It’s a bad time to be a Verizon customer. The telecommunications titan has been caught injecting ‘perma-cookies’ into their customers’ network traffic. This privacy-unfriendly move could see Verizon subscribers’ browsing activity accurately tracked across the Internet by third parties. And there’s little they can do about it.
The attack works by modifying HTTP traffic to include an element which uniquely identifies a user. This is then transmitted to every unencrypted website visited through their mobile data connection.
Users are not given the option to turn off these perma-cookies. Furthermore, neither deleting browser cookies nor surfing in private browsing mode will prevent the user from being tracked.
In a blog post, the Electronic Frontier Foundation (EFF) raised significant concerns about these perma-cookies, describing them as “shockingly insecure” and “dangerous to privacy”, and calling for Verizon to immediately end the practice of adding tracking metadata to their users’ network traffic.
Speaking to MakeUseOf, EFF board member Michael Geist said, “Recent reports of ISPs removing email encryption or seeking to track their users enhance the privacy concerns associated with online activity. In the absence of strict privacy laws, users frequently need to take measures into their own hands by actively using privacy enhancing technologies.”
You can find out whether you’re at risk by visiting lessonslearned.org/sniff or amibeingtracked.com. But how does Verizon’s tracking technology work, and are there any other ways your ISP is interfering with your traffic that could diminish your privacy?
How Verizon’s Perma-Cookies Work
The Hypertext Transfer Protocol (HTTP) is the cornerstone of the Internet. One component of this protocol is ‘HTTP headers’: metadata that is sent whenever your computer sends a request to, or receives a response from, a remote server.
In its simplest form, this contains information about the site requested and when the request was made. It also contains information about the user, including the User Agent string, which identifies the user’s browser and operating system to the website.
However, HTTP headers can also contain other, non-standard information.
This isn’t always such a bad thing. Some header fields are used to protect against Cross Site Scripting (XSS) attacks, whilst Firefox comes with a custom field that requests that a web application disable its tracking of the user. These are reasonable, and enhance the security and privacy of a user. In Verizon’s case, however, the field they used (called X-UIDH) contained a value unique to the subscriber, and was being indiscriminately sent to any website visited.
It’s important to stress that Verizon’s perma-cookies aren’t added on the device used to browse the Internet. If they were, remedying it would be a simpler matter. Rather, the changes were made at the network layer, from within Verizon’s infrastructure. This makes protecting against it a serious challenge.
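The check that the detection sites mentioned above perform can be written as a few lines of server-side code. This is an added example, not code from the article or from any of those sites; the request bytes are constructed and the X-UIDH value is a placeholder, and the example goes one step further than the article by showing why a stable injected value lets two unrelated sites correlate one user.

```python
# Added example (not from the article): detect an injected tracking header
# such as Verizon's X-UIDH in a raw HTTP request, as a web server sees it.
# All request bytes below are constructed; the X-UIDH value is a placeholder.

TRACKING_HEADERS = {"x-uidh"}   # X-UIDH is the field named in the article


def parse_request_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict.
    Names are lower-cased because HTTP header names are case-insensitive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                 # lines[0] is the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # blank or malformed line, skip it
        headers[name.strip().lower()] = value.strip()
    return headers


def find_tracking_headers(raw: bytes) -> dict:
    """Return {name: value} for every known tracking header in the request."""
    headers = parse_request_headers(raw)
    return {n: headers[n] for n in TRACKING_HEADERS if n in headers}


def same_subscriber(raw_a: bytes, raw_b: bytes) -> bool:
    """True when two requests carry the same injected identifier: this is what
    lets two unrelated sites correlate the same user (the 'perma-cookie')."""
    a, b = find_tracking_headers(raw_a), find_tracking_headers(raw_b)
    return bool(a) and a == b


# Constructed samples: one subscriber fetching two different sites over the
# carrier network, and the same request as it would look without injection.
REQUEST_SITE_A = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: site-a.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
                  b"X-UIDH: PLACEHOLDER_SUBSCRIBER_TOKEN\r\n\r\n")
REQUEST_SITE_B = (b"GET /news HTTP/1.1\r\n"
                  b"Host: site-b.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
                  b"x-uidh: PLACEHOLDER_SUBSCRIBER_TOKEN\r\n\r\n")
CLEAN_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: site-a.example\r\n"
                 b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n\r\n")
```

Because the header is added in transit, the same check run on a request sent over HTTPS or through a VPN tunnel finds nothing: the intermediary never sees the plaintext headers to modify.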
It’s Not Just Verizon
It’s not just Verizon who’ve been caught interfering with their customers’ traffic. A report published recently suggested certain American ISPs were actively interfering with the email encryption of their users.
According to the allegations (which were made before the Federal Communications Commission), these (unnamed) ISPs are intercepting email traffic and stripping a crucial security flag used to establish an encrypted connection between client and server.
It’s worth noting that this isn’t just an American issue. Similar allegations have also been levied at two of the largest ISPs in Thailand, who are said to be intercepting connections between Gmail and Yahoo Mail.
When an email client tries to retrieve email from a mail server, it makes a connection on port 25 and sends a STARTTLS flag. This tells the server to create an encrypted connection. Once this has been established, the client sends authentication details to the server, which then responds by sending mail to the client.
So, what happens when the STARTTLS flag is removed? Well, rather than refuse the connection, the server continues as normal but without the encryption. As you can imagine, this is a major security issue, as it means that both messages and authentication information are transmitted in plain text, and can therefore be intercepted by anyone sitting on the network with a packet sniffer.
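The downgrade works only because the client carries on when STARTTLS is missing. The following added example (not code from the article or from any mail client) shows the client-side policy that closes that gap: parse the server’s EHLO reply, and refuse to send credentials unless STARTTLS is actually advertised. The EHLO replies are constructed, not captured traffic.

```python
# Added example (not from the article): a client-side policy that refuses to
# send mail credentials unless the server advertises STARTTLS in its EHLO
# reply. The EHLO replies below are constructed, not captured traffic.


def ehlo_capabilities(reply: str) -> set:
    """Parse a multi-line EHLO reply into the set of advertised keywords.
    Every line starts with '250-' (more to come) or '250 ' (last line); the
    first line carries the server's domain, not a capability, so skip it."""
    caps = set()
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue                       # not part of a successful reply
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            caps.add(keyword)
    return caps


def starttls_offered(reply: str) -> bool:
    return "STARTTLS" in ehlo_capabilities(reply)


def safe_to_authenticate(reply: str, require_tls: bool = True) -> bool:
    """Decide whether the client may send AUTH credentials. With require_tls
    (the safe default) a missing STARTTLS means stop and send nothing: an
    intermediary that removed the keyword must not get a plaintext login."""
    return starttls_offered(reply) or not require_tls


# Constructed replies: the first is intact; in the second an intermediary has
# removed the STARTTLS line; in the third it has overwritten the keyword with
# filler bytes, which is why the check keys on the keyword, not the line count.
EHLO_INTACT = ("250-mail.example\r\n250-SIZE 35882577\r\n"
               "250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mail.example\r\n250-SIZE 35882577\r\n"
                 "250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n")
EHLO_MANGLED = ("250-mail.example\r\n250-SIZE 35882577\r\n"
                "250-XXXXXXXX\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n")
```

On a live connection, Python’s standard library performs the same check: `smtplib.SMTP.has_extn("starttls")` after `ehlo()` reports whether the extension was advertised, and `starttls()` raises `SMTPNotSupportedError` rather than continuing in the clear when it was not.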
It’s deeply troubling to see how cavalier certain ISPs are when it comes to the security and privacy of their users. With that in mind, it’s worth asking how to protect yourself against ISPs interfering with your email and web traffic.
To Stay Safe, Use A VPN
There’s an easy remedy to both of these security threats.
Just use a VPN. A Virtual Private Network creates a secure connection to a remote server, through which all network traffic is passed, be that email, web, or otherwise.
In short, it encapsulates all information in an encrypted tunnel. Any intermediaries wouldn’t be able to tell what is being transmitted, or what kind of network traffic it is. Therefore, it becomes impossible for Verizon to identify the HTTP headers and add their custom fields.
Similarly, it also becomes impossible to identify when the computer is connecting to an email server, preventing an ISP from stripping the STARTTLS flag required to create an encrypted email connection.
There are a lot of options to choose from, but we’re quite fond of SurfEasy at MakeUseOf.
SurfEasy is a Canada-based VPN company, with endpoints across the world. They allow you to be anonymous, and to be protected against anyone snooping on your network traffic. A free account allows 500 megabytes of traffic on up to five devices, and you can earn extra data by inviting friends, connecting with a second device, or just by using the product. A year’s subscription of their premium Total VPN plan removes the traffic restriction and costs $49.99 (they accept major credit cards, PayPal, as well as Bitcoin).
How Do I Win A 1-Year SurfEasy Total VPN Plan?
Photo Credits: Google mail homepage, Verizon homepage, Internet cookies, Email menu
Source: www.makeuseof.com