Google caught stripping SSL from BT Wi-Fi users' searches

Gary · Nov 20, 2014, 12:38:19

Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.

The move described as 'privacy seppuku' by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.

Customers were told that the network, rather than the Chocolate Factory, "has turned off SSL search", a statement Forbes proved to be false.

Yet another reason I shall avoid Android and Chrome for as long as I can, Google ~~dont be evil~~ are evil

http://www.theregister.co.uk/2014/11/20/gotcha_google_caught_stripping_ssl_search_from_bt_wifi_users_searches/

Steve · Nov 20, 2014, 13:15:33

If I read it correctly the agreement is between BT and Google uk and indeed may even have been instigated by BT. Location base data mining - £££

Gary · Nov 21, 2014, 08:36:09

Quote from: Steve on Nov 20, 2014, 13:15:33
If I read it correctly the agreement is between BT and Google uk and indeed may even have been instigated by BT. Location base data mining - £££

BT may have removed the security measures helping facilitate data mining but Google helped as I underhand it. Its not great for Google no matter what way you look at it. Its abit like saying "well I went to the house knowing my mate might steal something and I said if he see something nice to chance his arm, sorry!"

Steve · Nov 21, 2014, 08:55:26

I think it's not quite as it seems, the reason is probably quite simple and a comment from the original blog is self explanatory

http://blog.al4.co.nz/2014/09/google-commits-privacy-seppuku-at-bts-request/

Comment quote:

I was recently in the same situation. And as far as I can figure the reason HTTPS is disabled, is that the BT Wifi hotspots require you to login with username/password on a custom page before you can access the internet. Most people's default thing to do is google something, which then redirects them to the BT Wifi login page, but this only works if Google is being served up via HTTP, otherwise BT wouldn't be able to hijack the request and redirect you to the login page.

Hence it's probably not got much to do with privacy, and more to do with usability.

If +90% of users just got HTTPS/SSL security warnings from their browsers instead of a BT Wifi login page, they wouldn't be able to use BT Wifi unless they're of the minority who know and understand how HTTP/HTTPS connections work.

And regarding Google doing the redirect themselves, as far as I would guess, they probably offers certain networks the ability to disable HTTPS for various reasons. Like companies who want to actively restrict internet usage, or schools with overly strict policies, or open hotspot providers who want to improve average customer usability.

End

However it still means you searches on BT public WiFi are potentially open to interception.

Gary · Nov 21, 2014, 09:28:27

Quote from: Steve on Nov 21, 2014, 08:55:26
However it still means you searches on BT public WiFi are potentially open to interception.

Which google new and participated in, which is what it comes down to, they would have known BT's reasons I'm sure and happy participated. Google are the scourge of the internet these days privacy wise, and with them demanding their own standards be applied to websites too, it sounds like the MS days when websites only worked with IE except Google are omnipresent and they don't care about privacy or breaking privacy rules. Net neutrality is probably a dirty word at Google's Mountain view chocolate box. Even Mozilla a has parted ways with them now. Oh and 'End'

Steve · Nov 21, 2014, 09:41:03

But surely for many there are positive benefits to Google activities certainly my life's easier with Google knowing where I am and what I'm looking for, I sure prefer it that way than to living in a Faraday cage.

Glenn · Nov 21, 2014, 10:01:50

I would think Mozilla dropped Google in favour of Yahoo, just to get a larger share of the income from the adverts displayed. In 2012, Google gave them $311m in revenue generated from adverts.

Steve · Nov 21, 2014, 10:15:00

I think probably Google offered less favourable terms than it did before, when the initial agreement was negotiated FireFox was the dominant browser when compared with Chrome , now the situation has reversed with the latest Net Analytics figures putting Chrome on 21% and FireFox on 14%. In simple terms FireFox is not worth as much to Google as it was.