

Widespread Hijacking of Search Traffic in the United States - Phoenix26
https://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us

======
daemonize
This says a lot about the ISP's ethics if they are shown to be consenting to
this. One thing I didn't see in the EFF article is something a user could do
about it: use SSL! This may eventually force these companies into more
nefarious and active techniques of hijacking, but it should alleviate the
basic technique they are employing now, if I am not mistaken.

~~~
osivertsson
From the EFF article:

"And the best protection against the privacy and security risks created by
this type of hijacking is to visit sites using HTTPS rather than HTTP, which
can easily be achieved using EFF's HTTPS Everywhere Firefox extension"

~~~
pnathan
My understanding is HTTPS only encrypts the content of the page, not the
actual URL request.

(And it's worth noting that proxies can unwrap HTTPS).

~~~
rwolf
This is something I keep circling around. The host doesn't seem like a thing
you could encrypt, because the intermediaries need to know where to send your
packets. It seems like https encrypts the headers:
<http://stackoverflow.com/questions/187655/are-https-headers-encrypted>
but does this include the Location header?

~~~
paxswill
The HTTP request itself is encrypted, but the IP packet (including the source
and destination IP addresses) is not. SSL/TLS is application level encryption,
and if you wanted to encrypt the actual packet, you need to switch to
something like IPsec, but even then you need some sort of routing method
(which I can't remember).

~~~
count
IPSec can work in many different ways. One of those is to encapsulate the
entire packet as the encrypted payload of a new packet, with the new packet
having headers in plain text leading to the other end of the IPSec tunnel.
That other end will then decrypt and forward as appropriate (this is called a
'tunnel').

------
abraham
Encrypted Search for Google: <https://encrypted.google.com/>

If you use Chrome a quick way to add it as a search engine:
<https://chrome.google.com/webstore/detail/lcncmkcnkcdbbanbjakcencbaoegdjlp>

