Superclick is evil?

I'm on my honeymoon in a hotel in Maui.

In theory the internet costs $15/day here, but due to a deal with Fairmont's "President's Club" I'm getting it for free. Guess I should be more thankful, but I'm not.

A company called "Superclick" provides internet connectivity for the Fairmont Kea Lani (and I just read Marriott and a bunch more have signed on). When you try to use your connection, you'll notice:

1. a lot of redirecting and other weirdness (sometimes with an IP and sometimes with "superclick" in the URL)
2. that every new URL you type ends in "?",
3. and if you look closer, you'll find secret frames around your webpages.

It turns out that Lorna and I both noticed and both got upset about it, so I'm spending a (small) amount of time figuring out how this thing works and what it's after. After all, I'm still on my honeymoon.

If you're running an older browser, I understand you'll get pop-under ads too, but Firefox seems to be mostly taking care of that for me.

I've spent a few minutes sniffing traffic, and Superclick's system appears to work like this:

1. They run a transparent Squid proxy on port 80. (A transparent proxy is one that intercepts every connection on port 80, with no proxy configured in the browser.) You can verify this by connecting to a host that doesn't respond and getting an error page. Mine is a genuine Squid error: "Generated Mon, 08 Jan 2007 11:13:36 GMT by localhost (squid/2.5.STABLE14)"

2. This Squid creates a page that hosts a frame with (a) their page, and (b) the page you requested. Their page looks like this:

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<a href='http://mds.superclick.com/mds/adclick.php?hotelid=1330&bannerid=263&zoneid=62&source=&dest=http%3A%2F%2Fwww.superclick.com' target='_blank'>
<img src='http://mds.superclick.com/mds/adimage.php?filename=1pixel_trans_2.gif&contenttype=gif' width='1' height='1' alt='' title='' border='0'></a>
<div id="beacon_263" style="position: absolute; left: 0px; top: 0px; visibility: hidden;">
<img src='http://mds.superclick.com/mds/adlog.php?hotelid=1330&bannerid=263&clientid=115&zoneid=62&source=&amp;block=0&capping=0&;cb=a6e9a1a491ae0a580b3a1e58db523195' width='0' height='0' alt='' style='width: 0px; height: 0px;'></div></body>
</html>

That is, their page tracks each new page you visit in your browser, beyond what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit also appears to track a "hotel ID" and some other data that identifies you more directly.
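
As an added example (not part of the original post, and not Superclick's code), this Python script parses a page like the one above and lists each tracker request together with the identifiers it carries. The sample input is a shortened, constructed copy of the quoted HTML, and the names find_beacons and squid_version are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

TRACKER_HOSTS = {"mds.superclick.com"}  # the ad host seen in the quoted page

# Constructed sample: a shortened copy of the injected page quoted above.
SAMPLE_FRAME = """<html><body>
<a href='http://mds.superclick.com/mds/adclick.php?hotelid=1330&bannerid=263&zoneid=62' target='_blank'>
<img src='http://mds.superclick.com/mds/adimage.php?filename=1pixel_trans_2.gif' width='1' height='1'></a>
<div id="beacon_263" style="visibility: hidden;">
<img src='http://mds.superclick.com/mds/adlog.php?hotelid=1330&bannerid=263&clientid=115&zoneid=62&cb=a6e9a1a491ae0a580b3a1e58db523195' width='0' height='0'></div>
</body></html>"""
SAMPLE_ERROR = "Generated Mon, 08 Jan 2007 11:13:36 GMT by localhost (squid/2.5.STABLE14)"


class BeaconCollector(HTMLParser):
    """Collects links/images that point at a tracker host or are 0x0 / 1x1 pixels."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if not url:
            return
        parts = urlsplit(url)
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if parts.hostname in TRACKER_HOSTS or tiny:
            params = {k: v[0] for k, v in parse_qs(parts.query).items()}
            self.hits.append({"tag": tag, "host": parts.hostname,
                              "path": parts.path, "tiny": tiny, "params": params})


def find_beacons(html_text):
    """Return every tracker request the page would make, with its query parameters."""
    collector = BeaconCollector()
    collector.feed(html_text)
    return collector.hits


def squid_version(error_page):
    """Extract the Squid version from an error-page footer, or None if absent."""
    m = re.search(r"\(squid/([\w.]+)\)", error_page)
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FRAME):
        print(hit["path"], hit["params"])
    print("proxy:", squid_version(SAMPLE_ERROR))
```

The adlog.php hit is the one that ties a page view to hotelid and clientid; the cb value looks like a cache-buster, so it should differ on each load.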

Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.

It is possible for the tech-savvy to establish a VPN to one's home network to avoid all this nastiness, but it suggests a bad trend - a lack of privacy when browsing, even through connections you're paying for.

Superclick advertises that it "allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network." "Perhaps the most powerful aspect of MDS is that it can be integrated onto any third-party managed network, not just our own proprietary SIMS network," Natale added, "In addition, we have developed MDS Analytics which provides marketers with real-time network performance and usage analysis, thereby enabling them to evaluate the ROI of their marketing efforts."

Nice stuff. Now back to the honeymoon.

13 comments:

  1. Interesting sleuthing but where are the pics of the wedding and such? Or do we have to rely on Lorna-Stereopsis-Matic, (formerly Lornamatic in the maiden days)...?

  2. How did you determine that they were tracking HTTPS URLs? If I understand SSL correctly, it should not be possible for them to get the entire URL when you're using HTTPS.

    They can monitor the host names you connect to by looking at your DNS requests, and they can see the IP addresses your browser connects to, but the URLs (as with all the data you exchange with the HTTPS server) should be completely wrapped in the end-to-end encryption provided by SSL.

    If they're getting the URLs, then that indicates something MUCH more dangerous is possible. It means that they somehow have access to data that should be completely protected by the SSL session. Either they have a "bug" in your browser that intercepts data pre-encryption, or they've somehow tricked you into some kind of man-in-the-middle situation (where instead of your SSL session being with your chosen web host, it's with a Superclick proxy, which in turn establishes an SSL session with your intended server).

  3. Firefox with Adblock Plus extension: just put superclick.com in your filter list -- buh bye, Superclick!

  4. Herf and Lorna,

    Congratulations!! Thanks for the heads up on the lack of privacy in your own hotel room. What's next? Cams in the fire detector?

    Have fun!

  5. Thanks for posting this. I'm currently at the Hyatt Regency Orange County (on business though, left my laptop at home on my honeymoon!) and I was seeing the strange superclick shit too. Good to know about this... this is the last time I'll pay a hotel for internet access.

  6. I am currently in Candlewood Suites in Santa Clara, California. The internet access here is free, however, it is provided by "superclick". It sniffs all http transactions, including all web sites you are accessing, all your logins and passwords entered without https (I am not sure if https protects in this case). This is really an *evil* company which makes the internet connection useless. They may simply ignore the information they are collecting, but I personally feel uncomfortable that someone is explicitly spying, especially when I am accessing my business computer. Yes, they can be blocked if one switches to VPN, but they also invented a penalty - all VPN connections via their "GigaSpeed Internet" (this is written on the RJ45 label) - are VERY SLOW, slower than over the old 14K voice modem!

    "SUPERCLICK Networks Inc. provides high speed internet access for hotel guests and specialty IP services to the hospitality industry."

    By the way, their spy server address is 63.80.152.266, and the company name: Superclick Networks.

    http://strategis.ic.gc.ca/ccc/search/navigate.do?language=eng&portal=1&estblmntNo=234567068426&profile=completeProfile


    Users, BEWARE!

  7. I would agree with the previous comment, I am staying at a Candlewood Suites in Chicago, and the Superclick Proxy (which is really a Logger/Tracker) - intercepts every single website I visit... I installed a linksys travel router modified with dd-wrt and I still get a pop up every few minutes, (notifying me of my room #, and ip address)... and keeps appearing.. and if I try to run certain types of applets (javascript) - they won't load... the only way around this seems to be VPN, but in some cases VPN doesn't seem to work and moves REALLY SLOW!!!

    THIS NEEDS TO BE MADE PUBLIC!!

    -- also Inter Continental Hotels owns Candlewood and most other superclick "free internet" hotels.

  8. I too am on business accessing a "free" internet service that is provided via Superclick. I'm at a Staybridge Suites in Atlanta. This is crap and like others have said, should be made very public. Thanks to those who posted earlier to clear up the risks here. I'll be very careful where I login. I was seeing the same kind of popups even when using my company's VPN. It's amazing how tricky this can be.

  9. I ran into a similar incident while on business travel. I got pretty fed up with it and documented the whole thing on my blog too! Got a few screen shots of what they are up to with the browser if anyone's interested.

    http://michaelcoates.wordpress.com/2008/01/08/hotel-snooping-on-your-browsing-activity

  10. Anonymous, 3:37 PM

    You know it's funny how you guys are ready to insult but don't get the understanding of it.
    Only reason for some of the monitoring is to limit users from ABUSING the network such as downloading or taking up bandwidth so that everyone in the hotel can enjoy it..

    Second of all, I mean you're on your Honeymoon and you want to go to the web?? dude you are a NERD ... go on the beach and get laid with your wife stop going to www.redtube.com :P

  11. This comment has been removed by the author.

  12. Would you let a perfect stranger use your internet connection to commit computer fraud, look at kiddie porn, spam hundreds of people and spread viruses?

    Yeah... I didn't think so.

    Superclick makes hundreds of thousands of dollars in revenue each year. They don't need your banking info, and they couldn't care less about your myspace login password.

    So unless you're into kiddie porn or computer fraud, I wouldn't worry about it too much.

  13. Here is one of Superclick's ads

    If you want to increase the brand awareness and overall profitability of your online business, then you need website traffic. We can provide you with the quality that you need for a fraction of the cost.

    With our high quality pop-unders, your website will be displayed full page for maximum results and will have an instant audience starting within the next 24 hours.

    Using proprietary technology we can deliver thousands of targeted visitors directly to your site each month. Unlike average banners, pop-ups, and pop-under displays, our advertising delivery system presents your site in a full size, fully functional application window. In addition, our advertising is delivered only when users are visiting sites similar in content to your own, meaning visitors we deliver to your site have an interest in the type of product or service you offer.
