GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches
Choc Factory to build crypto bridge 'soon'
Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.
The move described as 'privacy seppuku' by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.
Customers were told that the network, rather than the Chocolate Factory, "has turned off SSL search", a statement Forbes proved to be false.
Google engineer and security bod Adam Langley in a forum comment confirmed the SSL strip and said it would be removed 'soon'.
"At the moment, yes, no nosslsearch VIP will do this. However we're getting rid of it soon and replacing it with one that enables SafeSearch, but still over HTTPS," Langley said.
"However, if you want an encrypted search option, 'https://encrypted.google.com' is always encrypted and isn't affected by these methods."
Google and BT have been contacted for comment.
Forbes speculated in a blog detailing the SSL strip that BT may have removed the security measure to facilitate content filtering for kids or 'more likely' for data mining.
"It's reasonable to expect that BT knows the location of every BT WiFi router within 10 to 15 metres, because it has a home address for every one of them," Forbes said.
"... knowing what is searched by location is a marketing gold mine."
A curl request examining whether public DNS could get around the security gap demonstrated Google was redirecting users to unsecured http through a 302 found header.
"What we’re witnessing therefore, is almost certainly the result of a commercial agreement between BT and Google UK -- one that exchanges the privacy of my searches for BT and Google's commercial gain," Forbes said.
"Duckduckgo it is then." ®