Tag Archives: https

Gogo Issues Fake HTTPS Certificates

A number of publications, including Ars Technica, have reported that Gogo is issuing fake HTTPS certificates to users visiting YouTube. HTTPS, when properly used, assures users that:

1. They are actually visiting the real site; Youtube in this case.

2. The communications between the visitor and the site, including passwords and cookies, are encrypted.

Ars Technica shows a screenshot of the fake certificate. It clearly shows that the issuer is Gogo rather than a Certificate Authority (CA) that the browser trusts; hence, the pop-up warning. Unfortunately, Continue reading Gogo Issues Fake HTTPS Certificates

The Lowdown on Phone Carrier UIDH Injection

Over the past few days, media outlets have been reporting that Verizon has been inserting a string of letters and numbers called a UIDH into outgoing http requests made by its customers. The string uniquely identifies a specific device. The diagram in Jonathan Mayer’s blog post provides a good picture of how the process occurs and how this string can be used. Basically, a website that receives the string can pass it along to an advertising exchange which in turn pays Verizon for information on the subscriber that allows them to show more relevant ads.

Mayer’s post states that at a minimum, Verizon reveals Continue reading The Lowdown on Phone Carrier UIDH Injection

Comcast Injected Ads Highlight One More Danger of Public Wi-Fi

Comcast has begun injecting ads into webpages accessed by users using one of its 3.5 million public Wi-Fi hotspots. With this action, Comcast joins the list of businesses (e.g. airports) that provide Wi-Fi service with ads.

The injection itself happens using Javascript. Despite Comcast’s claim that they have “multiple layers of security ‘based on industry best practices,'” a staff member of the EFF says even if Comcast has no malicious intent, and even if hackers don’t access the Javascript, the interaction of the Javascript with the website could create new security vulnerabilities. To prevent the ad injection, he recommends using https, which isn’t provided by all websites.

Another potential solution is to use a VPN, which encrypts all the traffic between you and the VPN provider instead of between you and the website.

I have not personally used one of these public hotspots, so take this with a grain of salt, but it may help to turn off all Javascript while using the hotspot. Using a browser extension like NoScript probably won’t work because a normally trusted, unencrypted webpage with an ad injected will likely appear to be coming from the same trusted domain. Continue reading Comcast Injected Ads Highlight One More Danger of Public Wi-Fi