GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches

Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found. The move described as 'privacy seppuku' by Forbes (@al4) meant that BT customer searches were broadcast in clear text and …

  1. Anonymous Coward

    And...

    Do people still think Google and all the other major players in IT are doing anything besides destroying privacy for commercial gain?

    In fact, does TheRegister have a contract with Microsoft?!?!? Who's reading my posts! (If it's anyone but Ballmer, we'll have words!)

    1. P. Lee
      Terminator

      Re: And...

      The question is, why was google stripping SSL for BT? Google already has your search data.

      Was there a deal between BT and Google? Is BT under political pressure to arrange things to allow dragnet surveillance?

      1. Message From A Self-Destructing Turnip

        Re: And...

        The answer is in the article, Google has your search data, BT has your location.

        Search data + Location = Profit

        More worrying, and not mentioned in the article, is the fact that BT also knows your name and address.

        1. Suricou Raven

          Re: And...

          Also, google image search is the greatest advancement in the field of pornography since the invention of the portable camera. BT runs a filter, they might be disabling the encryption as part of the process of forcing safesearch on.

        2. Indolent Wretch

          Re: And...

          How's that different to any other ISP?

          1. Anonymous Custard
            Big Brother

            Re: And...

            > How's that different to any other ISP?

            They got caught doing it?

    2. Allan George Dyer
      Facepalm

      Re: And...

      "Who's reading my posts! (If it's anyone but Ballmer, we'll have words!)"

      Uhh... I read that post, sorry. But, if you tell me what you don't want me to know, I promise to try to forget it.

  2. Mark 85

    Ah...

    So they strip the security/privacy but it works if you use theirs. Hmm.... fox + keys + henhouse = dinner.

  3. Anonymous Coward

    "What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK -- one that exchanges the privacy of my searches for BT and Google's commercial gain"

    While BT doing this is utterly unsurprising, I'd have thought Google would be reluctant to share the data they purloin and more particularly risk the reputation they've tried to foster since the Snowden leaks for keeping search data secure from others, even if they roger it senseless themselves.

    Google's approach to the PR of privacy, as it were, is to mine the crap out of your data, but to studiously say nothing at all about what they're doing in anything but the sketchiest of detail. It works to a point with those who don't pay too much attention; they may make the average punter's skin crawl, but they don't antagonise with the bellicose rhetoric some companies use that more or less amounts to 'your data is our right'. It helps that they're not responsible for visibly irritating stuff like cascades of marketing crap through the letterbox or in the inbox.

    That said, their usual undoing is getting caught out doing something dodgy, as here, but I can't imagine the money from any deal with Satan's Own WiFi Provider is really worth the flak.

    1. Anonymous Coward

      I agree this article just doesn't ring true. BT have a history of doing quasi-legal acts (Phorm, anyone?) to their subscribers but Google encrypted searches by default for everyone without any pressure to do so.

      Bing and most others don't.

      By encrypting their searches it now meant that no-one using analytics could now check which keywords people were using to hit their site which was also an incentive to buy adwords for key terms which didn't arrive at your site but you couldn't (didn't want to) SEO in.

      I would actually be surprised if Google and BT had done a deal.

      1. Jim 59

        > By encrypting their searches it now meant that no-one using analytics could now check which keywords people were using to hit their site which was also an incentive to buy adwords for key terms which didn't arrive at your site but you couldn't (didn't want to) SEO in.

        I think Google removed referral information long ago, in flagrant breach of internet protocols. Click on a google search term and it doesn't go straight to the page, it first goes to Google's internal harvesting site, then a moment later to the target. You can see it flash up quickly at the bottom of the Firefox window. In summary, they strip the info to prevent web masters from using it, which slows down the search experience for the user, and pressurizes content owners to use Google's own analytic tools.

        1. Anonymous Coward

          @Jim 59

          That's all mistaken. They don't remove the referrer, it is just that referrers aren't sent (usually) from SSL to non-SSL sites (IETF RFC 7321: "A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol."). If you force the use of non-SSL searches the referrer and therefore keywords are still there. Google can't "remove the referrer" as it is the client that accesses the page not the server, apart from when using Chrome where they could manufacture it not to have that feature, but that would open a whole can of worms for no good reason.

          The reason, when you click a link, it goes to Google first is to record that you've clicked that link, it's always done that. Google use this information for many purposes (including, probably, building up your Google profile) but mainly for optimising their results for showing which are the most popular sites for given search terms and adjusting their rankings accordingly. They've always done this in recent times.

          It doesn't pressurise the webmaster to use Google's tools because the referrer is not available via Google analytics either. Search terms are only available if you use PPC, to see which ads work or don't on which terms.

          1. Anonymous Custard

            Re: @Jim 59

            And it also means if you press the browser back button you end up at the second Google page rather than the original search, which promptly sends you back to the original page that you just left rather than back to the search results page.

            It's one of the most fecking annoying parts of using Google for searching unless you consciously open your selection in a new tab and so keep the original search results page available in the original tab.

  4. Jim Cosser

    I agree with AC, Google don't shove the data they gather in your face.

    It's a smart move but at some point a drive for profits will cause Google to play the cards they so carefully gather in a more overt way. I think if/when they overstep the mark people will finally think about the broad amount of data they are gathering and that may drive some competition in the search space again.

    1. RyokuMas
      Devil

      Behind closed doors...

      "Google don't shove the data they gather in your face."

      So what exactly do they do with it?

      Let's face it - thanks to analytics, it's practically impossible for the average Joe to surf the web without Google mining data. Same with emails, if anyone you know has a gmail account. And I dread to think what data-gathering goes on under the hood of Android...

      Suffice to say that Google has probably gathered enough data to be able to ruin anyone in the western world, from an individual to a large company - probably largely without said person/organisation's knowledge.

      I can live with a few targeted adverts - so long as I have a cast-iron assurance that that's all my data is being used for...

  5. big_D Silver badge

    Don't be evil

    Google are following their corporate motto, don't be evil (to their customers and partners), unfortunately you and me, the normal users, are their product, not their customers.

    1. foo_bar_baz

      Re: Don't be evil

      That motto has been quietly forgotten. Now it's about being as close to the "creepy line" as possible, but not quite crossing it. They are public about it, so I guess at least they are honest.

      http://www.buzzfeed.com/charliewarzel/how-google-leapfrogged-the-creepy-line

      http://creepyline.com/

  6. Andrew Jones 2

    I'd imagine it probably is actually for the safesearch setting - the pfSense box we have in the internet cafe has the same issue - the only way to force safesearch to always be active at the moment is to force DNS for the Google domain to point to the nossl address. Otherwise pfSense cannot add the details that force the request to enforce safesearch.

    1. Anonymous Coward

      Quite. This is just BT trying to stop "their" public hotspots being used to search for naughty things by using Google's SafeSearch facility, which as Google openly say doesn't work over https. You may not think that Google should give network admins the ability to force search result filtering on users (originally intended for schools and the like), but all the "selling your location data" stuff in that article is nonsense.

    2. Anonymous Coward

      I can confirm that Blue Coat's K9 does the same thing, if you don't change https to http for Google image search, it can't be locked to filter content.

    3. Charlie Clark Silver badge

      Damn, a plausible explanation that isn't a conspiracy theory!

    4. Jamie Kitson

      > the only way to force safesearch to always be active at the moment is to force DNS for the Google domain to point to the nossl address.

      Not according to option 3 here: https://support.google.com/websearch/answer/186669

  7. Anonymous Coward
    Thumb Down

    Trust? What's that then?

    From what I can tell, nosslsearch was being used by BT as far back as 2013 to turn off HTTPS. That was bad enough, but the issue was between BT and its fodder.

    Now we have Google directly getting into it and providing a privacy-removing service to BT, making the statement "the network has turned off SSL Search" on Google's search page a bare-faced lie.

    I don't trust Google - never have - but this is way beyond anything I might have imagined of them.

  8. nematoad

    There are ways round.

    If you look there are ways and services to minimise this problem.

    1) Use Duckduckgo as stated in the article.

    2) If you are a Firefox or Palemoon (http://www.palemoon.org/) user there are a lot of add-ons like Noscript, Ghostery, PrivacyBadger and so on to help get rid of trackers, analytics etc.

    3) Look for an alternative ISP. There are lists of ISPs rated for their ethical standards available so all is not lost.

    A little digging will give you lots of ways round this prying. It's up to you if you think it's worth doing. I know I have done all of the above with little effort or expense.

  9. TheWeddingPhotographer

    Like opening your mail

    I expect my ISP to just handle my traffic, not read it, nor report back to company whose service I am using.

    If my aunt sends me a letter, it is of no concern to the postal service, what my address is, or what my aunt's address is, nor the contents of the letter. They are simply expected to deliver it.

    1. A J Stiles
      Holmes

      Re: Like opening your mail

      Back in the days when the postal service was set up, yes, you wouldn't have expected them to read the mail they were supposed to be delivering.

      But things have changed.

      If they were setting up the postal service nowadays, it would be free to post a letter anywhere in the world; but they would reserve the right to read your mail and insert advertisements. Because that's the way the world works now: The new postal service exists for the purpose of displaying advertisements, and the delivery of letters and parcels is just a serendipitous side-effect. All services nowadays are just means to an end, and that end is Targeted Advertising. Marketing departments want to be able to show you advertisements that are likely to match something you were already going to buy anyway, so they can pretend to their paying customers that they successfully persuaded you to buy it. And in order to do this, they need to gather as much information as possible about you.

      Of course, the cost of all this advertising is added to the price you end up paying for the product .....

      1. John 62

        Re: Like opening your mail

        If you read Simon Garfield's lovely book To The Letter, you'll find out that the various postal services around the world have always been very keen to open people's mail. The difference now is the sheer volume of post makes it very difficult for them to do it except on a very targeted basis.

        1. keith_w

          Re: Like opening your mail

          What? The postal service is going to read the 44 advertisements and 1 bill I received in the mail this week?

  10. Anonymous Coward

    I take the same doesn't happen

    With DuckDuckGo? Perhaps the solution is not to use Google?

    1. RyokuMas
      Stop

      Re: I take the same doesn't happen

      "Perhaps the solution is not to use Google?"

      Find me websites that offer the products/service I need without implementing Google tracking/analytics etc. and I'll use them.

      1. Anonymous Coward

        Re: I take the same doesn't happen

        > Find me websites that offer the products/service I need without implementing Google tracking/analytics etc. and I'll use them.

        You make a very relevant point, but one could take "not using Google" to mean using Ghostery / AdBlock to block the analytics and other tracking stuff (to the extent that this is possible. Let us not forget about seemingly innocuous¹ things like WebFonts, jQuery caches, etc.)

        ¹ That took me a few attempts to spell correctly. :-(

      2. werdsmith Silver badge

        Re: I take the same doesn't happen

        I think if the BT customer crowd got together and ran some kind of browser add on that routinely submitted random BS pointless searches in the background then they could properly skew their mining and analytics to a point where it would be useless.

      3. Anonymous Coward

        Re: I take the same doesn't happen

        "Find me websites that offer the products/service I need without implementing Google tracking/analytics etc. and I'll use them."

        Indeed. I started using NoScript in anger only fairly recently, and was somewhat taken aback when discovering how many sites run scripts on various google subdomains, particularly google-analytics.

        Fortunately most sites still function normally with these subdomains blocked, but I've come across one or two which break badly enough to be non functional. Has made me question whether I want to continue dealing with such sites if they want to involve Google so deeply.

        This has also opened my eyes to the many site handovers involved in online payments! I had expected a transaction to only involve inter-operation between the vendor site and the payments processor ... WRONG! ... some involve three or four other domains in addition to the two I think I'm dealing with.

    2. Spasticus Autisticus

      Re: I take the same doesn't happen

      All systems I set up now get startpage.com/uk as the home page and default search, along with adblock plus and ghostery. I use noscript on my system too but it's a bit keen for normies to cope with.

  11. POPE Mad Mitch

    TFA clearly says this is a 'nosslsearch VIP' issue, this is not Google being sneaky or underhanded in any way, this is the provider (BT) redirecting all normal searches to Google's 'nossl' service instead. This service exists so that places that really need to filter their content (eg schools) can do so by making sure search results aren't hidden from them by ssl encryption.

    1. Anonymous Coward

      I get the purpose and use of 'nosslsearch', but the point raised in the blog which is the basis for this article is that he discovered that 'nosslsearch' wasn't the mechanism being used.

      Rather, he discovered that the redirect was initiated directly by the google servers using a different mechanism. It's that point that makes the statement (that the network has turned off https) a lie.

    2. James R Grinter

      Back in July they (BT) were also breaking Google drive, with their meddling of google.com

  12. Anonymous Coward

    Clarification Needed Please

    Do I understand correctly that if I am on the affected network and I type "https://google.com/" in my browser's URL bar, it will 302 me to "http://google.com/"?

    That would be pretty vile if that were so, especially without at least a prominent warning notice and the possibility to back off.

    1. Anonymous Coward

      Re: Clarification Needed Please

      > Do I understand correctly that if I am on the affected network and I type "https://google.com/" in my browser's URL bar, it will 302 me to "http://google.com/"?

      The referenced post has been both upvoted and downvoted, but nobody has provided an actual answer to the question. May I ask if the above is, in fact, correct?
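An added example (not part of any comment above, and not code from the article or from Google or BT): a Python check that flags an HTTPS-to-HTTP redirect in a recorded redirect chain, the behaviour asked about in "Clarification Needed Please", and applies the Referer rule quoted earlier in the thread to show who can then see the search terms. The host `search.example`, the `q` parameter name and the sample chain are constructed assumptions, not captured traffic.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

REDIRECT_CODES = {301, 302, 303, 307, 308}


def find_downgrades(hops):
    """Return (from_url, to_url) pairs where an https request was redirected to http.

    hops is a list of (request_url, status_code, headers) tuples in the order
    the client saw them; header names are matched case-insensitively.
    """
    found = []
    for url, status, headers in hops:
        if status not in REDIRECT_CODES:
            continue
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not location:
            continue
        target = urljoin(url, location)  # Location may be a relative reference
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            found.append((url, target))
    return found


def referer_sent(page_url, link_url):
    """Rule quoted in the thread: no Referer from a secure page to an unsecured request.

    Models only that rule; any Referrer-Policy the page sets is ignored.
    """
    return not (urlsplit(page_url).scheme == "https"
                and urlsplit(link_url).scheme == "http")


def exposure(page_url, link_url, param="q"):
    """Summarise who can read the search terms for one results page and one clicked link."""
    parts = urlsplit(page_url)
    terms = parse_qs(parts.query).get(param, [])
    return {
        "terms": terms,
        # A cleartext results URL is readable by every hop on the path.
        "on_path_network": parts.scheme == "http" and bool(terms),
        # The destination site sees the terms only if a Referer is sent.
        "destination_via_referer": bool(terms) and referer_sent(page_url, link_url),
    }


# Constructed sample chain (hypothetical host, not captured traffic).
SAMPLE_HOPS = [
    ("https://search.example/search?q=test+query", 302,
     {"Location": "http://search.example/search?q=test+query"}),
    ("http://search.example/search?q=test+query", 200, {}),
]

if __name__ == "__main__":
    for src, dst in find_downgrades(SAMPLE_HOPS):
        print("downgrade:", src, "->", dst)
    print(exposure(SAMPLE_HOPS[-1][0], "http://shop.example/"))
```
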

  13. David Roberts

    Analytics and filtering?

    Just checking.

    Using SSL will stop any intermediate network hops to your target snooping on your content (such as your ISP for security or profit).

    However Google as the end point of your search request will legitimately decrypt your search request before executing it.

    As far as I know Google routinely passes back a URL which contains not only the target web site but also a string of search terms used (presumably to show the target that they were found via Google and aren't they lucky).

    If the URL returned is to a dodgy site with loads of pron which also supports SSL this is surely where the problem starts if you want to monitor content to protect the kiddies.

    Google can presumably implement a Safe Search policy at their end, but this would require you to log onto Google before you could search? Ah, it is an option in Google which doesn't require you to log in so presumably a cookie.

    So - why does encrypting your search request prevent Safesearch from working?

    Are they filtering the search request on the fly before it hits the search engine and so working on the encrypted data stream?

    Sounds like a quick fix solution without any proper system design if it needs encryption turned off at source for it to work.

    Likewise harvesting search terms - if the eventual target of the search gets the key words tacked onto the URL then the only people to gain from the search being in clear are intermediate snoop points.

    Supplementary - if Internet Cafes have to suborn SSL sessions to filter for bad stuff then presumably you should always use a VPN when surfing away from home.

    Supplementary 2 - presumably the padlock doesn't show if your HTTPS session has been redirected?

  14. Anonymous Coward

    Cue Fandroid apologists defending the company.

    Wake up, they're evil now, they even said that "don't be evil" went out years ago.

    Poogle strikes again.

  15. Test Man

    Ah! The hotel I stayed in in Cheshire was stripping SSL from my Google searches, despite me being logged in (the hotel wifi was provided by BT Wifi). I thought it was weird but Google reckoned that it was the choice of the hotel admin.

    Still, they couldn't stop me from using https://encrypted.google.com though, so fuck 'em.

  16. Christian Berger

    To do something about it, we might need to give it a "terrorism" spin...

    We could be saying something like, "All that collected data could be used by terrorists". After all BT and Google are collecting lots of data which can/will be misused eventually.

  17. chris lively

    A few weeks ago I noticed that browsing to https://google.com was being redirected to the non SSL site and a little message was showing up saying the network had turned off SSL search. As I'm the network guy I tried different browsers and different computers. Same problem.

    So I called Google and asked them what was going on. At first they said my company turned off that setting in the admin panel for Google. I assured them the only person capable of doing that was me and that I had the admin panel up showing that SSL search was enabled.

    Then they said Time Warner (our ISP) had turned it off. I hung up and called Time Warner. After asking why they would have SSL search turned off the CSR put me on hold. He came back a few minutes later and insisted that they did no such thing. Interestingly, SSL search immediately started working again.

    I don't know wtf is going on, but I've configured all of our desktops to point to encrypted.google.com.

  18. Parax

    I'm not surprised BT have phorm in this area.
