Forgot your password?
typodupeerror
Privacy Google Security Yahoo! Your Rights Online

Widespread Hijacking of Search Traffic In the US 194

Posted by Soulskill
from the par-for-the-course dept.
Peter Eckersley writes "The Netalyzr research project from the ICSI networking group has discovered that on a number of U.S. ISPs' networks, search traffic for Bing, Yahoo! and sometimes Google is being redirected to proxy servers operated by a company called Paxfire. In addition to posing a grave privacy problem, this server impersonation is being used to redirect certain searches away from the user's chosen search engine and to affiliate marketing programs instead. Further analysis is available in a post at the EFF."
This discussion has been archived. No new comments can be posted.

Widespread Hijacking of Search Traffic In the US

Comments Filter:
  • Use HTTPS (Score:5, Informative)

    by mrogers (85392) on Friday August 05, 2011 @08:55AM (#36995768)
    Another good reason to install HTTPS Everywhere [eff.org], a browser extension that will redirect your Google searches to the HTTPS version of the site. By checking the certificate presented by the server, your browser can then be sure that it's talking directly to Google. (HTTPS Everywhere also works for a lot of other popular sites.)

    Or, if you don't like Google, use DuckDuckGo [duckduckgo.com], which uses HTTPS by default with no need for a browser extension.

    • Re:Use HTTPS (Score:5, Interesting)

      by Gaygirlie (1657131) <gaygirlie@hotmail. c o m> on Friday August 05, 2011 @09:04AM (#36995826) Homepage

      I too have to recommend HTTPS everywhere, it's a great addon and makes it a lot safer to e.g. Surf the web over an unencrypted WIFI hotspot. And so far I haven't actually had a single glitch because of it.

      • Re:Use HTTPS (Score:4, Informative)

        by arth1 (260657) on Friday August 05, 2011 @09:29AM (#36996028) Homepage Journal

        Sure, there are benefits, but as always, TANSTAAFL.

        - https does incur overhead and higher CPU usage on both ends, so it will be slower.
        - I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)
        - Some sites serve different content on the http and https sites.
        - A few even redirects the https to http (to save themselves cycles and bandwidth, while not losing the visitor).

        • by silanea (1241518) on Friday August 05, 2011 @09:36AM (#36996086)

          - https does incur overhead and higher CPU usage on both ends, so it will be slower.

          Firstly, this overhead is manageable. You do not have to be Google to run all your content over HTTPS. Secondly, apparently encrypting every single connection is a necessity of the times to prevent assholes from hijacking traffic, so that overhead is simply the necessary cost of interacting safely over the Internet.

          - - I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)

          I do not know a single person who runs a proxy at home.

          - - Some sites serve different content on the http and https sites. - A few even redirects the https to http (to save themselves cycles and bandwidth, while not losing the visitor).

          You can disable individual rules. Over time those websites will have to stop doing those things or they will lose visitors.

          • by PNutts (199112) on Friday August 05, 2011 @09:57AM (#36996274)

            I do not know a single person who runs a proxy at home.

            You should get out more, or stay in more. I'm not sure which one applies here.

          • You do not have to be Google to run all your content over HTTPS.

            But you do pay more per month for hosting if you run your hobby site on HTTPS. Name-based virtual hosting of HTTPS sites requires SNI, but Internet Explorer on Windows XP doesn't support SNI, nor does Android 2.x. So until IE on XP passes out of use and Android 4 (Ice Cream Sandwich) has been out for a couple years, HTTPS will still need a dedicated IPv4 address per certificate, which in practice means per domain. And now that all the /8 blocks are used up, hosting providers such as Go Daddy have started to

          • by Larryish (1215510)

            Now you know of at least one.

            Privoxy blocks things that Adblock misses.

            • I use a proxy for blocking too, as it allows centralised managment of blocking rather than having to deal with software on five laptops, two mobile phones and a tablet.
          • by arth1 (260657)

            Over time those websites will have to stop doing those things or they will lose visitors.

            Like google, you mean? Their https://www.google.com/ [google.com] is a redirect to a site with less functionality than http://www.google.com/ [google.com]
            I bet they are bleeding visitors right and left over that one...

          • by whoever57 (658626)

            I do not know a single person who runs a proxy at home.

            I do, and I use it to block both certain sites (advertising and tracking networks) and headers (referrer header is blocked, with a list of exceptions for sites that won't work without it).

        • by Joce640k (829181)

          https does incur overhead and higher CPU usage on both ends, so it will be slower.

          Yeah, my quad-core really bogs down when I use https on a connection which can transfer as much as a few hundred kbytes per second..

        • come on, this is /., surely I'm not the only one with a proxy array at home?

          You on dial-up or something? I just let my browser cache do the work (RAM cache only, I always disable disk caching to defeat Evercookies).

          • by arth1 (260657)

            You on dial-up or something? I just let my browser cache do the work (RAM cache only, I always disable disk caching to defeat Evercookies).

            No, load balanced Cable+DSL.
            According to my local statistics, it saves around 20% bandwidth and increases page load speed around 30% (this is higher because there's a lot of tiny requests going back and forth to servers, where latency is the killer, not the bandwidth). That's significant. And it's also an average - for certain sites, the benefits are much larger.

            There are some immediate benefits too, like when someone else in the household IMs me a link, and it pops up instantaneously because all the elem

            • by BitZtream (692029)

              Do you have browser caching turned off or something or do you just browse so freaking much your browser cache is overflowing regularly.

              You're right on automatic updates, but being that you can just schedule them for a time when your lines aren't busy, which seems a whole lot simpler than setting up a proxy.

              I find your numbers suspect. Perhaps in a large enough household, with a bunch of facebook users or something where you guys visit the same set of sites, but in my house, which is small with only 2 perm

        • by Qzukk (229616)

          - I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)

          This is slashdot, those of us with proxies at home can make them work with https if we wanted them to.

        • by BitZtream (692029)

          - I will defeat most of the benefits of running local caching proxy servers (come on, this is /., surely I'm not the only one with a proxy array at home?)

          I think you'll find the percentage pretty low, the only people who do it really are those with more time than money, as in most cases it offers very little benefit.

          My browser caches pretty well on its own, there are 2 people in my house, me and my wife. We view pretty much 0 related content on the web with the exception of photos ... which are served locally anyway. A cache proxy is going to get almost 0 cache hits in normal usage, except for that one time when I happen to look at an old reference manual

          • by bedouin (248624)

            Running a cache proxy at home is something you do when you don't have a real job and want to futz around in your free time, maybe learn about it so you can use it at a job and make yourself more valuable.

            If you have one machine running as a home server, it's trivial. My box handles a plethora of little tasks that can be centralized: file server, web server, torrent box, machine to run Linux X11 apps from in OS X or even iOS, web cache, home DNS and forwarding, BOINC, backup server . . .

            The rest of us however, don't have time to set it up

            sudo apt-get install squid

            Make a few changes to squid.conf and you're done. You might not find it worthwhile, but others who're already running a little home server might as well.

      • by Hatta (162192)

        HTTPS Everywhere only works with sites that support HTTPS. If you want to really be safe on WIFI* use a VPN, or set up a quick socks proxy with 'ssh -D'.

        *notice that even encrypted WIFI isn't safe. Anyone with access to the encrypted network can eavesdrop on your packets

    • And how long will using HTTPS pevent this? Damn near every security measure except unplugging the network cable has been defeated or made useless.
      • Assuming you have a browser capable of secure renegotiation (not IE on XP or older), your ISP would have to set up a certificate authority and someone would have to add the certificates into your browsers to bypass the giant red warnings.

      • They could do an SSL MITM attack, I doubt their buddies in the government would mind, but to prevent that you could use Perspectives. [perspectives-project.org]

        • I don't see how Perspectives will help if the MITM is located in the hosting provider or its upstream ISP.
          • Well assuming the ISP hasn't set up a set of fake Perspectives project pages to serve you a tampered version to give false negative results, notary servers in other locations around the world (which you connect to using encryption keys already included in the Perspecives plugin) should see a different certificate, raising a warning.

            • by tepples (727027)

              notary servers in other locations around the world (which you connect to using encryption keys already included in the Perspecives plugin) should see a different certificate

              A web server at a hosting provider has only one connection to the Internet, namely through the hosting provider's upstream ISP. So all notary servers outside the upstream ISP's own network would see the web server through this upstream ISP, including any MITMs that the upstream ISP has installed.

    • by avatar4d (192234)
      For users of Chrome, you can change your default Google search to use HTTPS by following the instructions here [google.com]
    • by erroneus (253617)

      Either that or get these jackasses to respect Network neutrality before the law requires them to.

      So now that we can see that ISPs everywhere are interested in hijacking and intercepting your traffic for their profit (and you thought you were paying them to just give you a connection to the internet) are all those people out there on Slashdot still saying we don't need any network neutrality laws?

      We live in a capitalist society and their aim it to make money in every way they can. Respect for their customer

      • by TheLink (130905)
        Wait this is only a network neutrality problem? If I did this to someone else wouldn't it be a computer crime?

        I suppose it's like when Sony rootkits everybody it's just an embarrassment that they are caught doing it, but when I rootkit even one person it's a computer crime?
        • by erroneus (253617)

          If there were a criminal investigation, it would end with the privacy agreement between the subscriber and the provider in the clause that says "subject to change without notice."

          If someone else did it, it would be a crime because it would be intrusion on someone else's network.

    • by Stellian (673475)

      Another good reason to install HTTPS Everywhere

      I would also actually run a HTTPS server everywhere if I didn't have to deal with the certificate mafia, and if major browsers would silently accept self-signed without drowning the user in a storm of "RUN FOREST, RUN !!!" messages. This is currently pretty tricky to do on the browser side without opening PayPal to attack (cache the sites that use real certs ? have a hardcoded master list for first connect ?). But it would be very nice if I could publish a flag in DNSSEC that could say "This is my certifica

      • by BitZtream (692029)

        , and if major browsers would silently accept self-signed without drowning the user in a storm of "RUN FOREST, RUN !!!" messages.

        Just a hint, every time you say that, it makes it very clear that you have absolutely no idea how SSL works. SSL with unverified certificates is absolutely useless, which means blindly accepting it and pretending its okay is a lie of omission to the user, its basically snake oil instead of something useful.

        At the very minimum, the user has to be prompted to verify the unknown certificate. You must make the wording here strong enough that people GET that its a dangerous decision. You setup a site with a s

    • by dachshund (300733)

      Or, if you're a browser that doesn't support it, just set your default search engine to https://encrypted.google.com/#q= [google.com] followed by the query string.

    • by BitZtream (692029)

      I tried, but when I clicked install it gave me a completely useless firefox extension. Its completely useless because I, and well, the majority of the web users, do not use firefox. Now I realize that of the 5 big ones, my prefered browser is second to last with only 2 or 3% usage according to w3schools, but nothing for Chrome or IE either? Not even a 'go get it from your built in extension source'? Seriously?

      Firefox is the new IE, people went retarded and code shit for firefox rather than remembering t

      • by bedouin (248624)

        I had to build my own Safari version. There are some issues that prevent the EFF from standing behind an official binary; you've probably encountered info about it by this point.

        Here is a link to my build, if you're willing to trust me:

        http://tinyurl.com/6dul8vr [tinyurl.com]

    • by Dan667 (564390)
      https://encrypted.google.com/ [google.com] works if you use the url directly.
    • For Chrome users, see KB SSL Enforcer [google.com].
  • Site slashdotted in under 5 minutes.

  • ISPs (Score:5, Informative)

    by Jaysyn (203771) <jaysyn+slashdot@noSpAm.gmail.com> on Friday August 05, 2011 @09:09AM (#36995854) Homepage Journal

    Here is a list of the ISPs mentioned in the article:

    Cavalier
    Cincinnati Bell
    Cogent
    Frontier
    Hughes
    IBBS
    Insight Broadband
    Megapath
    Paetec
    RCN
    Wide Open West
    XO Communication

    • by Kreigaffe (765218)

      No Comcast? No Cox? Heck, none of the big evil corps? I am... everything I learned on /. is wrong! My world has been thrown askew!

  • As I can't RTFA I do wonder if this explains some of the strangeness I see in doing searches between by work machine and my home machine. This really shouldn't surprise anyone as ISPs have been know to redirect DNS look up failures.
    • After the new scientist link finally loaded it does appear that this is indeed the case as one of the listed ISPs is my home ISP (Frontier). Now if only I could vote with my dollars and switch to a different ISP that hasn't done this (Charter is my other option and they "claim" to have stopped).
      • Re:I wonder (Score:5, Informative)

        by number11 (129686) on Friday August 05, 2011 @10:29AM (#36996562)

        Now if only I could vote with my dollars and switch to a different ISP that hasn't done this (Charter is my other option and they "claim" to have stopped).

        Why not simply plug in a different DNS instead of using their crappy one?
        Google 8.8.8.8, 8.8.4.4
        OpenDNS 208.67.222.222, 208.67.220.220
        Verizon 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6 (since these are all same subnet, don't use for both primary and secondary)

        You can use Google Namebench [google.com] to compare DNS speeds.

        • by BitZtream (692029)

          OpenDNS does the same thing you tool, they at least tell you about it, but none the less, they do the exact same thing.

    • by lee1 (219161)
      If the strangeness is you getting different results from different computers, it could be due to this [lee-phillips.org].
  • by Anonymous Coward on Friday August 05, 2011 @09:16AM (#36995900)

    ... that's a fucking computer crime.

  • For once Comcast does good as my local ISP. All it does is hijack the page if the DNS doesn't resolve and then puts up its own results of what it thinks the domain should be.
    • Any time my ISP does that I add the returned search site to my etc/hosts file so it will never load again as Frontier seems to like to send you to crappy search pages
    • by X0563511 (793323)

      This is available [google.com] should you wish to stop even that behavior.

      • by Skapare (16644)

        And of course Comcast would never hijack the 8.8.8.8 and 8.8.4.4 name servers by rerouting those IPs to its own name server.

      • by Bucc5062 (856482)

        Okay, I read through the information as went so far as to set up my laptop to use the Google public server. What's the catch? I read their write-ups about security, but frankly, I'm not a network guy and had eyes glazing fast.

        If the end result is that by using 8.8.8.8 I am blocking the ability for an ISP to spoof or redirect my searches, then mission accomplished, but TANSTAAFL! What does Google get from providing this service? Better ads dollars?

        • by X0563511 (793323)

          Okay, I read through the information as went so far as to set up my laptop to use the Google public server. What's the catch? I read their write-ups about security, but frankly, I'm not a network guy and had eyes glazing fast.

          If the end result is that by using 8.8.8.8 I am blocking the ability for an ISP to spoof or redirect my searches, then mission accomplished, but TANSTAAFL! What does Google get [google.com] from providing this service? Better ads dollars [google.com]?

          These questions are answered in the FAQ. I linked them above in your quote.

          Unless they are outright lying, this is one of those projects they do "For the Good of the Community"

          Now, since DNS is a cleartext protocol, there's no technical reason why your ISP cannot interfere with this if they wish to. This said, doing so is more involved than simply tinkering with their own DNS servers, and this gets into a grey area legally.

          Before, they were simply altering the behavior of their DNS systems, which you reques

          • by nabsltd (1313397)

            If they were to alter your requests to, say, 8.8.8.8, then they would be deliberately violating their common-carrier status and exposing themselves to all kinds of lawyer-bait.

            ISPs are not common carriers [wikipedia.org], and this sort of level of proxying happens all the time. In particular, many ISPs re-direct all outgoing connections to port 25 to their own mail server, and similarly all connections to port 53 (DNS) are sent to their own DNS server. It's not that they are "altering requests to 8.8.8.8", but rather they are altering requests to particular ports.

            Also, almost every ISP blocks incoming requests to well-known "server" ports for their non-business customers. If "altering reques

    • by Skapare (16644)

      I just tested Comcast's DNS lookup. They are redirecting SLDs that get NXDOMAIN from the TLD server. However, for hostnames within registered and working SLDs, they are redirecting SOME of those, as well. In particular my test for a couple of my own domains shows that for .net they are not doing 3rd level name redirection, but for .us they are. IMHO, the 3rd level redirection is bad.

  • by Bob the Super Hamste (1152367) on Friday August 05, 2011 @09:18AM (#36995924) Homepage
    For those of you wondering what ISPs are doing this the New Scientist article has it:

    List of ISPs that are redirecting some search queries

    Cavalier
    Cincinnati Bell
    Cogent
    Frontier
    Hughes
    IBBS
    Insight Broadband
    Megapath
    Paetec
    RCN
    Wide Open West
    XO Communication

    Charter and Iowa Telecom were observed to be redirecting search terms, but have since ceased doing so. Iowa Telecom stopped its redirection between July and September 2010, and Charter stopped in March 2011.

  • anyway thats not a bad idea. In that case also an hijacked machine withing you own network plays a lesser role.

    • Make double-sure that your VPN also tunnels the DNS requests, by checking the configuration and/or by using TCPdump. EG, its pretty easy to accidentally set-up firefox through an SSH tunnel in a way where the DNS requests don't pass through the tunnel.

  • by nweaver (113078) on Friday August 05, 2011 @09:35AM (#36996084) Homepage

    I am one of the Netalyzr developers involved in this work. I or my colleagues will answer questions in this thread, but I may be offline for a little while so responses may be somewhat delayed at times.

    • Is there some easy way we can check for this, such as with a curl or wget command line script? A great way to defeat this practice would be to notify the businesses that are needlessly paying commissions out even though they are the first result.

    • by PineGreen (446635)

      How much does the use of neutral (for example google's) DNS services rather than default ISP's DNS help?

      • by nweaver (113078)

        They do NOT intercept DNS that's not directed to the ISP's resolvers, thus using Google Public DNS allows you to avoid this redirection completely if you are affected.

    • by whoever57 (658626)
      What are the gifs it tries to download? My proxy apparently blocked a gif file from being downloaded, but the only recent records of denied requests in my squid log file referred to google-analytics.com
      • by nweaver (113078)

        We don't do GIFs except for ones on the web page, there are test JPG downloads however, which check for caching.

        We also fetch a .exe, a .torrent, a .mp3 file, and a "virus" (the benign EICAR test file which AV systems detect as a virus so you can check AV operation safely).

  • Ok, I know this is just DNS and not some network-level hijacking, but crap like this is exactly why we need net neutrality. Capitalizing on customers' traffic by redirecting their searches (or otherwise interfering with customers' activities) is type of behavior net neutrality activists have claimed will happen for a long time, and that ISPs have claimed will never happen. Odd that the big players aren't the culprits for once (they're probably scared of regulation after the bittorrent scandal [slashdot.org]), but I'm sure
    • by BitZtream (692029)

      Ok, I know this is just DNS and not some network-level hijacking

      Thats irrelevant. ANY UNAUTHORIZED access to computer systems or data is illegal under federal law. You can thank Kevin Mitnick and DEC (May have my companies wrong) for that. Shortly after that whole event laws were enacted that basically made it so you need explicit permission to even VIEW someones data let alone manipulate it.

      This sort of tampering, to me fits squarely as a violation of that law. I authorize them to look at the IP headers only for routing purposes, I grant no authorization for any m

  • by macraig (621737) <(mark.a.craig) (at) (gmail.com)> on Friday August 05, 2011 @10:38AM (#36996676)

    "... additional revenue through advertising based on mistyped URLs."

    This is why perfect spelling is so important.

  • Its not like its new, anyone using OpenDNS has been subjected to this bullshit since day one. And for some reasons unknown to me, half of the slashdot user base still thinks opendns is a god send. The same people who were bitching like crazy when Network Solutions started returning itself instead of NXDOMAIN for missing names, everyone was ranting about how OpenDNS is the way to go ... ignoring the fact that they do exactly the same thing ... and its a feature. Idiots.

"Life, loathe it or ignore it, you can't like it." -- Marvin the paranoid android

Working...