It’s a bad time to be a Verizon customer. The telecommunications titan has been caught injecting ‘perma-cookies’ into its customers’ network traffic. This privacy-unfriendly move could see Verizon subscribers’ browsing activity accurately tracked across the Internet by third parties. And there’s little they can do about it.

The attack works by modifying HTTP traffic to include an element which uniquely identifies a user. This is then transmitted to every unencrypted website visited through their mobile data connection.

Users are not given the option to turn off these perma-cookies. Furthermore, neither deleting the browser cookies nor surfing in a private browsing mode will prevent the user from being tracked.

In a blog post, the Electronic Frontier Foundation (EFF) raised significant concerns about these perma-cookies, describing them as “shockingly insecure” and “dangerous to privacy”, and calling for Verizon to immediately end the practice of adding tracking metadata to its users’ network traffic.

Speaking to MakeUseOf, EFF board member Michael Geist said, “Recent reports of ISPs removing email encryption or seeking to track their users, enhances the privacy concerns associated with online activity. In the absence of strict privacy laws, users frequently need to take measures into their own hands by actively using privacy enhancing technologies.”

You can find out whether you’re at risk by visiting lessonslearned.org/sniff or amibeingtracked.com. But how does Verizon’s tracking technology work, and are there any other ways your ISP is interfering with your traffic that could diminish your privacy?

How Verizon’s Perma-Cookies Work

The Hypertext Transfer Protocol is the cornerstone of the Internet. A component of this protocol is ‘HTTP Headers’. These are essentially metadata sent with every request your computer makes to a remote server, and with every response it receives.

In its simplest form, this contains information about the site requested and when the request was made. It also contains information about the user, including the User Agent string, which identifies the user’s browser and operating system to the website.

However, HTTP headers can also contain other, non-standard information.

This isn’t always such a bad thing. Some header fields are used to protect against Cross Site Scripting (XSS) attacks, whilst Firefox comes with a custom field that requests a web application disable their tracking of the user. These are reasonable, and enhance the security and privacy of a user. However, in Verizon’s case, they used a field (called X-UIDH) that contained a value unique to the subscriber, and was being indiscriminately sent to any websites visited.

It’s important to stress that Verizon’s perma-cookies aren’t added on the device used to browse the Internet. If they were, remedying it would be a simpler matter. Rather, the changes were made on the Network layer from within Verizon’s infrastructure. This makes protecting against it a serious challenge.
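To make the in-transit injection concrete, here is an added example (not code from the article or from the checking sites it mentions) that compares the request a browser sent with the request a server received and reports any header that appeared on the way. The function names, the host `example.test` and the X-UIDH value are constructed placeholders.

```python
# Added example: find headers inserted between client and server.
# Both requests below are constructed samples; the X-UIDH value is a placeholder.

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} for one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def injected_in_transit(sent: bytes, received: bytes) -> dict:
    """Headers (or extra values) the server saw that the client never sent."""
    before, after = parse_headers(sent), parse_headers(received)
    extra = {}
    for name, values in after.items():
        added = [v for v in values if v not in before.get(name, [])]
        if added:
            extra[name] = added
    return extra

# What the browser put on the wire (constructed).
SENT = (b"GET /sniff HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: ExampleBrowser/1.0\r\n"
        b"DNT: 1\r\n\r\n")

# What arrived at the web server after crossing the carrier network (constructed).
RECEIVED = (b"GET /sniff HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"User-Agent: ExampleBrowser/1.0\r\n"
            b"DNT: 1\r\n"
            b"X-UIDH: PLACEHOLDER-SUBSCRIBER-TOKEN\r\n\r\n")

if __name__ == "__main__":
    print(injected_in_transit(SENT, RECEIVED))   # the added header
    print(injected_in_transit(SENT, SENT))       # nothing added
```

Because the header never exists in the browser's own request, clearing cookies or using private browsing changes nothing in `SENT`, and the difference still shows up at the server.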

It’s Not Just Verizon

It’s not just Verizon who’ve been caught interfering with their customers’ traffic. A report published recently suggested certain American ISPs were actively interfering with the email encryption of their users.

According to the allegations (which were made before the Federal Communications Commission), these (unnamed) ISPs are intercepting email traffic and stripping a crucial security flag used to establish an encrypted connection between client and server.

It’s worth noting that this isn’t just an American issue. Similar allegations have also been levelled at two of the largest ISPs in Thailand, who are said to be intercepting connections between Gmail and Yahoo Mail.

When an email client tries to retrieve email from a mail server, it makes a connection on port 25 and sends a STARTTLS flag. This tells the server to create an encrypted connection. Once this has been established, the client sends authentication details to the server, which then responds by sending mail to the client.

So, what happens when the STARTTLS flag is removed? Well, rather than refuse the connection, the server continues as normal but without the encryption. As you can imagine, this is a major security issue, as it means that both messages and authentication information are transmitted in plain text, and can therefore be intercepted by anyone sat on the network with a packet sniffer.
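The downgrade described above, seen from the client's side, as an added example that is not code from the article: it parses the capability list a mail server returns and shows the difference between a client that falls back to cleartext and one that refuses to continue. The function names and both sample replies are constructed for illustration.

```python
# Added example (not from the article): client-side handling of a missing
# STARTTLS capability. Both EHLO replies are constructed samples.

class DowngradeError(Exception):
    """Raised when encryption was required but the server did not offer it."""

def ehlo_extensions(reply: str) -> set:
    """Parse a multi-line 250 reply into the set of advertised keywords."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected reply line: {line!r}")
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts

def plan_session(reply: str, require_tls: bool) -> list:
    """Steps the client takes next, given the capabilities it was shown."""
    if "STARTTLS" in ehlo_extensions(reply):
        return ["STARTTLS", "tls-handshake", "EHLO", "AUTH (encrypted)"]
    if require_tls:
        raise DowngradeError("STARTTLS not offered; not sending credentials")
    return ["AUTH (cleartext)"]   # opportunistic fallback: the exposed case

INTACT = ("250-mail.example.test\r\n250-SIZE 35882577\r\n"
          "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
# Same reply as it would look with the STARTTLS line removed in transit.
STRIPPED = ("250-mail.example.test\r\n250-SIZE 35882577\r\n"
            "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")

def strict_client_aborts(reply: str) -> bool:
    """True when a TLS-required client refuses to continue on this reply."""
    try:
        plan_session(reply, require_tls=True)
    except DowngradeError:
        return True
    return False

if __name__ == "__main__":
    print(plan_session(INTACT, require_tls=False))
    print(plan_session(STRIPPED, require_tls=False))
    print(strict_client_aborts(STRIPPED))
```

A client configured to require TLS turns the silent downgrade into a visible connection failure, which is the behaviour to look for in a mail client's security settings.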

It’s deeply troubling to see how cavalier certain ISPs are when it comes to the security and privacy of their users. With that in mind, it’s worth asking how to protect yourself against ISPs interfering with your email and web traffic.

To Stay Safe, Use A VPN

There’s an easy remedy to both of these security threats.

Just use a VPN. A Virtual Private Network creates a secure connection between your device and a remote server, through which all network traffic is passed, be that email, web, or otherwise.

In short, it would encapsulate all information in an encrypted tunnel. Any intermediaries wouldn’t be able to tell what is being transmitted, or what kind of network traffic it is. Therefore, it becomes impossible for Verizon to identify the HTTP headers and add their custom fields.

Similarly, it also becomes impossible to identify when the computer is connecting to an email server, preventing an ISP from stripping the STARTTLS flag required to create an encrypted email connection.

There are a lot of options to choose from, but we’re quite fond of SurfEasy at MakeUseOf.

SurfEasy is a Canada-based VPN company, with endpoints across the world. They allow you to be anonymous, and to be protected against anyone snooping on your network traffic. A free account allows 500 megabytes of traffic on up to five devices, and you can earn extra data by inviting friends, connecting with a second device, or just by using the product. A year’s subscription of their premium Total VPN plan removes the traffic restriction and costs $49.99 (they accept major credit cards, PayPal, as well as Bitcoin).

We have ten 1-year SurfEasy Total VPN plans to give away, plus a BlackBerry Z10.

How Do I Win A 1-Year SurfEasy Total VPN Plan?

SurfEasy + BlackBerry Z10

The winner will be selected at random and informed via email. View the list of winners here.

A Special Treat!

From now until Dec 2, SurfEasy is offering its premium Total VPN plan with a staggering 50% discount. Just use the code MAKEUSE50 at checkout to slash prices in half.

Photo Credits: Google mail homepage, Verizon homepage, Internet cookies, Email menu

  1. zachary campos
    December 15, 2014 at 10:11 am

    look. while you people were out spending time with friends getting wasted in high school, I was sitting at home reading internet RFC's. The Internet was and is still a dangerous place. If it wasn't for people like me, it would be even more dangerous. You newbs wouldn't last 10 minutes on the Internet of 20 years ago.

    This article is completely wrong when he talks about the STARTTLS tag on port 25. First of all, port 25 is used by e-mail clients to SEND e-mail, not receive. Second of all, port 25 is SUPPOSED to not use STARTTLS. It is supposed to be plaintext. port 25 should not be used if you want any kind of privacy. use one of the higher numbered ports. port 25 is filtered by ISPs for anti spam purposes and for your own protection. I guess anybody can be a blogger nowadays. This means newbs that have no idea what is going on can post and act like they know what is going on. It's dangerous because most people actually have no idea what is going on and shit like this gets on the 6 o'clock news and people like me have to waste time debunking this crap.

    somebody bring back the old internet.

    • Justin Tyler Montgomery
      October 20, 2015 at 8:24 pm

      SHut up you flamer. LMAO you posted like 4 comments and no one even replied to you!!! Hahahahahahahaha what a loser lmao "while you guys were out I was sitting at home reading internet RFC's" BAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA GET A LIFE HAHAHAHAHAHA

    • val
      July 8, 2016 at 9:28 pm

      Just wanted to say that he is right about port 25. It is clearly a mistake in the article.

  2. zachary campos
    December 15, 2014 at 9:48 am

    ACCORDING TO INTERNET RFC STANDARDS, PORT 25 IS PLAINTEXT. BY filtering port 25, your ISP is actually PROTECTING your privacy! you are supposed to use other ports for encrypted e-mail. DO NOT USE PORT 25 IF YOU WANT SECURE E-MAIL.

    sorry if I have repeated myself. my other comment did not appear to send.

    it seems everybody is blogger nowadays. misinformation is being spread by internet newbies who have no idea how things work. we need a new internet.

  3. zachary campos
    December 15, 2014 at 9:46 am

    in other words. port 25 is NOT SUPPOSED TO USE STARTTLS OR ANY KIND OF ENCRYPTION!!. PORT 25 is the old port used for plain text e-mail since like the 1950's. IF YOU WANT TO USE ENCRYPTION, USE THE RIGHT PORT!

  4. zachary campos
    December 15, 2014 at 9:44 am

    You are wrong in saying that port 25 is used to receive mail. this is wrong. this is the port used to send mail. . ask yourself if they do this to filter out spammers who use their servers with no sort of login information or anything of the sort? ISP's generally filter out SMTP traffic for anti spam purposes. If you are using a login and password, and one of the higher numbered ports, I am willing to bet this is not a problem. Before claiming that ISP's are spying on your traffic by forcing plain text e-mail, you might want to educate yourself on the most basic of basic structures of how e-mail works. honestly, most isp's block port 25 to begin with, because port 25 is designed NOT to use encryption. the higher numbered ports are encrypted according to RFC standards.

    I know the above is a bit disorganized. sue me. I didn't get much sleep last night.

  5. rk
    December 9, 2014 at 10:57 pm

    Hey, please do something about that VPN special offer since we got to know on 12/3 AFTER the coupon/offer had expired on 12/2!!!!!!

  6. Jon
    December 4, 2014 at 10:58 pm

    Just tried lessonslearned from Verizon wireless phone on 4GLTE. I used both the built in browser and Dolphin browser. Both showed X-UIDH.

  7. CJ Cotter
    December 4, 2014 at 6:49 pm

    Well, can't your ISP intercept your electronic traffic back and forth between your computer and the VPN? if so, what good is that?

    • Bruce E
      January 23, 2015 at 1:22 am

      Yes, but once the VPN connection is made, they won't be able to understand what is being passed between you and the server. Their only way to circumvent that would be to set themselves up for a MITM attack by spoofing your VPN server's security certificate which would set off warnings regarding the server identity on your end of the connection. In that case, you would know when they were trying this type of misbehavior.

  8. Bill
    December 4, 2014 at 3:44 pm

    Already have the browser USB key and really like it.
    Hope to get their VPN too.
    Thanks for the opportunity.

  9. Guy Fuller
    December 4, 2014 at 1:27 pm

    There will continue to be an erosion of privacy as governments and greedy corporations vie for control and profits. The lack of trust between people and institutions will worsen.

    For those who seek real privacy, the future is not bright. It's systemic of the world in which we live. Tunneling traffic through a vpn is only a stopgap measure, my guess is, someone already has figured out a way to snoop on encrypted traffic.

    Can you imagine a world where there is no such thing as a "privacy concern"?

  10. Tammy S
    December 4, 2014 at 12:34 pm

    I would love this! Thanks for the chance!

  11. Alfred Chan
    December 4, 2014 at 11:51 am

    Good if could really stay safe. :)

  12. Alfred Chan
    December 4, 2014 at 11:24 am

    Try to stay safe. :)

  13. MSerif
    December 4, 2014 at 10:15 am

    Thanks for the giveaway

  14. Rhea Liza L. Muñoz
    December 4, 2014 at 3:12 am

    hope to win

  15. JB
    December 4, 2014 at 2:02 am

    Not so useful to get Dec 2nd 50% off offer on Dec 3rd ... assuming one wanted to use it

  16. K. C.
    December 3, 2014 at 11:30 pm

    There are a few inaccuracies in the article:

    Port 25 is not used to retrieve mail, but to receive it. Usually it's not even used to send it. Submission ports are either 587 or 465.

    STARTTLS is used for servers that are either old or want to allow unsecure connections as well. Otherwise you would just use SSL/TLS instead.
    Every server that uses STARTTLS is rather a security risk, especially if the administrator allows the client to establish a connection w/o the STARTTLS flag.

    Very easy remedy: don't use STARTTLS.

  17. R
    December 3, 2014 at 10:12 pm

    Good article, but I must say I find it hilarious that I can't enter the contest due to having cookies enabled. Hell, even after disabling ghostery, blur (formerly donottrackme) and adblock, it still won't let me enter....

  18. Sharky
    December 3, 2014 at 8:51 pm

    Verizon Wireless...meaning your cell phone. Open this article on your phone and click on the lessonslearned dot org link in the writeup.

  20. Keith Olson
    November 27, 2014 at 7:54 pm

    One option is to stop using Windows altogether and switch to Tails OS: https://tails.boum.org/about/index.en.html

    (You don't need to delete Windows. As Tails is based on Linux, it will run just fine from a USB stick or CD/DVD, or you can install it alongside Windows and choose which operating system you want at boot time. As an option, you can even have it look and feel like Windows 8!)

    • zachary campos
      December 15, 2014 at 10:15 am

      Tails is really not meant to be a general purpose OS, and if you are using e-mail with your own name attached, it kind of defeats the purpose of using TOR for privacy. For this specific case though, the person is wrong when referring to port 25. port 25 should generally not even be used any more and your ISP filters it for purposes of anti spam. Really port 25 isn't used any more by default with most e-mail clients. I have detailed this in previous post.

  21. Arif034
    November 26, 2014 at 12:41 pm

    I was wondering if using tor browser would save me from their prying eyes??

    • Matthew Hughes
      November 30, 2014 at 4:52 pm

      Tor browser? No. TOR? Yes. Hope that helps!

  22. WinDork
    November 25, 2014 at 12:22 pm

    Very convenient opportunity for some enterprising sort to shill their VPN service.

  23. Matt
    November 24, 2014 at 7:29 pm

    Does this article refer to Verizon or Verizon Wireless? They are two separate companies.

    • Bruce
      December 4, 2014 at 2:03 am

      Apparently it's Verizon Wireless, according to one of the links, but you wouldn't know that from this article, which incorrectly uses the generic name Verizon.

  24. Bob
    November 24, 2014 at 3:03 pm

    The first thing the lessons learned site says is to be sure not on WiFi, but rather on 4LTE, etc. Does this mean that only cell usage is affected by this article and not land lines like FIOS?

  25. Rich
    November 24, 2014 at 2:00 pm

    I am on Verizon and I've checked these sites multiple times now and in the past and it never shows me being tracked.
