ISPs Covertly Hijacking Search Traffic
10 ISPs Using Paxfire Tech to Track Users, Hijack Results

Earlier this year, ICSI researcher Nicholas Weaver told me he and other Berkeley researchers had discovered some strange ISP shenanigans related to search traffic hijacking that went well beyond the traditional DNS redirection ad services we've talked about over the years. It took a few months to shore up their research with the help of the EFF, but the group has finally published their findings over at the EFF, and they show that many ISPs are hijacking user search traffic in order to make an extra buck.

The researchers, who are behind the popular Netalyzr tool (and wrote an article for us back in April), note that this behavior raises a number of privacy and security issues, and that it may not be legal. Two papers (pdf) on the matter note that ten major ISPs are using the help of a company named Paxfire not only to manage their DNS redirection ad income, but to actually hijack users' search results for popular terms such as "Apple" or "Dell", allowing them to both track users and profit from search results. Some additional detail:
quote:
Paxfire's product also includes an optional, unadvertised, and more alarming feature that drastically expands Paxfire's window into users' traffic. Instead of activating only upon error, this product redirects the customers' entire web search traffic destined for Yahoo!, Bing, and sometimes Google, to a small number of separate web traffic proxies.

These proxies collect the users' web searches and the corresponding search results, mostly forwarding them to and from the intended search engines. This allows Paxfire and/or the ISPs to directly monitor all searches made by the ISPs' customers and build up corresponding profiles, a process on which Paxfire holds a patent. It also puts Paxfire in a position to modify the underlying traffic if it decides to.


While users of these ISPs will sometimes be sent straight to the company they were looking for (while being tracked by the ISP), other times they're redirected to other web sites and/or affiliate partners:
quote:
Under specific conditions, the Paxfire proxies do not merely relay traffic to and from the search engines. When the user initiates searches for specific keywords from the browser's URL bar or search bar, the proxy no longer relays the query to the intended search engine, but instead redirects the browser's request through affiliate networks, as the equivalent of a click on advertisements. Using the names of popular websites, we have so far identified 170 brand-related keywords that trigger redirections via affiliate programs and result either on the brands' sites or on search assistance pages unrelated to the intended search engine results page.
Much like the ISP sale of clickstream data, users have not been informed that this is occurring, nor have they consented to the process in any ISP agreements. The New Scientist has some additional interesting reading on the hijacking, and lists all of the participating ISPs including Cavalier, Cincinnati Bell, Cogent, Frontier, Hughes, IBBS, Insight Broadband, Megapath, Paetec, RCN, Wide Open West and XO Communications. Charter and Iowa Telecom had been doing this, but stopped. None of the participating ISPs have been willing to comment.

We've discussed how the effort to get consumer privacy laws passed is an uphill battle given the collective lobbying power of the telecom, marketing and content industries. Companies like Verizon have claimed that public shame will keep them honest on the privacy front, and most carriers have argued that self-regulation will be enough to protect consumers from privacy and security abuses. In this instance, self-regulation apparently means hijacking traffic and tracking users, without telling anyone they're doing it.
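The three behaviors the papers describe (rewriting NXDOMAIN into an ad page, answering search-engine hostnames with a proxy address, and turning a brand-keyword search into an affiliate redirect) can each be checked from the client side. The script below is an added example and is not code from the article, the EFF papers or Netalyzr; the netblocks, proxy addresses and the affiliate hostname in it are constructed for the demo (real engines' address space changes, so a live check should compare your ISP resolver's answer against an independent resolver rather than a fixed list). Only `system_lookup` touches the network, and only when you call it.

```python
"""Client-side checks for the Paxfire behaviours described above. Added example;
the address ranges and hostnames are constructed, not taken from the papers."""
import ipaddress
import secrets
import socket
import string
from urllib.parse import urlsplit

# Where each engine is expected to answer from. CONSTRUCTED: documentation ranges
# stand in for real netblocks. For a live run, replace this with the answers of an
# independent resolver you trust.
EXPECTED_NETS = {
    "www.bing.com": [ipaddress.ip_network("192.0.2.0/24")],
    "search.yahoo.com": [ipaddress.ip_network("198.51.100.0/24")],
    "www.google.com": [ipaddress.ip_network("203.0.113.0/24")],
}


def system_lookup(name):
    """Adapter for a real run: asks the host's configured (usually ISP) resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []  # NXDOMAIN or other failure: no addresses


def check_nxdomain_redirect(lookup, probe_zone="example.com"):
    """A name with a random 16-character label cannot exist; any answer at all means
    the resolver is rewriting NXDOMAIN into an ad/search-assistance page."""
    label = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(16))
    probe = f"{label}.{probe_zone}"
    answer = lookup(probe)
    return {"probe": probe, "redirected": bool(answer), "addresses": answer}


def check_search_hijack(lookup, expected=EXPECTED_NETS):
    """Flag engines whose answer lies outside the engine's own address space: that
    is the 'optional, unadvertised' proxy feature the paper describes."""
    findings = {}
    for host, nets in expected.items():
        addrs = lookup(host)
        outside = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in n for n in nets)]
        findings[host] = {"answers": addrs, "outside_expected": outside,
                          "hijacked": bool(outside)}
    return findings


def check_affiliate_redirect(status, headers, engine_domain):
    """True when a search query is answered with a redirect that leaves the engine's
    domain, the signature of the keyword-triggered affiliate click."""
    if status not in (301, 302, 303, 307, 308):
        return False
    host = (urlsplit(headers.get("Location", "")).hostname or "").lower()
    return bool(host) and host != engine_domain and not host.endswith("." + engine_domain)


# --- constructed resolvers standing in for a clean ISP and a hijacking one --------
_HONEST = {"www.bing.com": ["192.0.2.10"], "search.yahoo.com": ["198.51.100.7"],
           "www.google.com": ["203.0.113.5"]}


def honest_lookup(name):
    return list(_HONEST.get(name, []))


def hijacking_lookup(name):
    if name in ("www.bing.com", "search.yahoo.com"):  # Google left alone, as in the paper
        return ["198.18.0.9"]                         # proxy relaying to the real engine
    if name in _HONEST:
        return list(_HONEST[name])
    return ["198.18.0.10"]                            # NXDOMAIN replaced by an ad page


def report(lookup):
    return {"nxdomain": check_nxdomain_redirect(lookup),
            "search": check_search_hijack(lookup)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(hijacking_lookup), indent=1))
    # Constructed redirect shaped like the affiliate hop the paper describes.
    print(check_affiliate_redirect(302, {"Location": "http://click.affiliate.example/r?k=apple"},
                                   "bing.com"))
```

To test your own connection, call `report(system_lookup)`; a `redirected: true` in the nxdomain result is the ordinary DNS-redirection product, and any `hijacked: true` entry means the engine's hostname resolves somewhere the engine does not live. The affiliate check needs the raw response to a search URL (for example from `curl -I`), since a browser follows the redirect silently.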

DataRiker (Premium Member) - Simple solution

»encrypted.google.com/

I also recommend firefox users try HTTPS-Everywhere
kaila (Member) - Re: Simple solution

Not sure about this, but couldn't SSL still be vulnerable to man-in-the-middle type attacks if ISPs are proxying the traffic?

DataRiker (Premium Member) - Re: Simple solution

No.

SSL uses endpoint mutual authentication.
InfinityDev (Member) to kaila:
Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm
rahvin112 (Member) - Re: Simple solution

There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the middle as it doesn't use the SSL chain of trust. Though there is speculation that if a government provided a proxy node they could potentially identify some users. The probability is extremely low that this would succeed due to the onion routing, though it is technically possible. The only issue to deal with is that TOR is slow (because of the onion routing). TOR has been a documented resource in allowing people in oppressive totalitarian regimes to bypass the censorship regimes and provide real information flow.

The beauty of TOR over generalized proxies is that the traffic is routed through multiple proxies before source and destination, thus shielding both sides from oppressive government (or ISP in this case) action.

Matt3 (Premium Member) - Re: Simple solution

said by rahvin112:

There is a solution though. It's called TOR and it allows encrypted traffic to proxy servers through which you can browse the regular internet. I'm not aware of any exploit against TOR at this time that would allow man-in-the middle as it doesn't use the SSL chain of trust.

Tor is no solution, asshat torrenters and child pornographers have ruined the network.

As far as exploits, why, a simple Google search shows there is in fact an easy way to perform a man-in-the-middle attack, even of SSL encrypted traffic.
said by article:
He then mentioned all the passwords, and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (You don’t shop using Tor do you?).


»www.google.com/search?rl ··· e-middle

DataRiker (Premium Member) - Re: Simple solution

If one uses their browser in its default settings as intended, a Man in the Middle attack is not transparent and will fail.

Your browser will issue a warning saying the Cert does not match.

All the rest is FUD.

MxxCon (Member) to rahvin112:
Tor is not a solution, it's a workaround. Using Tor you'd bypass your ISPs hijacking, but you have no idea if the exit node you picked has a similar hijacking ISP.
The only way to protect against this kind of hijacking is https or perhaps IP-level authentication that I think IPv6 can provide.

dslcreature (Premium Member) to InfinityDev:
said by InfinityDev:

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm

In the real world the ISP can trick you into installing their root cert the same way they can trick you into installing a key logger or advertising malware. This is realistically the only capability they will see.

Any covert LEA capability to sign fake certs is sure as hell not going to be pissed away in pursuit of extracting a few dollars from advertising campaigns.

The days of the MD5 only signatures used previously to generate fake intermediates with PS3 clusters are over. As of a few months ago some browsers have stopped accepting them.

ctceo (Premium Member) to kaila:
ISPs are in the perfect position to use MitM paralleling. You've already given them permission to snoop. You only need a piece of widely used publicly available software to do the trick.

toby (Member) to DataRiker:
Thanks, great software to use, just installed it. Coming back to this site redirected it to secure.dslreports.com

Matt3 (Premium Member) to DataRiker:
said by DataRiker:

»encrypted.google.com/

I also recommend firefox users try HTTPS-Everywhere

This is done at the DNS layer, SSL doesn't matter.

cdru (MVM) - Re: Simple solution

said by Matt3:

This is done at the DNS layer, SSL doesn't matter.

With SSL though, the ISP isn't going to know what the user is searching for to proxy the results. It's also encrypted by google so they can't alter/inject their own results back. And if they redirect all traffic going to https google to their spoofed proxy site that looks like https google, the real certs won't be valid.

Matt3 (Premium Member) - Re: Simple solution

said by cdru:

said by Matt3:

This is done at the DNS layer, SSL doesn't matter.

With SSL though, the ISP isn't going to know what the user is searching for to proxy the results. It's also encrypted by google so they can't alter/inject their own results back. And if they redirect all traffic going to https google to their spoofed proxy site that looks like https google, the real certs won't be valid.

They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser. You have to go much lower on the OSI model to prevent this type of hijacking, think network or transport layer, not the session or application layer.

cdru (MVM) - Re: Simple solution

said by Matt3:

They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser. You have to go much lower on the OSI model to prevent this type of hijacking, think network or transport layer, not the session or application layer.

Can you please elaborate? I won't say that you're wrong, but I don't think you're right.

Taking google for instance, presuming that google has a properly installed certificate, the certificate is signed by a trusted CA, and you are actually visiting the correct URL (and haven't been redirected to g00g1e.com), I don't see how a MITM attack would be possible. The presentation of any spoofed certificates would not be signed by a CA and/or match up to the host name; all up to date modern browsers would alert you to this immediately.

If this was possible, it would mean the break down of the entire eCommerce infrastructure due to the insecurity of the transactions.

gme (Anon) - Re: Simple solution

Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.

Matt3 (Premium Member) - Re: Simple solution

said by gme:

Google may have a very valid SSL certificate (from VeriSign even), but the way an SSL MiTM attack works is that the SSL proxy intercepts your HTTPS request, breaks it, and then forwards it on to Google (for example).

What the proxy sends to YOU (and your browser) is a completely separate encrypted SSL page, and your little lock still shows, because the SSL proxy is using a certificate that is trusted in your certificate store.

Countries like Saudi Arabia, Iran, and China, can do this because their country-level CAs are in everyone's browser (bring up certmgr.msc if you're on Windows).

Since the root is universally trusted, the root CAs can issue bogus intermediate certs via their own CAs, forging the legitimate certs to your browser.

You mention the breakdown of eCommerce as we know it, and you're absolutely correct.

SSL has been the worst thing to happen to the Internet.

Not because of the technology, but because of the false sense of security it provides.

This is a very good explanation and is inline with what I have read about SSL man-in-the-middle attacks. The crux seems to be that in most modern certificate stores (be it Firefox's internal or the one in Windows) there are simply too many trusted root/intermediate certificates that are valid for 10+ years.

All it takes is one relatively common cert to be exploited and you could build a spying business off it ... while working on the next one to compromise to extend your business another 10 years.

rchandra (Premium Member) - Re: Simple solution

Even more to the point, validity checking of certs relies on valid DNS results. Without widespread DNSSEC client implementations and validations, and zone signatures, it is likewise MitM vulnerable.

Steve to Matt3:
said by Matt3:

They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser.

SSL cannot be proxied in this way without setting off alarm bells in the browser due to cert name mismatches.

Matt3 (Premium Member) - Re: Simple solution

said by Steve:

said by Matt3:

They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser.

SSL cannot be proxied in this way without setting off alarm bells in the browser due to cert name mismatches.

Cert name mismatches are easy to overcome, you simply spoof the name of the URL with a fake cert. It's the chain to the intermediate and/or root certificate that is stored in the browser or local computer's certificate store that I'm not quite sure how they'd work around ... without compromising and delivering an intermediate cert to the browser or OS trust store.

Bruce Schneier has a good summation from April of 2010 of one way to do this, readily built into an appliance. The comments are worth reading as well.

»www.schneier.com/blog/ar ··· d_2.html
quote:
Although current browsers don't ordinarily detect unusual or suspiciously changed certificates, there's no fundamental reason they couldn't (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that). In any case, there's no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates.

Steve - Re: Simple solution

said by Matt3:

Cert name mismatches are easy to overcome, you simply spoof the name of the URL with a fake cert.

I am familiar with Bruce's piece, and I'm pretty sure you missed a key piece, the part where the cert vendors were induced to issue valid certs for the URLs they wish to intercept.
said by the abstract:

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.

These are "false" certs only in the sense that they're not the ones issued by the real owners, but they will validate the same as the real ones, and there's nothing the clients can do to notice that something is awry.

I really hope that ISPs are not getting bogus certs.

Steve
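gme's post above describes the interception proxy and Steve's post above describes the compelled-CA variant; the disagreement in this thread is really about what a browser checks before it shows the lock. The script below is an added example, not code from the thread, the papers or any product, and it uses the `cryptography` package to build a throwaway PKI and then runs the chain walk a client performs: hostname against the SAN, a signature chain, and whether that chain ends at a root the client actually trusts. "Honest CA", "Interception CA", `proxy.isp.example` and the use of www.google.com as the target are made up for the demo; keys are generated fresh on each run.

```python
"""Does an interception proxy's certificate pass validation? Added example built on
the `cryptography` package; CA names, the proxy name and the target host are made up."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, *, ca, dns=None):
    """Issue a cert for subject_key, signed by issuer_key (self-signed if the same)."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1))
         .not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if dns:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(dns)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer):
    """Does the issuer's public key verify cert's signature over its TBS bytes?"""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def validate(leaf, intermediates, trust_store, hostname):
    """Return 'ok' or the reason a browser would refuse. The checks the thread argues
    about: hostname match, a valid signature chain, and a root the client trusts."""
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if hostname not in names:
        return "domain mismatch"
    cert = leaf
    for _ in range(4):                        # bound the path length
        for root in trust_store:              # reached an anchor: chain complete
            if cert.issuer == root.subject and is_ca(root) and signed_by(cert, root):
                return "ok"
        parents = [c for c in intermediates
                   if c.subject == cert.issuer and is_ca(c) and signed_by(cert, c)]
        if not parents:
            return "unknown issuer"           # Firefox: sec_error_unknown_issuer
        cert = parents[0]
    return "unknown issuer"


def demo():
    """The scenarios from the thread, as the result a browser would produce."""
    ca_key, rogue_key, site_key, proxy_key = (
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(4))
    trusted_root = issue("Honest CA", ca_key, "Honest CA", ca_key, ca=True)
    rogue_root = issue("Interception CA", rogue_key, "Interception CA", rogue_key, ca=True)
    real_leaf = issue("www.google.com", site_key, "Honest CA", ca_key, ca=False, dns="www.google.com")
    # The proxy terminates TLS with its own key and mints a cert bearing the site's name.
    proxy_forged = issue("www.google.com", proxy_key, "Interception CA", rogue_key, ca=False, dns="www.google.com")
    # Compelled-CA case: a trusted CA issues the site's name to the proxy's key.
    proxy_compelled = issue("www.google.com", proxy_key, "Honest CA", ca_key, ca=False, dns="www.google.com")
    # The proxy's own, legitimately issued cert, presented for a site it does not own.
    proxy_own = issue("proxy.isp.example", proxy_key, "Honest CA", ca_key, ca=False, dns="proxy.isp.example")
    store = [trusted_root]
    return {
        "real site": validate(real_leaf, [], store, "www.google.com"),
        "forged, rogue CA not installed": validate(proxy_forged, [], store, "www.google.com"),
        "forged, rogue CA installed": validate(proxy_forged, [], store + [rogue_root], "www.google.com"),
        "compelled trusted CA": validate(proxy_compelled, [], store, "www.google.com"),
        "proxy's own cert": validate(proxy_own, [], store, "www.google.com"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:32s} -> {result}")
```

Run it and the two "forged" rows show both sides of the argument: the same forged certificate is rejected with an unknown-issuer error when the interception CA is absent from the store and accepted, lock and all, once it is present. The compelled-CA row is Steve's point: a certificate issued by an already trusted CA validates exactly like the real one, and nothing in this chain walk can tell them apart. Expiry and revocation checks are omitted here to keep the walk short; they do not change which of these rows pass.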
zefie (Member) to DataRiker:
Just installed it. Irony is this site fails it. At least for me.

secure.dslreports.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Edit: Oddly only Firefox (v5.0.1, fresh install) is doing it.
rahvin112 (Member) - Re: Simple solution

Firefox 5 invalidated a certain SSL certificate provider that is known to issue certificates without validating domain ownership. That's likely the issue here as my own certificate was bitten by this. The issuer in question is the lowest price issuer of SSL certificates (probably because they don't do any validation). You can issue individual exceptions for these certificates but I would verify that the certificate in question is for the actual site (verify the IP and DNS records) before doing so.
zefie (Member) - Re: Simple solution

Or maybe Verizon was doing something shady.. because oddly after reading your post I re-enabled this site in the extension, ready to manually except it, but to my surprise, it is not throwing the error anymore. Hmm.

Matt3 (Premium Member) - Re: Simple solution

said by zefie:

Or maybe Verizon was doing something shady.. because oddly after reading your post I re-enabled this site in the extension, ready to manually except it, but to my surprise, it is not throwing the error anymore. Hmm.

I get random cert errors from this site when I log in from different devices. Seems to be browser based.

joako (Premium Member) to rahvin112:
What certain SSL provider?

DataRiker (Premium Member) to zefie:
said by zefie:

Just installed it. Irony is this site fails it. At least for me.

secure.dslreports.com uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

Edit: Oddly only Firefox (v5.0.1, fresh install) is doing it.

Is the plug in compatible with V5? I'm on version 4.
equivocal (Member) to zefie:
I started seeing SSL cert errors with secure.dslreports.com a couple weeks ago. Firefox...er...2!?

hayabusa3303 (Premium Member) - humm

They want to track us, make a buck and cap us to death and charge us up the ass if we go over? Keep up the good work ISPs. Your business model is slowly going to crap.

gettagrip (Anon) - Re: humm

Keep up the good work ISPs. Your business model is quickly going to crap.

FTFY
openbox9 (Premium Member) to hayabusa3303:
Actually, the business model is improving. It's the consumers' approval of the business model that is deteriorating.
mleland (Premium Member) - Wire tap laws?

Just imagine if the old phone company didn't have to follow wiretapping laws. It is clearly WAY past time for a MAJOR update to the wiretapping (privacy) laws.

Yes, I know all about warrantless wiretapping.... We are talking about a private company here using that data for profit without any notification or consent... not the gov't for criminal activity.
nweaver (Member) - Re: Wire tap laws?

The legal complaint specifically concerns the wiretap act amongst other complaints.

firephoto (Premium Member) - Don't use ISP DNS

Use a public DNS server and don't fall for the tricks from the ISP that make you think you need to use their DNS.

nweaver (Member) - Questions answered in this thread...

I'm one of the Netalyzr developers, and will attempt to answer questions in this thread. I may have intermittent connectivity, so please be patient.


SkellBasher (Member) - Paxfire is shady

Although I'm not at one of the ISPs listed, we use Paxfire appliances for DNS redirection for our customers. (I hate it, but my objections were overruled by our owner.)

Even though we ONLY use them for NXDOMAIN redirection, we've caught them performing this search hijacking in the past. The first time, they told me that they were requested to make the change by an individual that hadn't worked for us in 3 years. I raised hell about it, and they reverted it. Since then, I've been watching for it, and they've made 'configuration mistakes' to turn this back on more than a few times.

I very much suspect that they're intentionally turning this on without ISP knowledge to increase revenues, reverting it when they get caught.

EDIT: I wasn't running a check for Bing, since it's almost never used. I decided to look, and sure enough, they were proxying Bing without our consent.

Shady shady... can't wait to get rid of them.


funchords (MVM) - Congrats to Nick and Team

Congrats and thanks to nweaver and the rest of the folks involved in uncovering this!

dvd536 (Premium Member) - HSI should be free

Given all the ways providers are making money off our actions!!
Kearnstd (Premium Member) - Re: HSI should be free

said by dvd536:

Given all the ways providers are making money off our actions!!

Just think: they are snooping data to serve us better targeted ads, and then, if they truly get their way, they will bill us for the bits consumed by us seeing those ads.

So they will profit off our actions, then profit off the ads generated by our actions, and then profit again off the data consumed by those ads.

ctceo (Premium Member) - But then again

This is old news to me, at least 6 or 7 years old. I knew it was happening then. Anyone who believed otherwise was simply in their little happy place (the hole they stick their head in when they don't want to believe something is the case).