
This article is more than 1 year old

GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches

Choc Factory to build crypto bridge 'soon'

Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.

The move, described as 'privacy seppuku' by Forbes (@al4), meant that BT customer searches were broadcast in clear text and possibly open to interception.

Customers were told that the network, rather than the Chocolate Factory, "has turned off SSL search", a statement Forbes proved to be false.

Google engineer and security bod Adam Langley in a forum comment confirmed the SSL strip and said it would be removed 'soon'.

"At the moment, yes, no nosslsearch VIP will do this. However we're getting rid of it soon and replacing it with one that enables SafeSearch, but still over HTTPS," Langley said.

"However, if you want an encrypted search option, 'https://encrypted.google.com' is always encrypted and isn't affected by these methods."

Google and BT have been contacted for comment.

Forbes speculated in a blog detailing the SSL strip that BT may have removed the security measure to facilitate content filtering for kids or 'more likely' for data mining.

"It's reasonable to expect that BT knows the location of every BT WiFi router within 10 to 15 metres, because it has a home address for every one of them," Forbes said.

"... knowing what is searched by location is a marketing gold mine."

A curl request examining whether public DNS could get around the security gap demonstrated that Google was redirecting users to unsecured HTTP through a 302 Found response.
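The check described above can be scripted. The following is an added example, not code from Forbes's blog or this article: a shell function that reads response headers (such as those printed by `curl -sI` for an HTTPS URL) and flags a redirect whose Location drops to plain `http://`. The function names, sample headers and the `search.example` host are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify response headers fetched over HTTPS and flag an
# HTTPS -> HTTP downgrade redirect. Live use (assumes curl is installed):
#   curl -sI https://<host>/ | classify_redirect

# Constructed sample headers (hypothetical host, not captured traffic).
sample_downgrade() {
  printf 'HTTP/1.1 302 Found\r\nLocation: http://search.example/\r\nContent-Length: 0\r\n\r\n'
}
sample_secure() {
  printf 'HTTP/1.1 302 Found\r\nlocation: https://search.example/uk\r\n\r\n'
}
sample_ok() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

# Reads one header block on stdin and prints one of:
#   "downgrade <url>"  3xx redirect to an http:// URL
#   "redirect <url>"   3xx redirect that stays on https or is relative
#   "no-redirect"      anything else
classify_redirect() {
  tr -d '\r' | awk '
    NR == 1 { status = $2; next }             # status line, e.g. HTTP/1.1 302 Found
    /^$/    { exit }                          # blank line ends the header block
    tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
    END {
      if (status !~ /^3[0-9][0-9]$/ || loc == "") print "no-redirect"
      else if (tolower(loc) ~ /^http:\/\//)       print "downgrade " loc
      else                                        print "redirect " loc
    }'
}

# Run the three constructed cases.
for s in sample_downgrade sample_secure sample_ok; do
  printf '%s: %s\n' "$s" "$($s | classify_redirect)"
done
```

A relative Location value is reported as an ordinary redirect because it stays on the scheme of the original request.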

"What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK -- one that exchanges the privacy of my searches for BT and Google's commercial gain," Forbes said.

"Duckduckgo it is then." ®

 
