this instead:

https://doodleaday.files.wordpress.com/2012/03/doodle-1016-money-bags.jpg

I think it illustrates whats happening more appropriately...

Re:Step #6 image is all wrong

[Charliemopps]

Step #6 image should have been this instead:

https://doodleaday.files.wordpress.com/2012/03/doodle-1016-money-bags.jpg

I think it illustrates whats happening more appropriately...

Except, it's more like pennies. That's what's hilarious about all this privacy invading nonsense we've been subjected to. It's not valuable. They do not make more money with it. Sure, at first it sounds like a great idea. But the mountains of data it generates quickly become completely useless and you just end up sitting on it all and doing nothing with it. I've dealt with marketing people and seen them install their huge data tracking software packages that they paid fortunes for. Several years later and they just stare at the wall of text the software created blankly.

What I've learned from the data? Most of the sites people visit are by mistake. Out of 10 links visited, 9 were closed within seconds without following another link and the last link was the page with our phone number on it. But all that generated about 100 rows in the table. Multiply that by thousands of customers a day and what do you have? A lot of useless data, that's what. You've no idea which pages they found interesting, dwelled on... were interested in.

Re:Step #6 image is all wrong

[BadPirate]

Appropriate that you share the link HTTPS :)

Wonder if a chaff approach would help

[chefmonkey]

I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

Re:Wonder if a chaff approach would help

[cbhacking]

This plan. I like this plan! Put a random value in the header on every request. If you're not on Verizon, it'll look like you are (but as a different person every time). If you *are* on Verizon, you may just confuse the software that is adding those headers, or that is logging them. Poison their tracking data with meaningless garbage, and make it *cost* Verizon money to try and track us.

Well, that and use HTTPS everywhere possible, of course. But that requires that the sites you use allow people to do so (*AHEM* Slashdot, looking at you...)

Oh, and don't use Verizon. That's the best way to hit them in the pocketbook, by far. I like the idea of sending the header even when you don't use Verizon though, as a general-purpose "fuck you!" to them.

Re:Wonder if a chaff approach would help

It's not going to matter. 1. Hardware is cheap and telcos have been working on scalability during the last century, since way before computing. 2. X-UIDH is only considered valid when coming from Verizon IP range.

Re:Wonder if a chaff approach would help

[Mr.+Sanity]

Since they're the ones adding the header, the client setting the header is futile. Verizon's version will clobber it.

However, if you happen to run some intermediary servers that handle traffic once a backbone layer is crossed, then you can clobber their value.

Re:Wonder if a chaff approach would help

[Burz]

No, not this plan! Since the modified tag is only transmitted from Verizon to advertising sites, Verizon could very easily just strip out all X-UIDH headers coming from you before adding their own.

Re:Wonder if a chaff approach would help

[Rich0]

However, if you happen to run some intermediary servers that handle traffic once a backbone layer is crossed, then you can clobber their value.

I suspect that the only folks who care to do deep packet inspection at that level are the privacy-loving folks at the NSA. :)

Spoof it

Insert 10 random X-UIDH headers in the same place verizon will, randomize them seeded based on the date and device-id (not the time), what could they do?

Re:Spoof it

what could they do?

Log the one that stays the same. Duh.

I prefer chefmonkey's idea.

Could be worse

[pushing-robot]

My router injects a unique identifier into every packet it sends. The manufacturer claims they can't turn it off. Yeah, probably under pressure from the government. But I'm building my own open source router that blanks out everything—MAC, IP, you name it. I'll be invisible to everyone. Take that, Orwellian bastards!

Re:Could be worse

[CaptainDork]

You'll be easily recognizable as the only surfer without fingerprints.

Re:Could be worse

[cbhacking]

Does that unique identifier get passed down all the way to the server you're trying to connect to, even if you go through a proxy server or reset your router? This is significantly worse than MAC or IP addresses.

Re:Could be worse

[SeaFox]

I always find it interesting when people post thing like this and never mention the brand/model of the product so the rest of us can avoid it. It's like we've gotten so worked about lawsuits we censor ourselves now.

Re:How can I set Safari to default to HTTPS?

[jimmifett]

If it does load, that doesn't mean the NSA isn't still spying on you...

Filthy Ingrates

[rogoshen1]

God. it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.

You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.

In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.

And for no charge! And yet, you people still bitch. Absolutely shameful.

Re:Filthy Ingrates

[sconeu]

+1.

The sad part is that some idiots will not see the implied <SARCASM> tags.

Re:Filthy Ingrates

[oodaloop]

My browser doesn't render sarcasm tags properly. It's really annoying.

Re:Filthy Ingrates

[cbhacking]

... I have this sudden urge to write a browser extension. I'm not sure *how* I want it to render <sarcasm> tags, but I think I do want it to do so. Just in case.

Don't use HTTP. Use HTTPS.

[jtara]

Don't want your carrier messing with your traffic?

Use HTTPS.

Hello Vodafone

[wabrandsma]

From: Using Browser Properties for Fingerprinting Purposes.

Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte cyphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in a research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests of explaining this header. Nevertheless, the presence of this header, certainly identifies customers of Vodafone as being customers of Vodafone.

Re:Hello Vodafone

[Pikoro]

Just checked. AT&T does this as well with an x-acr header

Switch carriers

[Ritz_Just_Ritz]

Just another reason not to spend your money with Verizon.

Telling The Story Backwards and Upside Down.

[westlake]

It's safer for a supermodel to walk down MLK in your favorite large city naked than a homely woman to walk from one end of Fort Hood to the other, wearing ACUs after dark. When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.

I have come to the conclusion that anything the geek says about women, rape or the military needs to be fact-checked.

A cash-strapped female soldier told a Fort Hood hearing board Tuesday about how a noncommissioned sexual assault prevention officer on base forced her into a prostitution ring so she could buy groceries for her child.

The private testified against Sgt. 1st Class Gregory McQueen during a proceeding similar to a grand jury hearing. McQueen could face some 21 criminal charges if he is slapped with a military court-martial.

''Basically, it was having sex with higher ranking officers for money," the woman told the board.

The private, who was 20 and struggling as a single mother of a 3-year-old child at the time of the alleged prostitution, was granted immunity in return for her testimony. She told the board how McQueen snapped pics of her naked to distribute to potential clients. The two also had sex so McQueen could see how she would ''act out'' with clients.

McQueen, who has since been relieved from his sexual assault prevention duties, faces charges of pandering, conspiracy, adultery and sexual assault.

Another female private claims McQueen sexually assaulted her when he tried to recruit her into the military sex ring.

That woman told investigators that McQueen ''preys on young females who are in bad financial situations and that he keeps their pictures on his cell phone,'' the Austin American-Statesman reported in December.

Fort Hood sexual assault prevention officer ran on-base prostitution ring: witness [June 3, 2014]

Re:Telling The Story Backwards and Upside Down.

[DamnOregonian]

I have a good friend there right now. There have been 2 attempts on her where she had to physically fight someone off of her, and the first 2 days of reception were sexual assault awareness classes where they're instructed to stay out of the dark and not go anywhere on-base that they're not familiar with or get into any cars they're not familiar with. No shit. On a US army base.

Re:Telling The Story Backwards and Upside Down.

Congratulation You have become the Colonial Redcoats ie. your army is scum but they are YOUR scum.

Keep on worshiping them as heroes.

Re:which Verizon services

[cbhacking]

Where did you check from? You don't see the headers on your end; they're only added at the ISP gateway. Unless you were able to bounce a request off an external web server and see the headers that it *received* - which don't have to be the ones you sent - then you don't know. Oh, and don't use HTTPS for the test, since they obviously can't modify those requests.

Easy to kill this one

[keyvin]

This one is easy, easy, easy to kill. Your headers to the webserver are a copyrighted creative work if you customize them at all. Verizon is creating an unlicensed derivative work. Any legal eagles willing to run with this?

Re:Easy to kill this one

[Harodotus]

Not really. Even if your derivative work idea was valid and could be used to stop Verizon, they would just update their Terms of Service (TOS) to explicitly have you grant them this right and waive any claims.

Frankly, while i haven't checked, is very likely that their existing TOS grants them the right to make any change to your traffic they see fit, so it's likely that any derivative work would fail on it's face based on your existing contract.

Not all web sites offer HTTPS

[tepples]

And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).

Re:Not all web sites offer HTTPS

[Hypotensive]

Just use Tor for those sites.

Re:which Verizon services

[jbmartin6]

I just checked using http://centralops.net/co/ over my Verizon mobile phone and sure enough there is the X-UIDH header. Well, this cements my plan to switch carriers in a month when my contract expires. Any tips on moving to a pay-as-you-go plan that lets me keep my phone number?

Re:which Verizon services

[nazsco]

> Any tips on moving to a pay-as-you-go plan that lets me keep my phone number?

DO NOT cancel your account!

call the new company, say you want to port your number.

the system is F*up... you will have to give the new co your account number AND PASSWORD for the old one. so if it is your SSN as it is by default, change it before if you care (or stop believing that SSN is secret, you are a grow up).

anyway, i cancelled ATT and then ported to TMOBILE. ATT was obliged by law to reactivate my account to complete the transfer... but that didn't hold them against mailing for a NEW 2yr contract and cancelation because i "hired" the service again... costed me a couple calls to short it out since they can't charge you.

anyway, the system sucks. read online and follow the steps. i had lots of headache for not following the dumb non-sense crap.

be a happy sheep. and good luck.

Re:What about Tor?

[GNious]

Run a Tor exit-node on your Verizon network?
That should allow SnR to effectively mask you against tracking.

Spoof it

[flux]

They could remove your headers and add their own.

Just check "Do Not Track" checkbox in browser

[TrollstonButterbeans]

Then problem goes away!

HTTP should be killed long live HTTPS

[PeteBennett]

Even though https isn't perfect as heartbleed and the various TLS bugs have demonstrated, it certainly would help. Perhaps slashdot should consider HTTPS!

Re:RUN TOR

[Zontar+The+Mindless]

that will cure the disease by killing the patient.

TFTFY.

Slashdot redirects HTTPS to HTTP

[tepples]

Anonymous Coward wrote:

Just install HTTPS Everywhere [...] all good sites work.

You appear to call Slashdot not a good site. It redirects all HTTPS hits from non-subscribers to HTTP.

Re:which Verizon services

[watermark]

I'm aware. I used some random site I found on google that displays my sent headers.

Time and money to move to change ISPs

[tepples]

In order to stop being a Verizon customer, someone who requires home or mobile Internet access for his way of life might have to move his family away from territory serviced by Verizon, either as the DSL ILEC or as the only wireless carrier with acceptable coverage. Consensus in comments to previous Slashdot articles is that almost nobody is willing to spend the time and money to move just to change ISPs.

Bury conduit and blow wires later

[tepples]

Ultimately, utility monopolies arise from cities' ownership of their roads. The solution is for a city to bury empty conduits when it repairs the roads, and then competing ISPs can blow their wires through those conduits.

Ads would be mixed content

[tepples]

For all users other than subscribers and karma-capped users who have checked "Disable Advertising", Slashdot is funded by advertisements. Using an HTTP ad network from an HTTPS site would be blocked as mixed content, and HTTPS support among ad networks is very new. AdSense, for example, didn't support HTTPS until September of last year.

Re:Ads would be mixed content

[cbhacking]

While that's at least an understandable argument, I still don't buy it.
1) People who want to block ads - a significant portion of the site - just block them. I don't imagine the intersection of "people bothered by /. being unsecured and
would also block mixed content" and "people who aren't subscribers, Excellent karma, or just using an ad blocker anyhow" is that big.
2) I have Excellent karma and disabled ads. I still can't use HTTPS. That's a really easy thing for them to check, if they wanted to support HTTPS at all (and this was their reason not to).
3) Some ad networks don't support HTTPS (or at least, don't have a valid cert for their domain name because their content all comes from Akamai or similar), but some (as you point out yourself) do.

There really aren't any valid excuses.

HTTP-only ad network

[tepples]

Tell that to the operators of ad networks. If the ad network is HTTP while the rest of the page is HTTPS, it gets blocked as mixed content. That's probably why Slashdot redirects non-subscribers' page views to HTTP.

Re:which Verizon services

[JesseMcDonald]

I just checked using over my Verizon mobile phone and sure enough there is the X-UIDH header.

I just checked with my AT&T mobile phone and found an "x-acr" header which seems to serve much the same purpose, so switching away from Verizon might not help. (The header is not present when accessing the site through a VPN, so it wasn't sent by the browser.)

The content seems to be based on the Anonymous Customer Reference concept promoted by the GSM Alliance.

Re:which Verizon services

[jbmartin6]

T-Mobile doesn't, at least as far as I could tell. Not yet at least.

Very clever of them to create new PII

[laughingskeptic]

Now under the law I believe they are required to protect this information. If the state of California has decided that a Zip code is PII, then this identifier certainly is. Roll the plaintiff's attorneys.

Who does this & how do we find out?

[JIDatiT4C]

I am not a HTTP expert. My protocols are so old you probably won't know them!
- How do I determine if my ISP is doing this? Will Firebug do the job or do I need a protocol sniffer?
- How can we determine which ISPs are doing this?
- How can I challenge my own or possible future ISPs?
It strikes me that the first step is to document this. Will some kind (and expert) soul do this? Perhaps a Wikipedia page? If you don't grok Wikipedia then I (and may others, I am sure) can do the formatting if we have the information - with references.