Hacker News
Ruin My Search History (ruinmysearchhistory.com)
333 points by gadtfly on June 9, 2016 | 199 comments

Spoiler alert! From the base64 encoded array in the source:

['how to appear funny', 'why are my thumbs uneven', 'am i lack toast and tolerant', 'your youre difference', 'why doesnt my poo float', 'midget google images', 'tall midgets??', 'homemade lube?', 'i hate my boss', 'what counts as fat', 'how to tell partner they fat', 'is it normal to still love my ex', 'how to get back with ex', 'penis remove dog how to', 'romantic ways to propose', 'engagement rings', 'sex shop in my city', 'how to tell if partner cheating', 'ways to kill someone hypothetically', 'undetectable poisons', 'how to delete search history in browser', 'ashley madison hack', 'view ashley madison list', 'ashley madison list my city', 'paternity test', 'mail order paternity test', 'attracted to mother why', 'is incest illegal in this country', 'latest laws incest', 'seduction guide', 'rohypnol safe dosage', 'smelly penis cure urgent', 'common STIs', 'STI test in my city', 'average penis size this country', 'do penis pumps work', 'best budget penis pumps', 'does liking men mean im gay', 'signs of being gay', 'how to come out as gay to dad', 'age of consent here', 'why is age of consent so old here', 'country low age of consent', 'flights philippines', 'isis application form', 'how to join isis', 'cheap syria flights from here', 'syria hotels with pool', 'bing', 'donald trump', 'OH COME ON DONT JUST COPY AND PASTE THE LIST FROM THE ARRAY YOU CHEEKY SCAMP']"

How to reverse the damages:

1) Go to https://history.google.com/history/

2) Select the offending searches

3) Click delete on the top right (then click delete again)

Better yet, delete the entire search history and turn it off.

Not only that, you are being tracked in many other places. See the "Show more controls":

> https://www.google.com/settings/accounthistory

I have a handy page I knocked up that I use periodically to minimise my Google footprint:


I thought I'd been careful with the settings but I think at some point I must have missed something, fucking android, last google phone I buy full stop.

You could've bought another phone instead of posting.

Why don't people just visit in incognito mode in the first place?

Because that's annoying, history is useful sometimes, and logging in multiple times to multiple sites is a chore.

Edit: grammar

Not visit all sites in incognito. Visit this specific site in incognito, since it has "Ruin my history" in the title.

It depends. I have multiple windows (incognito and normal) containing many tabs. It takes copying the URL, Alt+Tab, Ctrl+V, Enter.

History is important, but the site is called "ruinmysearchhistory.com". I visit websites I know with my normal window, the rest is mostly in incognito and if it's something I want to remember, I'll make sure to include it (i.e: visit it in normal mode, Evernote, Bookmarks, email to myself, etc).

You could just 'Right Click->Open in Incognito' instead of manually copying the URL, at least in Chrome.

Firefox and Pale Moon both have "Open Link in New Private Window".

IE has some kind of private browsing option as well, but I don't know what would be the equivalent way to invoke it.

I do that when I'm already in incognito mode, not in normal mode because I don't know where the tab will be open (I have multiple incognito windows and I like to know where each tab is/will be).

I google things I don't want in my history in incognito mode. The question is: does it prevent being tracked by Google?

I do that too but I'm pretty sure my browser and my ISP send enough information to Google to perfectly identify me.

Even better yet, don't keep a logged-in session for these tracking-giants. I only ever log onto gmail in an incognito window (and if I had Facebook, same there). On my mobile device it's a different story, so even more better yet, also turn the search-history off (you're using DDG anyway, right ^_^)

There are bigger problems and ones which put people at serious risk when forensics investigators don't know how fragile the search history implementation really is:


You'll note in the search history that the referrer is still there so from a forensics perspective it's known the history was populated via CSRF. That can be bypassed. Google has indicated they aren't going to fix the problem.

I'm pretty sure Google won't actually delete any of them from their internal profile of you though.

They actually do delete.

How do you know this for a fact?

If the roles were reversed would you delete? Or would you just lie and say you did?

(Tedious disclaimer: my opinion only, not speaking for anybody else. I'm an SRE at Google.)

I can happily endorse the company's public statements on this subject: personal data will be deleted within the timeframes specified (for obvious technical and that's-a-bad-idea reasons, it's not instant). Part of SRE's function is to arrange for SLAs to be met, including deletion SLAs.

From any data warehouse as well?

It is fully deleted.

Does the data get sent anywhere else before it gets deleted?

Yes. The only way to delete things at scale is to ship them over the network to a dedicated cluster of machines running a proprietary fork of /dev/null. Google has invested man decades into this system and holds numerous patents on the design.

Why wouldn't they just use MongoDB? It's already web-scale.

Don't worry, the NSA keeps a copy for you just in case.

Dropbox's #1 Competitor

Backhaul as a Service

What's an SRE?

"Site Reliability Engineer", I think.

What matters much more than whether Google deletes is whether some other group has access to and stores that data before Google deletes it. Almost assuredly the answer is yes. Search history is a tremendously powerful tool and insightful data point for anyone. There's no way government groups aren't using it. It takes up almost no room for storage, either.

> Almost assuredly the answer is yes.

[citation required]. Google goes through great lengths to make sure that's not the case, both technically and with legal defense against overreaching subpoenas.

> "Search history is a tremendously powerful tool and insightful data point for anyone."

Can confirm. Near the end of internships I use my browser history, and mostly the search history contained in that, to figure out what I've done so I don't forget anything in the report. It's a near perfect way to tell what I've been up to any day.

If I were representing a big, well known company with lots of money to give out in settlements, I'd be much more likely not to say anything than to bother lying.

That's not universal. When a company screws up, an individual rarely goes down for it. The impact of the crime is often absorbed by many people (or no one).

If I were in charge of a publicly traded company I most definitely wouldn't want a scandal like that lurking beneath the surface. It would absolutely leak.

The existence of classified programs that remain classified and unknown for years is evidence against this oft-used argument.

The only reason you know of the existence of these programs is because they leaked...

Which would almost certainly imply there exist programs that have never leaked...

ie, datasets that are maintained and properly encrypted in a 'CEUE' (Create Encrypt, Update, Encrypt) app.

No they don't. They just don't show it to you. They hide your search list, but it's still included in your Google profile.

By now, they probably filter the array from the history.

I was very pleased to find that, at some point in the past, I saved myself from this situation. When I completed step 1, I was greeted by a nice blank list. I clicked over to my settings and found the following good news:

>Your searches and browsing activity (paused)

Do people actually use Google Search while being logged-in in Google?

Absolutely! The saved search history is incredibly useful for shaping and filtering search results to make them more targeted and helpful. I also see more relevant adverts, and less generic ones, which makes them much less annoying. People of a certain technical mindset have a knee-jerk "Privacy! Surveillance! Evil!" response, tuned to the worst possible world type of scenario, where the rest of the Internet is populated entirely by malicious bad actors, seeking to harm users. The reality is much more nuanced: most of the rest of the Internet neither knows nor cares about you; the majority of the rest are trying to provide useful services to improve their users' lives, sometimes trying to make money by doing this; a minority are bad, either trying to steal from or scam you.

In terms of Google search, the fact it retains context is actually useful most of the time, and the edge cases where it is harmful are easily avoided by countermeasures like logging out, using DuckDuckGo, installing Tor or switching to incognito mode.

> tuned to the worst possible world type of scenario,

With the possibility of a racist American president looming, search results which could signal one's ethnicity become a valid concern.

> the majority of the rest are trying to provide useful services to improve their users' lives

And if the ads or results on subjects you're interested in just happen to take a line against what you personally believe on the subject, and instead happen to tout an agenda that benefits the (right-wing/capitalist/US-centric) corporate or political interests of Google and FB and the like, is it still just about improving your life?

> The saved search history is incredibly useful for shaping and filtering search results to make them more targeted and helpful.

Google gets my approx location from my IP whether I like it or not, which is really all the targeted results I need.

What else is there? There is so little remaining of the actual web search engine that Google used to be 10-15 years ago, I only ever use it for the typical "local" queries that indeed benefit from knowing what city I'm in.

All the other stuff I need to find on the web, if I were to trust Google it might as well not exist. It used to be that any keyword-combination you could imagine that would (reasonably) appear on some website somewhere, would get you that website, some others and a bunch of spam. Google was good at sorting the spam downwards, but if you wanted, you could browse it (then about 10 years ago they limited this to max 1000 results even if they reported millions).

Today, you get nothing. You get a bunch of results that vaguely match the topic of your keywords. Your search keywords that happen to appear are bolded, but that's just a visual effect now, suggesting they tried looking for all your keywords and this was just the best they could find. Except bullshit because I remember the old web, it was smaller, but it was still incomprehensibly gigantic, and already everything was there, and Google could find it under half a second, with their old tech. (where did all the web go?)

So let's be honest, they're not really looking. It's like an annoying salesman, you enter a shop, ask for a specific thing (which they may or may not have), and the salesman tries to convince you that the thing they want to sell you is the thing you were really looking for.

This is what your "targeted" "suggestions" are doing to you. They're targeted to suggest you that you want that something which they want to show you.

Which is, admittedly, all sorts of useful for "local" searches, which is truly the only thing I use Google "web" search for nowadays. Otherwise it's DuckDuckGo which can send me straight to the websearch that has my answer (discogs, wikipedia, various image search engines..). It's not as good as Google used to be (although back then I had my own tools for the meta searches), but it's also not worse than what Google is now.

Oh, and I didn't even touch on the part where you said that better targeted relevant ads are less annoying. The idea that ads can be "relevant" comes from the ad networks, but there's no such thing. If it was relevant it'd be a search result. If it requires payment to appear between your results, then either it is less relevant than its paid position would suggest (at the cost of another, by definition more relevant, result), or it actually is relevant and the fact that you saw it only because it was paid for means the engine is not actually doing every simple thing to show you the most relevant results, but actively hiding some. Sure this is a business model, what gets me about it is that Google one day used to be so much better than this and used that credit to build something trashy like this. If they were a new search engine nobody would give it a second look.

Of course. Most people aren't going to logout of Gmail when they want to do a Google search.

Who ever logs out?

Me since I rarely log in in the first place.

I only googlog in to my association's "shared account" and log out straight away.

Also I mainly use DuckDuckGo and bang !g only when needed.

Privacy actually matters to me...

DDG is great! I've been using it for almost six months straight now! I'm glad we're not contributing to the monoculture! Keep it up!

I don't, but frankly Google isn't in my cookie whitelist so their cookies never get stored beyond using a Google service (like YouTube or, uh, I actually don't think I use another Google service).

Why do you even login?

Gmail? Google Apps for Business? Youtube? Google Analytics?

For YouTube you don't need to log in; the rest I don't use.

And YouTube is actually better when you're not logged in, because ironically the suggestions are better. Logged out you get to see the sidebar with videos related to the current video you're watching (which makes sense), logged in you get a sidebar filled with "suggestions" of shit that have nothing to do with what you're looking at, instead some vague mix of topics you watched last week.

It can even become rather offensive, IMHO.

I don't always watch videos because I agree with the uploader or audience. I can watch a racist dude rant because it fascinates me, to laugh at them, or because I wanted a reminder that such people actually exist. When the (not logged-in) sidebar with related videos then is filled with more racist trash, I'm like "fine, makes sense. related videos. okay. not clicking, but there they are".

Another time I had been watching videos on my Android phone (afaik the YouTube app doesn't let you be not logged-in) on a subject related to feminism. I don't use the app that often and I can't recall what the clips had been about (but probably nothing very umm "high brow"). So, the next week I open the YouTube app, find a whole bunch of "suggested" videos about apparently people calling radio shows and "guy tells those feminists what's what!" or "this guy's reaction puts feminist in place!" trash. If it had been "related" to a video I had just watched, I'd be like "fine, makes sense". But in this case, whatever I did was a week ago and apparently made Google believe these are my interests. Notice how that's a bit more personal? "related to current video" versus "related to this guy's interests". So I'm really offended and think "fuck you and mind your own business". If your algorithm is that stupid, maybe you just shouldn't use it and don't even for a moment pretend that your prejudiced joke of a "profile" is of me and I don't want to be associated with it. Ugh.

Umm, yes?

"Bing" - the most embarrassing of them all. Watching it run is like holding a burning match and not letting go.

I live in the UK so I expect the police to knock tomorrow.

It could be a lot worse. A nasty malicious attack would do searches for making a bomb, joining ISIS, piloting a 747, bypassing airport security, etc. In this day and age, this is a guaranteed full body search and a registration on the no fly list next time you want to fly to see your family for Christmas.

The one about joining ISIS is in there.

It's not JUST that, though -- it also modifies "my city" and "this country" to be your location, too!

It didn’t for me. I’m in SF. I ran this in a Safari private browsing window.

Did you block "ip-api.com"? Via hosts or some ad blocker?

Oh — probably something like that, yeah. I have uBlock installed in Safari.

Nice fallback (to just “my city”). It gets the intent across just fine, third-party failure (or client-side blocking) be damned :)

The decoded code:

> http://pastebin.com/jWT37M2D

For those wondering how this works (I'm not too good with webdev and thought a site can't just open another tab and control it remotely):

The code driving this is at: http://ruinmysearchhistory.com/ruin.js?1

It uses window.open to run the search:

    window.open('https://www.google.com/search?q='+ encodeURI(ruinSearchQuery),'ruinmysearchhistory');

But the second parameter will set a name to the newly open tab. Calling window.open with the same name again will reuse the existing tab:


So it doesn't actually control the google site but keeps reloading it with new search urls. This may be obvious to everybody, but it did confuse me a little.
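A defensive counterpart to the named-tab reuse described above, as an added example that is not part of the original comment or of the site's ruin.js: a wrapper that limits how often a script may re-drive the same named window. `guardWindowOpen`, its options and the stubbed `open` in `demo` are hypothetical names, and the queries are constructed placeholders.

```javascript
// Added example (not from ruin.js). The reuse trick depends on passing the
// same author-chosen name as the second argument of window.open every time,
// so the guard counts navigations per name inside a sliding time window.
function guardWindowOpen(realOpen, options = {}) {
  const maxPerName = options.maxPerName ?? 2;     // navigations allowed per name
  const windowMs = options.windowMs ?? 10000;     // ...within this many ms
  const now = options.now ?? (() => Date.now());  // injectable clock for testing
  const history = new Map();                      // name -> recent timestamps
  const blocked = [];                             // audit trail of refused calls

  function guardedOpen(url, target, features) {
    const name = target == null ? '' : String(target);
    // Names starting with "_" are reserved keywords (_blank, _self, ...) and an
    // empty name opens a fresh window; only author-defined names can be used to
    // keep reloading one existing tab, so only those are rate limited.
    const reusable = name !== '' && !name.startsWith('_');
    if (!reusable) return realOpen(url, target, features);

    const t = now();
    const recent = (history.get(name) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= maxPerName) {
      blocked.push({ url: String(url), target: name, at: t });
      history.set(name, recent);
      return null; // the value window.open gives when a popup is refused
    }
    recent.push(t);
    history.set(name, recent);
    return realOpen(url, target, features);
  }

  guardedOpen.blocked = blocked;
  return guardedOpen;
}

// Constructed demo: replays the call pattern from the comment (same target
// name, different query each second) against a stub instead of a browser.
function demo() {
  const opened = [];
  let clock = 0;
  const stubOpen = (url, target) => { opened.push({ url, target }); return {}; };
  const open = guardWindowOpen(stubOpen, {
    maxPerName: 2, windowMs: 10000, now: () => clock,
  });

  const queries = ['constructed query 1', 'constructed query 2',
                   'constructed query 3', 'constructed query 4'];
  for (const q of queries) {
    open('https://www.google.com/search?q=' + encodeURIComponent(q),
         'ruinmysearchhistory');
    clock += 1000;
  }
  open('https://example.com/help', '_blank'); // keyword target: passed through
  clock += 20000;                             // sliding window has expired
  open('https://www.google.com/search?q=later', 'ruinmysearchhistory');

  return { opened: opened.length, blocked: open.blocked.length };
}
```

In a browser the wrapper would be installed as `window.open = guardWindowOpen(window.open.bind(window))` from code that runs in the page's own JavaScript context before the page's scripts do.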

Related: https://www.reddit.com/r/AmazonWTF/ (NSFW!!)

I've heard people complain after being subscribed to that subreddit that Amazon's relevance engine becomes unusable for them (and while unsaid, I imagine they can't browse Amazon with anyone else at their computer).

OP, take note. :P

I had a weird one yesterday. I went to the New York Times using private browsing and read a single article in the relationship section (something about wedding speeches) and then noticed that the next page I went to 90% of the recommended articles were engagement announcements.

I guess things are hard when you only have a single data-point to base recommendations off.

Very true. The difficult problem in this case is that it's impossible to serve anything else, even though there are various techniques out there that still identify you when using private browsing (such as canvas fingerprinting - https://securehomes.esat.kuleuven.be/~gacar/persistent/index...): even if they're using such techniques under the hood (and that study, apparently from 2014, says 5.5% of top 100k sites were using it), they can't use it for recommendations, for obvious reasons (browser vendors would get eaten alive, private browsing would be overhauled, this technique would no longer work, everyone goes home sad).

I always find it amusing when you sign up for a service, and then for the next little while, half the ads you see are for that service. "Uh... but I've already signed up..."

It's especially hilarious when you see ads for something while you're using it.

So they got the retargeting part right, but forgot to add a second tracking code for those who signed up. "Woops"

I got ads for a mouse (similar model) after it was bought.

I think I learned in my marketing course that we (statistically) tend to look out for ads for things we have bought after the purchase.

The reason is hypothesised to be because our brain is actively seeking confirmation of previous decisions.

That said, your case most definitely was because of indiscriminate retargeting. Also I guess the effect I mentioned is more visible for bigger purchases : )

Ha, they've actually put in a rule to link to an image rather than the listing to stop this from happening.

I laughed so hard, that co-workers started staring at me. Had to abort before anyone looked. I think I will hide this like a LMGTFY link and slack it.

Reddit has kind of a cool discussion about it there: https://www.reddit.com/r/InternetIsBeautiful/comments/4nc763...

    Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?

    IP address: *
    Time: 2016-06-10T00:07:58Z
    URL: https://www.google.com/search?q=donald%20trump

It appears Google is not too happy with Donald Trump.

That happens when your IP spams Google with too many queries too quickly.

It also occurs if you continually tweak a single search term, for example adding more and more exclusions to try to bypass Google's 'suggestions'. I encounter it about once a month.

Yeah, I get it a couple of times a week when I try to search for old technical stuff, where google constantly reformulates my search and includes what it thinks are synonyms.

Google has some kind of "verbatim mode" which usually works better for technical stuff. (Search tools -> All results –> Verbatim)

Yup, putting things in "quotes."

Nowadays verbatim mode may be synonymous with quotes, but it wasn't always. Google totally nuked its verbatim search... just try searching for some command line option flag, e.g. "vagrant --debug" or something even more esoteric and watch it fail.

Yeah. I suspect that in this particular example it's getting confused by the dashes, which it interprets as an ignore flag. Very silly...

I've actually found that other search engines are actually better at technical searches than Google is nowadays: once, I was trying to search for Ketmax, a disassembler for DOS that could step both forward and backward in code. It was neat. But I couldn't find it.

No, Google, I don't want drugs; I don't want bikes; and I'm not Vietnamese (?!).

Trying a bunch of alternate search engines in rapid succession, ixquick quickly found a bunch of old FTP server index references: I forgot the "35.zip" on the end, and, in fact, just appending "35" was enough for Google to find it. (I'm not writing the concatenated string here so that I don't alter Google's index of the word.)

The Internet has gotten so big in recent years, and become completely overrun with useless information in triplicate; I can't help but wonder if it's forced Google search to take a more generalized approach to the way they sort and index information, with some loss of precision, in order to deal with the volume of fluff.

I was playing around with syllables a few months ago and discovered that the word "exikyut" appeared to be completely unindexed (except for a couple of junk "letter combination" sites), so I used it to make a few accounts. Then Google suddenly turned up a tweet from 2011 where someone had used my "new" username in conversation years prior. That was weird, being told it didn't exist then being told it did...

So yeah, Google's index is very imprecise. Great at sending you to StackOverflow for 1st year JavaScript questions, but nothing like Code Search used to be.

I also used to encounter it while using TOR. Not sure if it's still an issue however, as I try to refrain from direct use of Google.

This search didn't match the rest of your user-profile, so they wanted to confirm that was you and you should be on a special list ;)

They call that a DDoT.

I know it's Google's way of preventing robotic searches but still, I wouldn't be shocked if in the future it's discovered that Google was anti-Trump in a way.

Run this and you will be profiled by the NSA as a hapless geek HN reader.

It's on the frontpage of reddit too now - I wonder what NSA list that would make...

Mission accomplished?



TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with Firefox and Chrome browsers and popular search engines (AOL, Yahoo!, Google, and Bing) and requires no 3rd-party servers or services.

If you create a form to submit new searches I will definitively help you (Cómo votar a Trump si eres mexicano)

¿Cómo votar por Trump si eres mexicano?

You are indeed correct.

a is Spanish Spanish

por is Mexican Spanish

I'm rusty but, como votar por Trump si __seas__ Mexicano? Or is the eres Mexican, too?

If you are indeed Mexican, the subjunctive shouldn’t apply anymore, as there is no doubt/speculation/hope involved. (Caveat: Non-native and also a bit rusty)

What you mean is "si fueras mexicano". "si seas" is just wrong.

"fueras/fueses" would be the right verb form, but that would be equivalent to "How to vote for Trump if you WERE Mexican" as opposed to "How to vote for Trump if you ARE Mexican".

Buy yourself a non-voting American. I'm sure there's a few left.

*I’m sure there are a few left

(Since we're apparently debating grammar in this sub-thread)

I should really start a website that lets people bid for each other's votes online.

I believe you'd make a killing, but I'm not sure it would be legal (and if so, I'm pretty sure they'll put a stop to it asap).

Vote buying and selling is election fraud per 18 U.S. Code § 597 [1]. In fact, it's not even legal to make the offer, in either direction:

"Whoever makes or offers to make an expenditure to any person, either to vote or withhold his vote, or to vote for or against any candidate; and

Whoever solicits, accepts, or receives any such expenditure in consideration of his vote or the withholding of his vote—

Shall be fined under this title or imprisoned not more than one year, or both; and if the violation was willful, shall be fined under this title or imprisoned not more than two years, or both."

[1] https://www.law.cornell.edu/uscode/text/18/597

I almost fell off my chair. They should come up with a way to contribute to this list

Somewhat related is the UTM Mangler; a browser extension that auto-replaces UTM campaign parameters with more interesting alternatives: https://chrome.google.com/webstore/detail/utm-mangler/ngddln... (source code: https://github.com/huntwelch/UTM-Mangler)

This thread makes me really happy for my recent installation of NoScript.

Most of these searches look like my regular browse history

Well, I'm probably on a list now. Thanks for that.

Everyone is on some kind of list. That's the beauty of automated mass surveillance.

We are all on multiple lists...

Now we've just been added to another list of people that know they're on lists.

You already were in a list.

I so badly want to extend this. I want more terrible searches!

Just scrape keywords off 4chan and some deep web sites. Cops knocking on your door in no time.

Use incognito window to see what this is going to do

That protects your saved history but doesn't help with anyone monitoring your searches, like corporate or political overlords.

Send your boss the link in an email hiding the address.

Problem solved.

Well the https should protect them from the government.

Incognito doesn't do anything as far as Google or your ISP is concerned though.

Looking at the search terms above, I wouldn't want to run this from any IP that was traceable to me.

Next step is a chrome plugin that randomly searches for stuff in the background.

Privacy through noise? through obfuscation? I need a word for this

They should have left out the gay stuff. Might have potential to stir up a heterosexual relationship, but makes it look like it's a bad thing on its own.

Or when you consider that most people in a relationship are in a heterosexual relationship, you target a lot of people.

This is super irresponsible to have on HN. Not funny. Especially for people who live in despot countries. Not sure if the USA counts quite yet.

Well the queries to google use https, so ISPs and government monitors shouldn't be able to see the queries. If you have malware on your computer, or if Google is giving your search history out to despot countries (I don't think they are), you might be worried.

Google doesn't do certificate pinning with HPKP. So nothing stopping a despot country from using certs signed by a valid CA. And of course there are compromised CAs. The US is just smart enough not to do this for mass collection, otherwise they'll get caught.

It seems that Google does public key pinning, but possibly only through preloaded lists in browsers such as Chrome and Firefox. This blog post mentions them catching a bogus google.com cert from a trusted root


This says Google does use HPKP, but I don't see headers myself. https://calomel.org/http_public_key_pinning_hpkp.html

Interesting. A search in chrome://net-internals/#hsts for Google does indeed show the public key pinning. I guess they do own Chrome and could get their public key hashes baked into other browsers too.

Are you hiring to come up with the crazy in this list? I would like to apply.

"ways to kill someone hypothetically" oh oh cops knocking anytime now...

Kind of glad I used the Tor Browser Bundle for this, pretty funny though.

Please mark the post NSFW

Will check this out next time I'm in an Apple Store...

This screwed me up. I gave the 5 second attention and I thought it was doing the opposite (i.e. flood with SFW links and sanitize my search).

Just got a letter from my supervisor. Had no idea it would 'ruin' my search with perverted garbage. Thanks for that.

After the 7th or the 8th query, Google's captcha kicked in, asking me to prove my humanity before continuing.

Game Theory: If enough people click this, does Google stop showing stupid ads to everyone eventually?

Would Google be forced to pay less per click, disincentivizing advertisers? I'm not sure.

No, but the ads will be more funny and ad payment disbursement more distributed.

In the reverse, it could fire the backup mechanism and start showing very generic ads.

Some of these ISIS searches make me slightly concerned ... but other than that, not bad.

Now do this for facebook profiles

From the title, I guessed this would be some attempt to spoil or camouflage the profile that google keeps on each user, thus decreasing the value of profiles, thus fighting back.

While I expected the attempt to be flawed, according to mmastrac's analysis, this is a joke. (And a pretty 'meh' one, at that!)

There's an actual thing that does this:


OK isn't this dangerous though? I don't want to get on any lists.

Warning: people should know this is NSFW for anyone with a company that monitors your web usage.

I also wouldn't run this from an authoritarian country where local officials may not appreciate the joke.

Do companies really MITM SSL traffic in order to watch employees' surfing habits?

You bet they do! In the past I have had to manually install my company's certificates as a root CA. The annoying thing was that the certs they use are expired and use SHA-1, so I also had to explicitly tell my browser to trust expired/unsafe certificates as well. All in the name of increased security!

I would quit a job like that, unless there were seriously profound reasons for such a grotesque invasion.

1. There are proper ways to restrict activity without resorting to eavesdropping.

2. If they don't trust you enough to be responsible and use good judgement, you're probably stuck in a dead-end situation anyway.

3. In the more rare scenarios, where you might be operating life-saving or life-threatening equipment, or handling the salaries of many people, and dealing with monetary quantities in the many millions of dollars, guess what? You probably shouldn't be using an ordinary computer, with a web browser connected to the internet to perform those sorts of tasks, within the same operating system environment as ordinary web surfing to begin with.

Some companies in highly regulated industries intercept, and inspect all traffic purely because it's easier. Though if this raised a flag, and you showed them what link you clicked, any sane IT department would laugh and start sending the link to their friends.

Other companies (tech companies, even) engage in ridiculous behavior like timing the minutes of your bathroom breaks, and so forth.

Call centers, data entry, tier one support.

Yep, IronPort is one product, but our network guys have been saying something about it being built into the latest Cisco series 6 routers?

That's the enterprise life

Are there really people that believe there's a possibility that they don't?

I'm no security expert, but I was under the impression that HSTS pinning would make that hard to do, especially on sites like google.com.

And I can't quite parse your sentence to know if you're implying that all companies do... (or just that I shouldn't be so naive as to assume none are), but I can see the cert chain for google.com in my browser at ${big_company} and it doesn't seem like I'm being MITM'd.

You have conflated two technologies - Strict Transport Security, which is a header that tells the browser to stick to TLS connections only. If your admin has deployed a CA that your browser trusts and uses a cert from that CA to MITM your traffic, they will have no problems doing so ;)

Certificate pinning, on the other hand, allows a client to refuse to connect to a TLS service that fails to present the correct certificate. This is generally a win, however it still doesn't give you what you want.

Firefox and Chromium (including Chrome) browsers will only validate certificate pins if the presented certificate is a public trust anchor (in other words, the certificates deployed by the operating system). If the certificate chains to a private trust anchor (a certificate installed by your admin), Firefox and Chromium based browsers will smile, wink, and play along.

So, yes, in theory these technologies could protect you, but the vendors that implemented Public Key Pinning opted to support the enterprise use case instead of protecting users.

And not just enterprise use cases. I personally MITM my own https traffic sometimes to see what is going on.

It relies on HTTPS, which relies on certificates telling the browser that the website is what it claims to be, which relies on a list of trusted root CA certificates installed on your computer, which the company controls. Most companies will install a trusted root CA cert that is themselves onto employee computers (otherwise you'll get SSL errors when accessing internal HTTPS pages since they're not signed with those public root CAs).

My understanding is that, yes, this would be caught by pinning, which is why Chromium disables pinning for "private" root certificates, which is what it considers the ones that your employer has set up on your computer: http://www.chromium.org/Home/chromium-security/security-faq#...

Rule of thumb: if an adversary has physical access to your computer, treat it as compromised.

Okay? I'm very familiar with that principle, but I don't understand how to take that statement and apply it to the situation at hand. No one has ever operated this computer except me (though I did enroll the corp wifi certs).

So again, how could I be MITM'd without being aware of it, given HSTS?

Yes, someone could have snuck in a hacked copy of Chrome Canary that exposes phony cert chain information... but that's not what we were talking about, and I don't think most IT departments have the sophistication required to pull that off.

If you enrolled the wifi certs into your system certificate store, certificates signed by them ignore HSTS, for exactly this use case.

I can't find any information about this. Can you point me at some additional information? Thank you in advance!

Here's a good write-up on how to see if your company is listening in on your encrypted web traffic:


(Note: MITM is just one way companies monitor employees, but by no means the only way. If your company provided your work computer to you, or if they installed anything on your BYOD computer, I would treat everything you do on that computer as cc'ed to your boss by default.)

I mean, that's how I MITM SSL traffic on a daily basis to do development.

None of that speaks to HSTS/Pinning... which is the feature meant to protect against this sort of thing. I'm specifically asking about how a company can bypass HSTS/Pinning without modifying my local browser.

Everything I'm reading indicates that's not possible.


>Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

That last sentence is key. From Wikipedia: some browsers "disable pinning for certificate chains with private root certificates to enable various corporate content inspection scanners and web debugging tools. The RFC 7469 standard also recommends disabling pinning violation reports for such certificate chains."
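The rule quoted above, worked through as an added example that is not part of the thread: a small Python model of how a browser following that rule decides whether to connect. The host name, SPKI labels and trust-store contents are constructed for illustration, and the no-click-through failure for HSTS hosts follows RFC 6797.

```python
# Model of the pinning/HSTS decision discussed in the thread.
# All hosts, key labels and trust-store contents below are constructed.
from dataclasses import dataclass

BUILT_IN_ROOTS = {"spki:public-root-A", "spki:public-root-B"}  # shipped with browser/OS
USER_ROOTS = {"spki:corp-inspection-root"}                      # installed by admin/user

# Pins the browser holds for a host (preloaded or learned).
PINS = {"mail.example": {"spki:public-root-A"}}
HSTS_HOSTS = {"mail.example"}


@dataclass
class Verdict:
    connect: bool
    reason: str
    user_can_override: bool = False


def evaluate(host, chain):
    """chain: SPKI labels from leaf to root of the validated certificate chain."""
    root = chain[-1]
    if root not in BUILT_IN_ROOTS | USER_ROOTS:
        # HSTS only adds this: a certificate error becomes a hard failure.
        return Verdict(False, "untrusted root", user_can_override=host not in HSTS_HOSTS)
    pins = PINS.get(host)
    if pins is None:
        return Verdict(True, "trusted chain, host not pinned")
    if root in USER_ROOTS:
        # Chain ends at a locally installed anchor: pin validation is skipped.
        return Verdict(True, "pin check skipped: user-defined trust anchor")
    if pins & set(chain):
        return Verdict(True, "pin matched")
    return Verdict(False, "pin mismatch")


SCENARIOS = {
    "genuine": ["spki:leaf-1", "spki:public-root-A"],
    "other public CA": ["spki:leaf-2", "spki:public-root-B"],
    "corporate proxy": ["spki:leaf-3", "spki:corp-inspection-root"],
    "self-signed": ["spki:leaf-4", "spki:unknown-root"],
}

if __name__ == "__main__":
    for name, chain in SCENARIOS.items():
        print(f"{name:16} -> {evaluate('mail.example', chain)}")
```

The "corporate proxy" row is the case the thread is about: the only visible sign is the issuer shown in the browser's certificate viewer, so checking that issuer and the list of locally installed roots is what reveals the interception.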

Perfect! This is the missing link! Thank you for helping me understand.

What does that have to do with wifi certificates?

If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store. IE and Chrome check that for CAs, Firefox will soon (https://bugzilla.mozilla.org/show_bug.cgi?id=1265113)

(all this for Windows, I believe the same is true for OS X, Linux depends on your specific setup)

> If you add CA certificates for the Wifi they probably (I'm not sure if you can tell it manually to not do that) are added to the system-wide trust store.

Internet Properties -> Content -> Certificates -> Advanced

You're fine. It's people using company computers that are being monitored.


Recently did an on-site pentest at a place that does this (a municipality in the Netherlands). First thing I did was go to https://torproject.org but of course that was blocked. Eventually I found a third party site that offered old versions and via an obfs proxy and bridge node I could get on the Internet uncensored (lots of sites were blocked).

So yup this happens. Is it effective though? No, this took me 15 minutes and I wasn't even an employee with months if not years of time on their hands.

I am aware of at least one lawsuit against an employee in which the firm has used a Google query an employee made as evidence.

Sounds like it. Our university web security lab was testing this.

The search term is in the url.

Which is still not normally visible to an outsider in an HTTPS request... (other than the cases we're discussing in the sub-thread where the company has installed a root CA and is seeing all of the traffic anyway).

HTTPS protects everything but the domain name. If you're not using SNI it might protect the domain too.

> people should know this is NSFW for anyone with a company that monitors your web usage

All the more reason to do it IMHO :)

NSFW? It's simply NS

Maybe I am wrong, but doesn't Google encrypt at source (especially if you are logged in, using ssl enabled, or have some security features enabled). This should go through as regular search then.

Great idea, I'll let this run all day long.

I'm 'ruined'!


laughed really hard :)

Why vote this crap up?

This is beautiful.


Such disrupt. So convergent. Wow.

Got a really good LOL out of this. I wish HN had a little more humor, not Reddit levels, just a wee bit more.
