Tool Detects "In-Flight" Webpage Alterations

TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."

Should just block all ads, but...

[nokilli]

If that isn't desirable, do a patch to Apache that creates a header that holds a hash of the content.
The hash gets calculated once for static content, which is usually the bulk of the traffic, no? So
not too big of a hit.

Browser sees content. Browser sees hash. Browser compares the two...

--
Censored by Technorati and now, Blogger too!

Re:Should just block all ads, but...

[Bigby]

What if the ISP, having the server's (Apache HTTPD) code, recomputes the hash in the same manner.

Browser sees content. Browser sees hash. Browser compares the two...gets an OK.

Re:Should just block all ads, but...

[ericlondaits]

But the ISP would just need to alter the header with the new hash for the adulterated page (which he can calculate as easily as the browser can). Also, this is no good for Ajax...

Re:Should just block all ads, but...

[nokilli]

Ah, but I thought of this. We expressly disallow ISP's from doing this! :)

Actually... the hash would have to take the form of a signature, wouldn't it. The site would
need to publish its public key in a well-known location, like the root, a la robots.txt.
-
Censored by Technorati and now, Blogger too!

Re:Should just block all ads, but...

[nokilli]

Why no good for Ajax? Whether it's xml or json, it's still content, and there are still headers, no?

--
Censored by Technorati and now, Blogger too!

Re:Should just block all ads, but...

[mdm-adph]

Couldn't the ISP just edit the contents of this well-known location you're looking for when you request it, however?

Re:Should just block all ads, but...

[J'raxis]

Not just a hash, but a message digest.

Re:Should just block all ads, but...

[nokilli]

Not if you put a hash in a header... ermm....

Hey man, I was just trying to get first post, ya know? How the fuck am I supposed to fix this shit in the fifty seconds I had to write this shit down.

Re:Should just block all ads, but...

[ArsenneLupin]

Couldn't the ISP just edit the contents of this well-known location you're looking for when you request it, however? Maybe have it signed by a well-known certification authority, à la SSL?

Ok, but then you may ask, why not use SSL as it is? Answer: much less overhead (only one static file would need to be signed, and hash would only need to be computed once per static html file. And for dynamic files, computing a hash would presumably be much faster than encrypting&signing). And it could be made compatible with name-based virtual hosts too (which SSL is not...)

Re:Should just block all ads, but...

[nokilli]

Oh fuck, forgot my sig.

--
Censored by Technorati and now, Blogger too!

Re:Should just block all ads, but...

[mdm-adph]

Har har! Don't worry, we're all just gonna probably start using SSL for everything, anyway. All of our discussions here will probably be worth shit all (including mine).

Re:Should just block all ads, but...

Excellent idea! I'm cancelling my Comcast right now!

...

Uh oh. Cancelling is expensive, and then I have to move to get another provider.

Re:Should just block all ads, but...

[mdm-adph]

You're right! Why didn't we think of that before! Let me just cancel my Charter account and move to.... nothing. Charter's the only provider for my area.

Re:Should just block all ads, but...

[vux984]

All these ideas are neat, but ultimately losers.
MOVE TO ANOTHER PROVIDER TODAY.

Why should I do that if I don't know the ISP is modifying the web pages in flight? Maybe I need a tool that could somehow detect that? That would sure be useful. Oh wait...Isn't that what this discussion is about?

Re:Should just block all ads, but...

[jZnat]

Learn how to use the sig feature on Slashdot and stop spamming your damn blog.

Re:Should just block all ads, but...

[eheldreth]

What if the ISP, having the server's (Apache HTTPD) code, recomputes the hash in the same manner. Browser sees content. Browser sees hash. Browser compares the two...gets an OK.
1.) Claim the hash is to protect the copyright on your site
2.) Sue any ISP that alters the site without permission under the DMCA
3.) ???
4.) Profit!

Re:Should just block all ads, but...

[BadERA]

ahhhh ... the result of a one-way hash function IS a message digest ... ? :scratch:

Re:Should just block all ads, but...

Agree, GP should be modded "overrated" or some such. sig spamming sucks. Of course, you can just mark the fucktard as a foe and -6 mod him in your preferences...

Re:Should just block all ads, but...

If the ISP can isert an Ad in your webpage, they can recalculate the hash...sorry, nice try though.

Re:Should just block all ads, but...

[GroovinWithMrBloe]

Still susceptible to man in the middle attacks. Anything not encrypted/signed/trusted can be modified, including the hash. HTTPS would better from a security standpoint.

Re:Should just block all ads, but...

...ISP modifies content, ISP recalculates hash, ISP replaces the hash...

...Browser sees content. Browser sees hash. Browser compares the two...

Other than increased CPU time for everyone, nothing has changed.

Re:Should just block all ads, but...

[lord_sarpedon]

Browser sees hash also altered by the ISP There, fixed that for you.

The solution is end to end encryption. Start now.

Re:Should just block all ads, but...

[eiapoce]

I am not very scared. We have a telecommunication law here (italy) that states that electronic communications can be relayed by a third server but not eversdropped or altered. If something like a ISP would be inserting commercials inside a page served by someone else then it would be infringing the law. IANAL and don't know much about the US Law but a consumer group would take a couple of minute to file a winning sue: It's like a postman opening the letters and inserting leafleets inside... wouldn't that be illegal in the US?

Re:Should just block all ads, but...

Solution for ISP

Add the ads
Change the hash

An easy one!

Re:Should just block all ads, but...

[ls671]

Nope, a signed hash is enough

Re:Should just block all ads, but...

[J'raxis]

A message-digest includes a digital signature to prevent tampering. Without this, what's to prevent the transmitter from just altering your hash as they alter the content?

Re:Should just block all ads, but...

[BadERA]

interesting, I'd always thought hash and digest were interchangeable terms. thanks for the info.

Re:Should just block all ads, but...

[J'raxis]

They probably can be in some contexts. But when one speaks of using, as a means of authentication, a message-digest included in the message itself, it needs to include a digital signature.

What ISPs do this?

[InvisblePinkUnicorn]

Do ISPs really do this? I've never really noticed anything like this.

Re:What ISPs do this?

RTFRS?

Read The Frellin Related Stories. :P

Re:What ISPs do this?

My hosting service (the University of Minnesota) sticks a little legal disclaimer (some h5 tags) in a contrasting colot at the bottom of every HTML page it serves for non-official accounts. It's the typical "The University of Minnesota is not responsible for the content...blah blah blah" message.

Re:What ISPs do this?

[ScentCone]

Do ISPs really do this? I've never really noticed anything like this.

None! None whatsoever. No carrier would do that, because it would be unseemly.

[ARE YOUR SEEMS TOO TIGHT? YOU NEED ACME MAGIC WEIGHT LOSS SUPER DIET GINGER ROOT SUPPLEMENT!]

Re:What ISPs do this?

[HeroreV]

That's hosting. This is about ISPs.

Re:What ISPs do this?

[Knara]

That's different. U of MN does that on student accounts that are hosted on their servers. This is basically the ISP you have network connectivity to the Internet through, intercepting an html page on its way to your browser, re-writing it to include their ads, and then sending it the rest of the way to your computer.

The dont add may be they can subtract?

[140Mandak262Jamuna]

When was the last time I saw an ad of a rival to Verizon in my verizon dsl line, I wonder.

Re:The dont add may be they can subtract?

I don't "fail" this test, & I am on VERIZON DSL myself... & GOOD point on your end, though imo?? Sarcastic as hell, lol!

Anyhow, as to this test?

Try it yourself, & see!

(By the way, imo @ least? The creators of this page from ICSI & University of Washington? These guys are doing an AWESOME thing for the common-man/end-user online - helping design a system that checks for "man-in-the-middle" type of attack b.s. basically, if only applied to adbanners & such ("Stick it TO THE MAN!", because Lord KNOWS they stick it to US all the damn time))

APK

Oh lord the confusion

[db32]

Do we sue the ad folks for inserting ads and stealing content? I mean, in just about any other medium this would wind up in court overnight as copyright and stolen content and so on. But now we have a circumvention tool to detect it...so are we going to get sued under DMCA like nonsense for attempting to circumvent the ad insertion?

Re:Oh lord the confusion

[cob666]

are we going to get sued under DMCA like nonsense for attempting to circumvent the ad insertion?

Isn't a web site considered to have copyright protection and haven't there been cases of companies trying to sue Google under the DMCA for caching their web sites? Could the ISP be in violation of the DMCA for modifying the original HTML to include ads.

Re:Oh lord the confusion

IANAL, but based on what experience I have with copyright...

A case might be made that the modified page is a derivative work incorporating the original web page. The creative aspect of the page is almost entirely in the "borrowed" part, though; so it might be possible to make a case that the ISP would need a license from the copyright owner to distribute the modified work.

Of course, that gets tricky. If we're saying that the ISP is distributing the modified work, then isn't an ISP that doesn't modify the page distributing the original work? If so, how do we account for that? Could I post a web page, wait for people to view it, and then sue their ISP's? If not, why not? Are we supposing a compulsary free license impiled by my posting of the material to the web? If so, what are the terms? Do I then have to allow derivative works? If I don't have to allow derivative works, what about proxy translators and aggregators?

In any case, using a tool to detect and thwart the changes is not a DMCA issue. DMCA proscribes circumvention of mechanisms for copy protection. What the ISP is doing isn't protecting their copyright -- they're the one party who clearly doesn't have a copyright interest in the transaction.

Re:Oh lord the confusion

[Intron]

I think the grounds for a suit, if you are a content provider, are that the ISP is creating an unauthorized derivative work from your copyright material. They can add a disclaimer to their customers, but they don't have any protection from the website owners.

Re:Oh lord the confusion

[muridae]

People do not get sued for purchasing a book, even if the author home prints it and just hands it out for 2 cents on the street. The author and copyright holder is the one distributing the work, and in most (if not all) service agreements with hosting providers is a clause stating the author gives them a license to distribute the work for them. No sane judge would let this happen.

Now, again with the book analogy, if I buy a book and sell it to someone else, I should not be sued for copyright infringement. However, if I edit pages of this book without the author's consent and then resell it, then I would have created and distributed a derivative work and would probably get my ass handed to me by the legal system.

This should apply equally to web pages, but IANAL, and the courts still havn't caught up with technology.

Re:Oh lord the confusion

[WNight]

The problem with that line of thinking is that a mechanical translation with ads inserted isn't a derivative work. There must be permission inherent, for them to be able to packetize the data, check for pieces in the ISP's cache, etc. This is obvious because the content owner authorized their machine (the one making copies) to make them for anyone who requested one.

This isn't a derivative work, and thus something they can forbid, anymore than me taking the last half of one Harry Potter book and the first half of another and stapling them together. It's still 100% JK Rowling's, though there are no laws that forbid my mangling or even resale of the book. (Unless I misrepresent it as unmodified, etc.)

The ISPs are likely to have problems as they are trying to hide their ads. This is misrepresentation, as it makes it appear that the original author inserted ads. If they told the customer about it up front, there would be no legal problems regardless of how many ads they wanted to insert.

After all, it's just as mechanical to stick a leaflet in every page of a newspaper as to stick a banner in every div tag.

Re:Oh lord the confusion

[db32]

Not exactly. A book is just a book. Words on paper. A webpage is FAR more visual than text on page (unless you have been sleeping the last few dozen years). Inserting ads could easily be considered a derivitive work since you are altering the look of the site. What if I didn't want ads? What if my design is a nice soft brown and then you start inserting pink flashing ads? Or God forbid, these clowns insert one of those drive by installer ads, now your business reputation is completely screwed because some major ISP decided to make a buck without checking their sources and your website infected thousands of consumers. Good luck explaining to your customers how it was the ISP magically sneaking ads onto your website.

Re:Oh lord the confusion

[WNight]

So? That's not a copyright violation.

There is a chance of a problem is the ISP misrepresents their actions. If they claim the page looked like that before you've then got a lie which could damage the reputation of the page creator. But if you know they're doing it... I can sell you a book I put through a wood chipper.

Re:Oh lord the confusion

[db32]

The ISPs aren't selling used hardcopies like in your situation, they are for lack of a better way of describing it, acting as a publisher delivering the authors content with their additions. I don't think it is exactly a traditional clear cut copyright issue, but precious little on the internet IS a clear cut copyright issue as copyright laws weren't exactly written with the whole digital distrobution thing in mind.

Imagine a boycott website with ads being inserted for the product in question. Or even worse in our ever financially driven and politically charged landscape of stupidity and insanity. A website dedicated to candidate of party X having ads inserted being backed by party Y. The potential for unbelievable abuse here is FAR to great to not take a baseball bat to the domes of the people who made the decision to participate in this ad injection.

UW and Good Tool

[WED+Fan]

I like UW and their tools. I think they've done wonderful work. Paint.NET is fun, easy, and I love that they are still working on it.

Who/what is able add to your pages:

• Host ISP
• browser
• plug-ins
• End User ISP? - in other words, your hosting ISP most definately can add to your page. But, can the end-users ISP, insert it into to the stream as it passes through? Technically, this would be feaseble. Are there examples of this?

Re:UW and Good Tool

[i.r.id10t]

Why not? One of the win32 desktop firewalls (zone alarm pro? IIRC) would modify HTML code on the fly to remove javascript calls to window.open and a few other things to "stop popups"... I guess that the viewer's ISP could easily run everything thru a transparent proxy and either change the page or change the images (see "upside down internet", etc.)

Re:UW and Good Tool

Paint.net was done by Washington State University, not the University of Washington.

They're different schools (and rivals)

Re:UW and Good Tool

[WED+Fan]

Damn, that's right. Oh, well. How do you get a WSU student off your front porch?

Just pay him for the damn pizza.

Next week on Slashdot

[proverbialcow]

ISPs intercepting, altering results from online security tool

Re:Next week on Slashdot

[proverbialcow]

Lest you think I'm merely joking, FTFA:

Caveat 2: Our integrity checking mechanism is not cryptographically secure. If a "party in the middle" were modifying web pages that you visit, it could modify our scripts as well. Instead, our mechanism acts as a "tripwire" that is likely to catch any party that is currently unaware of our experiment. In the future, we could create a huge number of variants on the JavaScript tripwire. This would make it more difficult for a "party in the middle" to reliably determine that a JavaScript tripwire is running.

Re:Next week on Slashdot

[nweaver]

We are specifically worried about this case. But we have some thoughts on how to make it more difficult for someone to do that, which will probably end up in a full paper later.

Re:Next week on Slashdot

[TheRaven64]

Why not simply sign the pages with your private key, rather than just a hash, and distribute the public key over HTTPS. For bonus points, do this with an embedded javascript file that is referenced by an HTTPS URL (and if you're doing this, you could even embed the key in the script), to prevent that being modified. This way you can still distribute most of your contents over plain HTTP and use client-side verification for everything else.

Re:Next week on Slashdot

[Yonder+Way]

"But we have some thoughts on how to make it more difficult for someone to do that, which will probably end up in a full paper later."

Here is my paper:

Use SSL.

Thank you very much for coming. Join us for coffee and danishes in the back.

Re:Next week on Slashdot

[proverbialcow]

That doesn't really solve the problem. The tool is designed to detect whether or not your ISP is futzing with the HTML it's carrying. Even supposing SSL would make it impossible to corrupt, if the ISP couldn't alter the page if it tried, the tool would register a false negative. You would need to be able to allow the ISP to alter the page, but have the tool be able to detect and report that corruption in some inalterable way.

What makes this so tricky is that you can't trust ANYthing the ISP is sending to you, nor trust it to accurately relay any message for you. Even if you do use cryptographic protocols, you're still relying on your ISP to ferry the information back and forth, and thus they can intercept the key exchange and spoof identities.

Solving this problem is non-trivial; I'd be interested in what they come up with.

Answers to questions in this thread

[nweaver]

We (the authors of the page) will be answering questions in this thread.

Re:Answers to questions in this thread

[brunascle]

care to share any of the results yet?

Re:Answers to questions in this thread

Hi,

What is your favorite flavor of ice cream?

Re:Answers to questions in this thread

[mdm-adph]

Is there a way you could set this up on an https connection? Or would that automatically negate any ISP's attempts? (Or would it not matter?)

Re:Answers to questions in this thread

As per proverbialcow:

Caveat 2: Our integrity checking mechanism is not cryptographically secure. If a "party in the middle" were modifying web pages that you visit, it could modify our scripts as well. Instead, our mechanism acts as a "tripwire" that is likely to catch any party that is currently unaware of our experiment. In the future, we could create a huge number of variants on the JavaScript tripwire. This seems like a very silly thing to do - instead of engaging in an arms-race, why not make your tools 'cryptographically secure' - like serving them via HTTPS?

Re:Answers to questions in this thread

[nweaver]

HTTPS, when certificates are properly used, is designed to prevent man in the middle viewing and modification.

Re:Answers to questions in this thread

[nweaver]

Because people don't use HTTPs for everything.

I agree that doing things cryptographically-authenticated would be a good thing (one could probably do a more lightweight opportunistic mechanism, myself and others at ICSI have an upcoming paper in HotSec on the possibility), but most people don't use https, and a lot of web sites don't SUPPORT https for many things.

Re:Answers to questions in this thread

Pages served over HTTPS cannot be modified in transit, it would be redundant.

Re:Answers to questions in this thread

[nweaver]

Strauss Creamery Soft Serve vanilla with sea salt and olive oil from Pizzeria Picco in Larkspur

Re:Answers to questions in this thread

In the cult known as "The Landmark Forum" there is no right choice!
You just chose flavor X because you chose flavor X! No explanation needed!

Fucking cults.

Re:Answers to questions in this thread

[mdm-adph]

No offense, but isn't that kinda... weird tasting?

Re:Answers to questions in this thread

Other than "system overhead"; are there any reasons why we can't/shouldn't/don't "Just use HTTPS" for everything?

-AC so I don't lose my geek license here on /.

Re:Answers to questions in this thread

[nweaver]

One of the big reasons is the certificate model...

If you self-sign, everyone gets a nag panel everytime they visit your web page. If you have verisign or someone else provide you with a certificate, it costs real money.

Also, the HTTPS handshake is expensive, figure ~.1 CPU second per visitor to handle the public key exchange, and it starts to add up. There is a reason why GOOGLE doesn't use https for gmail by default (you have to manually type in https://mail.google.com/ to get gmail through SSL), the key echange is expensive, even by Google's standards.

Re:Answers to questions in this thread

[Lord+Ender]

Without reading the article (a slashdot tradition), why would your service be any better than using SSL? SSL was designed to detect alterations in content, and has been around for ages.

Re:Answers to questions in this thread

[Compholio]

Have you found that these services are applying modifications to requested pages that specifically state not be cached with the no-cache option? Have you found these modifications to also apply to AJAX requests?

Re:Answers to questions in this thread

[nweaver]

Because people don't use SSL, and ISPs are actively inserting adds into web pages.

ANd click the link anyway, we want to have as many people try it as possible.

Re:Answers to questions in this thread

[nweaver]

We do not check for either of those cases (yet).

Re:Answers to questions in this thread

Their goal is to detect crooked ISPs, not to defend yourself against them.

In meatspace it would be like testing bikes to see which brands fall apart, and you show up and say "why don't you just wear a helmet?".

Re:Answers to questions in this thread

[BrokenSegue]

Can your system tell the difference between ISP injected advertisements and spyware injected advertisements? (I'm not sure exactly how your checking for alterations.) If not, you'd have to rely upon finding patterns between ISPs.

Re:Answers to questions in this thread

[nweaver]

Some of the ISP advertising injectors are distinct, so those we can detect positively.

The spyware vs MITM is harder to detect in general, this may be one of the suspicious cases we need to look at for.

Re:Answers to questions in this thread

[jZnat]

People don't go to online banks? Or shop online? Or read their email online? *shock!*

This is the 21st century where cryptography is common...

Re:Answers to questions in this thread

[csreis]

Actually, our test page happens to answer these questions, to some extent.

All of our test pages are marked with "Pragma: no-cache" and "Cache-control: no-cache" in the HTTP response headers, but we're observing changes to the pages anyway.

Our integrity checking mechanism uses AJAX requests (XmlHttpRequests) to fetch the test page. ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both. However, we're only asking for a normal HTML file with the AJAX request, so I can't comment on whether they would modify other types of XML data.

Charlie

Re:Answers to questions in this thread

[slashd'oh]

Wait a minute... I ordered Soft Serve vanilla but the server (Ice cream soft Serve Provider) added the sea salt and olive oil in transit.

Re:Answers to questions in this thread

[Organic+User]

Can I get a scholarship to Berkeley?

Re:Answers to questions in this thread

[nweaver]

No, it is amazingly good. AMAZINGLY good.

Try it.

Re:Answers to questions in this thread

[nweaver]

Talk to the UC Berkeley Financial Aid Office

Re:Answers to questions in this thread

[Compholio]

ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both.

Under normal circumstances AJAX and "normal" requests are the same; however, AJAX has a "setRequestHeader" parameter that can be used to set additional headers. This is significant in that HTTP/1.1 states:

The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain.

You've already proved that the cache is violating the HTTP/1.1 RFC by ignoring the response header, I am curious as to whether it ignores the request header as well.

Re:Answers to questions in this thread

[EvanED]

Oh c'mon. You're looking at the uncommon case. Do you really want to suggest that even a sizable minority of the sites you visit on a daily basis use HTTPS?

I visit my banking site a couple times a week. I shop online a couple times a month. I read email online more commonly, but not *that* commonly from a web browser.

By contrast, I visit /. several times a day, I visit Fark a couple times a day, I visit a couple blogs a time or two a day, I visit CNN a couple times a day, I visit a couple other forums a couple times a day each, etc. NONE of these sites use SSL.

Re:Answers to questions in this thread

[maggard]

Because licking semi-frozen bovine lactate flavored with macerated orchid seed pods isnt weird ?

Re:Answers to questions in this thread

Because people don't use HTTPs for everything. I didn't ask why "people" don't - I asked why you don't.

If the possibility exists for someone to modify your scripts in transit, in an attempt to subvert them, you can eliminate that by serving the scripts via HTTPs.

most people don't use https Mu.

a lot of web sites don't SUPPORT https for many things. So serve your scripts from a website that *DOES* support https.

Re:Answers to questions in this thread

[Alsee]

I've been growing concerned that global warming, the single most important issue to the snowman of the country, is being neglected. What will you do to ensure that my son will have a full and happy life? Thank you.

-

Re:Answers to questions in this thread

[maggard]

I intend to try the sea salt/olive oil ice cream (Id already visited the annoying flash site and put the address in my reminders for next time Im out that way.) As someone interested in food flavoring & texture its a compelling combination.

I was just pointing out the ice cream of any sort, including the referenced vanilla, is already an improbable concoction that most wouldnt believe others enjoy if they hadnt grown up with it themselves.

Re:Answers to questions in this thread

[Danga]

There is a reason why GOOGLE doesn't use https for gmail by default (you have to manually type in https://mail.google.com/ to get gmail through SSL), the key echange is expensive, even by Google's standards.

Apparently Google's standards have changed and they do not consider HTTPS too expensive anymore. I just typed in www.gmail.com and it redirected me to:

https://www.google.com/accounts/ServiceLogin?(MORE JUNK CONTINUES)...

I had to try it.

Re:Answers to questions in this thread

[anilg]

AFAIK, this is just for the login.. there-onwards its back to HTTP.. (at least this was how it was some time ago.. they may have changed the policy)

Re:Answers to questions in this thread

[Danga]

You are correct. I am an application developer so web programming is not my expertise so my guess is maybe as long as the login is secure then they do not need to use HTTPS afterwards. To me it sounded like the initial HTTPS hand shake is the most expensive part of using HTTPS so I would think since it must have do that at the login page that gmail would then keep using HTTPS for the rest of the session.

Does anyone know if using HTTPS after using it at the initial logon is worth the overhead?

Re:Answers to questions in this thread

[anilg]

Yes.. there is overhead whenever you use HTTPS.

Using HTTPS requires encryption before data transfer.. now do that for tens of thousands of clients in the form of webmail users, and you see why they don't do HTTPS. However if the user knows enough about security, he can use HTTPS by using https://mail.google.com/ ..

This isn't true in case of orkut, which used to allow https throughout, but I assume their servers were overloaded, and they now only allow HTTP (the login is still HTTPS though)

Re:Answers to questions in this thread

[jZnat]

I spend a lot of time on Slashdot using an SSL connection (you can use https if you're a subscriber; perhaps they'll extend the feature one day when doing so doesn't require more hardware). I check my email using SSL. I SSH to several different computers over an SSL connection. Many sites I visit support SSL connections. Also, related to encryption, my wireless router uses WPA2 Personal (I'd use enterprise if I had a key server set up, but that's not really that important right now), so I'm always using encryption somewhere. I sign my emails using GPG. I use SSL/TLS connections wherever possible and encryption in general wherever possible. I don't do this for privacy reasons most of the time; I do it for security reasons.

Re:Answers to questions in this thread

[EvanED]

In that case, I assert that you're the uncommon case. ;-)

Frames

[benhocking]

What if the ISP is simply putting the web-page in its own frame, and the advertisement in a second frame? Unless you add the ability for web-pages to dictate that they should not be in frames, this one can't really be trapped for like that. The ISP could create its own hash for the served web-page that holds the frames.

Re:Frames

[XanC]

While I'm not sure why frames are any different from whatever other kind of content modification, you're right that the ISP could modify the hash, so GP's idea apparently won't help. SSL would...

Re:Frames

[brunascle]

i dont think they could manage to do this without it being obvious to the user. frames arent exactly subtle.

Re:Frames

[mdm-adph]

No, it's definitely possible to hide a website within another frame. Just remove the borders -- not that 90% of web users know what the fuck a frame border looks like, anyway.

Re:Frames

[brunascle]

but they'll see it once they scroll. and if the ISP doesnt add target="_top" to all the links, they'll see it when only part of the page refreshes.

Re:Frames

[mdm-adph]

...Unless you add the ability for web-pages to dictate that they should not be in frames, this one can't really be trapped for like that...

<script language="JavaScript" type="text/javascript">
<!--
if (top.location != location)
{
top.location.href = document.location.href ;
}
-->
</script>

That should do it. ;)

Re:Frames

[mdm-adph]

They'll see it, and they won't care or probably even notice. (I've got users who can't even find buttons on a web page -- and this is when they look like standard OS buttons.)

Re:Frames

[IBBoard]

Assuming the user has JavaScript enabled and hasn't disabled it to stop the popup and other adverts ;)

Re:Frames

[mdm-adph]

Aww, you're right -- fuck it. I'm going back to BBS.

Re:Frames

[VGPowerlord]

If the ISP is inserting it into a frame on the fly, you've successfully created a page that will continually try to reload itself, as it will never be the topmost ancestor.

Re:Frames

[ixl]

The hash would have to be signed by the originating website. So the frame would be detected, because the hash wouldn't be signed by the domain name that created the other content. Browsers could also display (at least) a warning when an unsigned frameset included a signed frame.

Re:Frames

[mdm-adph]

Good point. You could probably set a cookie the first time you do this, and then check it upon refresh to see if you're still in a frame.

Re:Frames

[Impy+the+Impiuos+Imp]

> What if the ISP is simply putting the web-page in its own frame, and the advertisement in a second frame?

What if we just jail the billionaires who own the ISPs for altering the copyrighted content of web pages?

A 99.9999997183% decrease in salary for hours worked accompanied by a change in lovers from Big Boobs to Big Bubba might be just what the doctor ordered.

Please don't post negative results!

[maggard]

No need for thousands of "All good in Kalamazoo" & "Up to date in Kansas City" posts.

Re:Please don't post negative results!

[mtp85]

It'd be pointless anyway, since everything's up to date in Kansas City.

Re:Please don't post negative results!

[sconeu]

Mod parent up! +1 Rogers and Hammerstein (Oklahoma!) reference

Feature request

[DreamerFi]

make a package that can be used as a simple drop-in to a website to detect this. If enough websites implement something that alerts users that the webpage was altered, isp will be forced to stop doing this.

Re:Feature request

[Qzukk]

isp will be forced to stop doing this.

That, or ISPs will work harder to defeat the detection.

Re:Feature request

[csreis]

We do have a set of scripts that we intend to make available as an integrity checking tool for others to easily use on their websites. We'll be refining them based on what we learn from this experiment, and we'll probably use some randomization to make it harder to detect the "tripwire."

We'll make them available in the not too distant future.

Charlie

Re:Feature request

[DreamerFi]

That is a war that this package will win - probably with some cryptographic checks in version 2.0.

Re:Feature request

[Lockejaw]

Eve can perform key exchange with Alice and with Bob, making them think they have performed key exchange with each other.

Re:Feature request

[DreamerFi]

It isn't a question of doing a key-exchange, it's a question of authentication. I'd probably go for getting a checksum from a https:/// page. Verify the certificate of the server, and you've got a valid checksum to use. The ISP would then have to pretend to be your https server to break this.

Re:Feature request

[Arancaytar]

I don't think so.

The dirtier the ISP has to play to smuggle their ads in, the worse the backlash. Come on - some inserted ads are simply unethical. But if the ISP starts breaking into SSL connections and someone finds out (and they WILL), the ISP is in for a big lawsuit. They may even be committing fraud.

A possible workaround

[Spy+der+Mann]

A friend of mine had a similar problem with his webpages. They were on a free host (rolls eyes). I wrote a script for him to store special tags to denote the beginning and the end of his webpage content. After the webpage was loaded, a script erased everything and replaced all the html with his marked content. Ta-da, no ads!

If you want to be stricter, encode your webpage content with base64 to make sure the ads don't intrude your precious content.

Re:A possible workaround

[Raistlin77]

I'll bet that his user agreement with that free host also clearly states that circumventing their added content in the manner that your script does is prohibited. If they discover your script, they'll likely disable his account.

Re:A possible workaround

That sounds... messy, or at least revealining an unfamiliarity with the DOM.
Probably could have just display: none rules in CSS, most ad content is pretty predictable.
Or at least JS that only snipped out portions of the DOM.
Of course, the whole point of being on a free host is it was paid by ads, he was probably in violation of
TOS and should have been prepared to lose everything on the server at a moment's notice.

Re:A possible workaround

[Jeff+DeMaagd]

A friend of mine had a similar problem with his webpages. They were on a free host (rolls eyes).

Sounds like someone's being a cheapskate. Paid hosting can be had where you get your own virtual server for $1 a month, though a domain name is extra. For as little as that costs, it's almost not worth any time dicking around trying to counter your free host's means of hosting his site.

Re:A possible workaround

[Excors]

For sites like GeoCities that add

</object></layer></div></span></style></noscript>< /table></script></applet>(...adverts...)

to the bottom of your page to stop you trying to hide their adverts, it could be good to add <plaintext style="display: none"> to your page just before the point where they add their junk. plaintext is the unstoppable monster of HTML – there is no closing tag, and the rest of the page will be treated as plain text instead of HTML. It's a slightly obscure feature, but it has better support between web browsers than many other parts of HTML and it can be fun to play with...

Re:A possible workaround

[HeroreV]

You're confused. You mentioned advertisements being inserted by the host of the website, but this is about ISPs adding ads to pages they do not host.

Re:A possible workaround

[GTMoogle]

Heh, back in the old days of CGI HTML chat rooms w/ reloading pages (don't know if those were even common...), we'd figure out html tag injection attacks. The EBIL ones where where we'd put a only we could see (pm to self usually), followed by HTML that would crash the browser... hehehe.

Re:A possible workaround

[Emetophobe]

From the website you linked: "This tag is officially deprecated. That means that this tag is being phased out, and it is strongly suggested that you not use it."

Re:A possible workaround

[Excors]

Indeed, but web sites using deprecated features do not get updated and do not go away, so web browsers continue supporting those features forever, and almost nothing has ever been "phased out" in practice. (Browsers also have to continue supporting features that were never specified or documented at all – e.g. the front page of IMDB accidentally uses <image>, which still gets treated like <img> because nobody wants to write a browser that doesn't work with such sites). Since all the browsers implement those things, and any other HTML consumer ought to work the same if it's going to work as well as possible on the web, HTML5 does specify how things like plaintext are handled, and so it should continue to be supported correctly in the future.

It's still true that deprecated features are usually bad ideas and it's strongly suggested to not use them, and plaintext seems like a particularly bad idea, but the danger of them being phased out and no longer implemented is quite small.

acronym nazi

[darkwhite]

International Computer Science Institute (ISCI) It's ICSI. Pronounced Ee-ksee. It's where they exile you if you're not nerdy enough for Berkeley Computer Science proper, or something ;)

What about the terms of service?

[petercruickshank]

I guess the next step is for the ISP to add their right to do this into your agreement with them.

Re:What about the terms of service?

Yeah, well, it's not you that has the beef - it's the creator of the web site who's had his work modified. Your ISP is making a derivative work of his site, and you can't give your ISP permission to do that, only he can. TOS between you and your ISP won't make a damn bit of difference in this case.

Re:What about the terms of service?

[HeroreV]

I've also heard that sometimes the inserted ads will sit on top of content or otherwise mangle the layout. I wouldn't be surprised if many sites started blocking IP addresses from these ISPs if that's possible.

Inserting Ads

[NeoTerra]

A certain ISP in Canada delt with this not long ago...

Inline HTML Signatures

[goofy183]

I've wondered about this for a while as a way to defeat XSS attacks but would be adding some sort of ability to sign the content in a HTML response be beneficial here? You could use your SSL cert to simply add a signature response body for content transmitted over http. I way to inform the browser to expect the signature that the ISP can't strip out may be problematic though.

The XSS idea would be to have the ability to have multi-part responses from the web server. The browser would put the page together from each part in order but only parts that contained a valid signature from your domain cert would have scripts and such executed by the browser. Then we don't have to worry about escaping scripts and such in the output content.

Re:Inline HTML Signatures

[Jeff+Ballard]

The simple solution to this is to use https: url's whenever possible. Without the private key, your ISP can't manipulate the traffic (and still have it be valid).

Re:I've got a better method...

[brunascle]

they're not talking about the ISP hosting the web page, they're talkign about your ISP adding ads to random sites that you visit. client-side, not server-side.

Re:Huh?

[mdm-adph]

ISP's inserting ads into web pages?... 2. What kind of moron would continue using an ISP like this? Why would an ISP that did this stay in business another day?

This whole subject doesn't make any sense to me. #1 90% of computer users.

#2 Because there's no other choice for most users when it comes to ISP's.

Re:Huh?

Well, I hear that in Soviet America they have to use the ISP decided by their corporate overlords as the only option if they want high speed internet, so they do not have any other option but to use the crappy ISPs for a very high price in that case.

Re:Huh?

[TheWoozle]

1. You're hosting ISP may not do this, but the ISPs of the people who view your webpage may. How would you know? Are you going to sign up for an account with every ISP in existence and test each one for yourself?

2. There are plenty of people who would never know: people who use adblocking software, for one. In any event, many commercial webpages are so overrun with advertising anyway, how would you know that one in the crowd was inserted by your ISP and not original to the page?

The subject doesn't make sense to you because you're not running a small ISP. The potential revenue vs. the loss of a few savvy customers might be a trade-off you'd be willing to make if the upside were big enough.

Positive results.

[KingBozo]

I always thought it was funny that I get tons of MicroSoft ads when viewing slashdot, now it all makes sense with my MSN as my ISP they are inserting those nasty ads everywhere.

Re:Huh?

[Raistlin77]

3. What kind of moron continues to use Microsoft products?

4. What kind of moron continues to use AOL?

5. What kind of moron uses Alexa?

If you can answer 3-5, then you already know the answers to your own questions.

Simple in principle

[jimicus]

I can think of one way to do it - but it wouldn't be too hard for a determined ISP to defeat:

Step 1: Calculate md5sum of webpage, store in separate location.
Step 2: Include on the webpage some javascript to md5sum itself and compare this to md5sum in known location. Issue an alert if it differs.
Step 3: Profit!

Of course, this is awkward for dynamically generated pages and if the ISP is happy to mess around with the page to insert ads, they're probably also happy to mess around with any javascript which detects it coming down the line. Does this method solve that?

Re:Huh?

[fullmetal55]

It's not the host ISP that's inserting the ads, It's the "Client" ISP, for example Joe Smith buys a computer and buys high speed internet from "ECI" the Evil Cable ISP. Joe Smith visits Bob's Website, Bob, who hates ads never put any on his webpage, and instead makes his money through online sales of his product. Now Joe loads up Bob's webpage to purchase a widget from Bob, and he sees Ads all over Bob's Website. Bob who has GHI (Good Highspeed ISP) visits his website and there's no ads. ECI is putting the Ads on Bob's website. and collecting all the revenue from those ads. Profiting off of Bob's Website.

What about upstream modification

[SeanTobin]

It seems that everyone is concerned about downstream modification, and is completely ignoring the possibility of upstream modification. What if Sprint started modifying upstream http-posts to start a more viral ad distribution system? Not only would they be able to target their customers, they would also be able to target the customers of anyone who could read the post!

This is the reason that we need to push for network neutrality. When the only choices are between a giant douche which alters content and a turd sandwich which alters content, the customer ends up screwed in the end.

Re:What about upstream modification

[Red+Flayer]

What if Sprint [verizon.com] started modifying upstream http-posts to start a more viral ad distribution system?

Not for nothing, but I'd imagine Sprint would be more likely to insert an ad for Sprint than an ad for Verizon.

Then again, maybe Verizon is your carrier... so maybe you would be directed to Sprint at Sprint.

Re:What about upstream modification

Psst, the joke is that someone upstream inserted a link to Verizon on the text for Sprint.

Re:What about upstream modification

[Arancaytar]

That is an utterly preposterous idea. Not even the most depraved ISP would resort to that.

Get your free 500 HOURS OF INTERNET today!

Re:What about upstream modification

[NetCow]

This is the reason that we need to push for network neutrality.

Actually, this is the reason we need to push for SSL.

Re:What about upstream modification

[antihadron]

Isn't that whole blog AGAINST network neutrality (regulation of the internet that prevents technologies like the ISP Ad insertion from being applied)? quotes like this make me think so: 'Someone once said that a libertarian is a conservative who's just been arrested. Probably true. But in that same spirit, it will be interesting to hear how the net neutrality crowd describes one of its favorite bogeyman, deep-packet inspection, the next time it helps stop a major denial-of-service attack.' deep packet inspection is a relative of the ad insertion technology.

Analyses

[nweaver]

We've seen a couple cases of NebuAdd, one other that looks interesting, and a fair amount of addblocking/firewall software (eg, ZoneAlarm does some modifications)

We are waiting for the Slashdot and DIGG deluges to pass, however, before we have a more detailed analysis.

Re:Analyses

[mdm-adph]

God, I imagine those deluges are leading to quite a bit of usable data in a short-time frame! Are you planning to modify the results any on any kind of basis that most Digg and Slashdot (well, at least Slashdot) users are somewhat more technically literate (don't know if it makes any kind of difference in a test like this, but I'm curious).

Re:Analyses

[nweaver]

Partially, we want to encourage people to pass it on to their nontechnical friends.

Our initial goal is to not map the space completely, but to

1) Validate the tool operationally

2) Try to find some cases, and analyze those cases.

Also, I think the tech savvy might be MORE vulnerable, as it seems to be small ISPs which are doing this, not the big ones.

Re:Analyses

[whitehatlurker]

With my filtering software enabled, I didn't see your IFrames at all. I don't think you'll get much information from that visit ... on the other hand, my "unfiltered" visit appears to be also unfiltered by my ISP.

Re:I've got a better method...

[mdm-adph]

Actually... theoretically, would this be somehow "between" client-side and server-side? I'm having a hard-time classifying this type of interception.

ISPBlock Plus

[andrewd18]

I've got this awesome new Firefox plugin called ISPBlock Plus. It blocks all the packets your ISP is sending you in-flight. No more ads!

Re:ISPBlock Plus

[mdm-adph]

I tried that one. The internet seemed a lot more peaceful and calm, though less informative.

Re:ISPBlock Plus

[CelticWhisper]

You've been misled. There is no "+1 Peaceful-and-Calm" mod. Just informative. ...So far, at least.

Re:Huh?

2. What kind of moron would continue using an ISP like this? Why would an ISP that did this stay in business another day?

Well, unfortunately for me I want broadband access, and in my area I'm stuck with only one choice for an ISP. So, whether my ISP inserts ads or not I really only have two choices: 1) Learn to like it* 2) Learn to live with no internet access.

* - Of course there is always choice 1b) Learn to use Firefox with the Adblock Plus plugin (which I already do - and it works great!). This is a choice that I'm sure many others will point out.

And yes I've called several other broadband providers and none of them have any plans to provide service to my area.

They WANT to be slashdotted

[ookabooka]

These guys actually want as much traffic as they can get to get a good idea of what isps are doing what. Go ahead, click online tool. It's pretty nifty.

Re:They WANT to be slashdotted

(Posting AC to avoid killing moderation)

People using TOR can try it and see what happens from the ISP of someone else on the network

Old stuff.

[TheLink]

Years ago on one April Fool's day, I got a list of ad sites (from the usual /etc/hosts files out there), then got the internal DNS server to resolve them to a server that served up the company logo instead (for all possible url paths).

FWIW, seemed only one person noticed that the forbes page they loaded somehow had the company logos everywhere :). Nope I didn't get fired or even reprimanded - plus even better - I was saving company bandwidth (remember this was years ago)... Nobody complained about the lack of ads from ad.doubleclick.net and gang.

I toyed with the idea of substituting ads with reminders (meeting at 2pm, or "you have been on slashdot for 2 hours!") and other more useful information.

Lastly, I don't think their naive hashing thing checks if you are altering the images - the content may remain unchanged, but linked to contents may change (they aren't checked from what I see), so it doesn't work for my scenario where different ads are substituted for the unaltered URL.

That said, I'm still curious on:
1) How many ISPs would bother modifying traffic from those 7 destinations they are testing.
2) What the various laws around the world say about this.
3) What those laws say about "sponsored internet access" where an ISP gives a cheaper package/plan where the ads are substituted with the ISPs advertisers with the risk of some corrupted info.
4) What those laws say about "streamlined internet access" where an ISP provides a package/plan where ads and other crap are removed (or modified) for their customer.

Re:Let the legal system work for you

If the pages you create have a copyright notice comment in them, I am pretty sure the ISP's could not modify them without your permission. I am not a lawyer, but it seems right to me.

If it's happening near the client..

[Sloppy]

..why not just use SSL?

I can understand how this wouldn't help with hosting ISPs who insert ads into their own customers' pages, but if you're worried about your readers' ISPs modifying your pages, SSL seems like a no-brainer.

What's the downside? It can't still be CPU, can it? It's 2007 now, and processing power is ridiculously cheap/fast.

Re:If it's happening near the client..

[nweaver]

As I mentioned in another reply:

a) Certificates are a pain and cost $$$

b) CPU isn't free. It costs ~.1 CPU second to do an SSL handshake. This is actually a big-deal amount, there is a reason why Gmail defaults to http except for authentication.

Re:If it's happening near the client..

[TheRaven64]

0.1CPU-second to do an SSL handshake seems like a huge amount, since this would limit you to ten connections a second. Considering that hardware crypto devices that can handle SSL at over 100Mb/s exist, I'm really surprised that the numbers are that high. Can you cite the system you used to test this? Considering that CPU speeds have been doubling roughly every 18 months for a while, I find it somewhat hard to believe that five years ago it was taking around a whole CPU-second to do the handshake. If this is really the case, how do sites like gna.org handle using SSL for every request?

As for the certificate thing, CACert certificates are free. I probably wouldn't trust one with financial data, but for simply verifying ownership of the domain they are adequate. While they are still not included with most major browsers, it's still only one certificate clients need to install, rather than one for every single site.

Re:If it's happening near the client..

[Cheesey]

Big sites do use hardware SSL crypto processors.

Despite Moore's law, etc., the cost of RSA operations on general purpose CPUs is very high. Not a problem on the client side, but on the server side, one hardware accelerator could save you thousands of general purpose CPUs.

Re:If it's happening near the client..

[nweaver]

I don't have the stats for SSL, but for a simple SSH it takes .17 seconds to do a simple handshake, authenticated login, echo, exit (to a system that is .9 ms RTT latency), while only .06 seconds to do a shell script locally of "echo ".

So I'm a little high on my .1 CPU second, but its not THAT far off. RSA in software is slow...

The bulk encryption is cheap, but thats another story.

Re:If it's happening near the client..

[TheRaven64]

I just did a similar test to yours, and I got this:

time ssh localhost echo foo
foo

real 0m0.399s
user 0m0.066s
sys 0m0.017s

This is on an old, 1GHz Athlon. The real time is quite high, but the machine is doing a few other things, so much of that is time spent on other tasks. Since the crypto is all done by SSH, not by a hardware device, it must be part of the 'user' time. This gives 0.066s on an old machine doing the client part of SSH. A decent server chip should be able to do the same thing in 0.01 seconds, making your guess an order of magnitude off if the complexity of SSH and SSL are comparable.

From your figures, you have 0.06 seconds to spawn a shell (an order of magnitude more than I get, but maybe you're using a very old machine or a poor OS), and 0.9s RTT. That gives 0.15s in total, not counting the encryption overhead. The encryption overhead, then, is 0.17-0.15 = 0.02s. Once again, the numbers seem to indicate that SSL is a negligible overhead, and a semi-decent CPU should be able to handle over 100 connections per second.

Note as well that HTTP 1.1 allows the same connection to be used to transfer multiple resources, so an AJAX web app might easily handle a large number of AJAX responses with a single SSL setup cost.

Re:If it's happening near the client..

[cswiger]

"0.1CPU-second to do an SSL handshake seems like a huge amount, since this would limit you to ten connections a second. Considering that hardware crypto devices that can handle SSL at over 100Mb/s exist, I'm really surprised that the numbers are that high. Can you cite the system you used to test this?"

The key thing to notice here is that doing the initial key handshake involves 1024-bit RSA or DSA public keys, typically, whereas the number you are quoting is the streaming rate for doing 56/128-bit symmetric encryption via DES, 3DES, or AES. The difference in workload between the initial public-key crypto used to set up a temporary session key as a shared secret, and the workload for doing the subsequent symmetric crypto using this session key is huge.

If you want to understand the difference, try running "openssl speed" on your favorite machine. A ~ 1GHz Intel box can do about 120 1024-bit RSA keys per second; about 20 2048-bit RSA keys per second; or 3.3 4096-bit RSA keys per second. By contrast, it can stream DES at 20MB/s or AES-128 at about 17MB/s.

Re:If it's happening near the client..

[ekhben]

Connection establishment time blow-out. With HTTP you send a request, probably in a single network packet. Server received request, sends response, probably in several packets. With HTTPS, you initiate an exchange that will last for several iterations (client hello, server hello, client key, client finish, server verify, server finish) before you send the HTTP request. For a typical web page, this will triple the response time and likely double bandwidth per request, depending on the size of the HTML, images, scripts, and styles requested.

Keep-Alive can ease the pain of both, but IE, Apache, Keep-Alive and SSL is a mix you must avoid lest you run afoul of a long-standing bug. I can't find anything to confirm or deny that the bug is fixed in IE7, but IE7 is not yet prevalent enough to ignore IE6 bugs. You can turn off Keep-Alive (and SSL clean shutdown, and HTTP/1.1, all problematic) for IE only easily enough in Apache config.

HTTPS does not work with named virtual hosts. Because the SSL handshake occurs BEFORE the HTTP request has been sent, the only information the server has to go on is the IP address the client connected to. Server certificates include the server's name, else they are invalid. The server must then present a name to the client when it does not have the name the client wishes to connect to. With IPv4 consumption growing continually, using 30 IPs instead of 30 named virtual hosts is not an ideal world. You can use globbed server names in certificates, but support for this is shaky in both browsers and certifying authorities. STARTTLS solves this problem, but has very limited browser support. With no IE support, it's as stillborn as XHTML.

And you need a certifying authority. If you simply self-sign a certificate, you've done nothing at all. Your malicious ISP can self-sign a certificate themselves, claiming to be the remote server, and simply decrypt the stream from the server and reencrypt it after modification. Certifying authorities will charge you for the service.

So, we have (1) increased request latency and bandwidth cost, (2) loss of support for named virtual hosts, and (3) cost of purchasing and renewing a valid server certificate. Plus a small amount of (4), increased CPU cost -- but you're right about that, CPU power scales faster than available bandwidth. :)

Re:If it's happening near the client..

[TheRaven64]

Thanks. I am still not completely convinced that this is a significant overhead. Running 'openssl speed rsa1024' on my laptop (Core 2 Duo 2.16GHz, OS X) and server (1.42GHz PowerPC, OpenBSD). The results were quite surprising; 150/s for the laptop and 135/s for the server. I ran the test on a 1GHz Athlon running FreeBSD and a 450MHz PII running OpenBSD and got 177/s and 59/s respectively. All of these results seem roughly commensurate with the processor speed except the OS X one, which is much slower than I would expect.

That said, a relatively old machine (1GHz Athlon) can do almost 200 signs per second with a 1024-bit key. For general use, where all you care about is that the ISP isn't re-writing the contents in real-time, a 512-bit key would probably be enough; it doesn't matter if they crack it in a couple of minutes, as long as they don't crack it before the page has loaded. With this key strength, my old Athlon can do 767 signs per second. You can crack this fast enough if you spend enough money on dedicated hardware, but you're probably not going to make enough on ad revenue to justify it.

Either way, these tests show that even a relatively slow machine can do an 1024-bit RSA signing operation in under 0.01 CPU seconds, which is an order of magnitude less than the grandparent claimed. For a decent server chip, I wouldn't be surprised if the timing was getting closer to 0.001 CPU seconds. At that speed, it makes sense to just enable it for everything. Of course, you can't get a paper published saying 'if you turn on SSL, you get more security than if you don't.'

Re:Huh?

[Lockejaw]

1. What kind of moron would never look at their own web site as they develop it and not notice this?

The same kind who doesn't want to travel around the country testing it with all the ISPs the visitors might use.
Or maybe just the kind of moron who won't even RTFS.

They invented that in 1995

It's called SSL / TLS. It uses a certificate, signed by a trusted certificate authority, to sign a cryptographic digest of a page, and to prove to the user that the page was generated by the entity that claims to have generated it, and the page was not modified. SSL / TLS doesn't even have to use encryption. It can be used to serve plaintext pages with signed digests, which prevents exactly what this attack is: a man-in-the-middle alteration.

And they are claiming a new tool to do something which a universally-deployed tool has been doing for ten years now.

------------
Software development blog

Re:Huh?

Considering that the customers that are likely to notice this are probably the same customers that use the most bandwidth, I can see and ISP doing this as a tactic to shed thier least profitable customers.

Only https can be trusted

[SpaceLifeForm]

If it's plain ol' http, anything can be modified on the fly,
including hiding posts to blogs.

All blogs should be https, in fact, all websites should
be https, even if you have to roll your own SSL cert.

Re:Only https can be trusted

[cdrudge]

We had that a while back. Developers were trying to figure out the best way to secure only a section of the site that had to be secured, but the reset of the site didn't. We were dealing with some odd security issues going between zones. I just made the suggestion, "Why don't we just https everything?" No one had really thought about that and there wasn't a real compelling reason why we couldn't just do that.

Re:Only https can be trusted

[TheRaven64]

If you don't want the overhead of SSL for every connection, you could always use something like this, where the contents of each page is signed by your private key, and some Javascript that retrieves the public key over HTTPS.

all websites should be https, even if you have to roll your own SSL cert If you're rolling your own certificate, and not pre-sharing it, then SSL is vulnerable to a man-in-the-middle attack. Most people shrug this off saying MITM attacks are hard to perform, but since the insertion of ads in this way is a MITM attack then that argument doesn't really work here.

Re:I've got a better method...

Man-in-the-middle

Re:I've got a better method...

[spun]

Are you pretending to be mentally challenged in order to troll, or do you really not understand even after having it explained to you a little further up the page? It is not the developer's ISP, or the hosting ISP that is doing this! It is the ISP of the people looking at the page. So, you left out a step in your patented eyeball method: signing up for every ISP in existence and loading your page, to see if that particular ISP does it.

Re:I've got a better method...

Hey, Christian: judge not lest ye be judged. I don't think Christ said anything along the lines of "Thou shalt mock the stupid, for they are humorous, and will not understand your taunts."

If you post on a site with a lot of atheists and agnostics while shilling for your Christian music, and then turn around and act un-Christian, expect to be called on it.

Not quite...

[nweaver]

This is a war however which we can make damn difficult by using virus-like mutation techniques, so that every checker looks different: force THEM to solve the AV defender arms race.

As long as the actual API used by the Javascript is common enough that the ad-injectors can't recognize and block our code by keeing in on the API calls rather than the overall Javascript.

The proper solution, adding integrity checking to all HTTP, seems like its not happening.

Re:Not quite...

[nweaver]

Also, detecting the absence of the checker is insufficient, because Javascript might be turned off.

Re:Not quite...

[DreamerFi]

The proper solution, adding integrity checking to all HTTP, seems like its not happening.

True.

Sad, but true.

Re:Not quite...

[Hoplite3]

Wouldn't a simple solution be to send traffic through https? The protocol exists, all major browsers support it. Some low-end machines might have trouble doing all of the cryptography in addition to page rendering, but multicores and dedicated crypto hardware are both becoming common and could change that.

After all, encrypted traffic looks like a stream of random numbers to the ISP, right? Hard to modify.

Re:Not quite...

[Chandon+Seldon]

Two problems:

1. SSL is reasonably easy on the client side, but serving SSL still causes a significant performance hit on a server. A server that could handle 5000 requests per second with normal HTTP might only be able to handle 1500 with SSL enabled.
2. Digital certificate issuance is a horrible mess. If you don't get a certificate from one of a very few issuers, browsers will flip their shit and tell the end user that your page is horribly insecure. Becoming an issuer in that category is possible, but Microsoft policy makes it costs about $50,000/year (and IE compatibility is pretty important) - which is why there is no mainstream non-profit certificate issuer.

Why the fuss?

[antihadron]

I understand the first knee jerk reaction people have with the concept of ISPs sticking ads on content. Kind of a NIMBY thing. However if you think about it, people have been making money out of other people's content for a long time in the Internet. What's a search engine really but a way to generate ad revenue by organizing other people's content? This reminds me of when content providers were complaining that search engines' tactics of deep indexing their sites was allowing the users to bypass their home pages (where the ads were hosted). I understand why ISPs are going to be moving in this direction. Just compare the market valuations of the big 'Internet' plays with those of the large ISPs. Why should Google's market cap. be 158.38B and Comcast's 88.20B? Google and other companies like it honestly have done very little but leech off of other people's content (Search, News, Groups, Images, Videos, etc.). Their business model is to provide ads. (content providers: where is the outrage here?). What type of company would you miss more if it were to disappear tomorrow (search engine vs last mile ISP)? Comcast and the other providers in comparison have made a massive investment in infrastructure that they have to both innovate and maintain. Look at Verizon and FIOS as an example. Do you see Google spending B's to roll out fiber? To some degree they have been left out. They are are in an industry where their product has become a commodity where people make decisions largely based on price. These technologies give these companies an opportunity to change the nature of the game. Sure its greedy, that's capitalism, but its not evil. Nor is it illegal if done properly. Its an agreement between two parties, one the provider, the other the consumer who wants a FREE/cheap (cost) Internet. If you want 'free' Internet you are going to have to pay for it somehow. Either through the government through taxes, or though something like ads. Personally I prefer the ads, if I do not like them I can pay (time or $$) for the option to not have them.

the good, the bad, and the ugly

Most slashdotters probably consider an isp inserting ads to be a bad thing for a variety of reasons (ethical and technical). Yet most slashdotters don't have a problem running a filtering proxy, adblock, greasemonkey, using tivo/myth tv to skip over ads, etc. Double standard?

Re:the good, the bad, and the ugly

[antihadron]

I guess also that most would consider free services a good thing. Most free things on the net are supported by ads. Why can't Internet access be free? If you can make money (as an ISP) and give your service awy for free, you have on hell of an incentive to get your service anywhere you can. Free ad supported internet in airports and other public areas could actually work (vs. the crappy for fee stuff you have to signup for.).

Also I would rather have my ISP gain revenue by running ads on content than some other means they have at their disposal that cannot be detected by a script. At least this is not the secretive gathering of all web activity and selling it to the highest bidder. Many ISPs (and search) already do that. If I want privacy or unadulterated content I can use Tor or some other service. There is no privacy on the web anymore. There are too many ways to connect the dots. That fact will not change until there is widespread adoption of encryption and anonymization technologies for all transactions on the web.

Re:the good, the bad, and the ugly

[achbed]

The difference here is that *they* have control of the changes. The ISP is being paid by the customer for connectivity. There is (in most cases today) an expectation that any data sent across an ISP's links will be unaltered. By running adblock, greasemonkey, or similar packages on the local machine, the end user is explicitly changing the data. But that does not happen without the end user knowing about it.

Also, if my ISP is doing this to generate ad revenue, I would be up in arms and demand a cut of the revenue stream. Otherwise, I can just take my packets elsewhere thank you. I don't need to pay a company to sell my eyeballs.

Already Part of HTTPS?

[Doc+Ruby]

Doesn't just using HTTPS as the protocol to retrieve pages at URLs make the server sign the code, and encrypt it so no middlemen can change it "in flight"? I guess if the HTTPS server is controlled by the ISP, the server just signs the altered pages. But what kind of downstream test can stop that?

Could it be turned around?

Could someone find out that you are using Adblocker this way?

Damn...

[elysium-os]

Well if we block changes then how will my /. duplicate removal software work?

Re:Let the legal system work for you

[Keith_Beef]

Except that in the contract, as governed by the terms and conditions, you probably assigned your ISP right to insert ads or otherwise modify your content in exchange for hosting and serving the content (in addition to any fee you pay for the service).

This is effectively what my former ISP, Club Internet, was doing when it insisted on inserting JavaScript into the header of every page, in order to display advertising.

The very existence of your content on the server is dependent on the terms of the contract and uploading the content happens later than the date the contract became effective, I think that you would have a very hard time attacking your ISP.

The ISP will simply point out the terms and conditions you agreed to, and say "stick to the terms and conditions, or you are free to take your business elsewhere".

Beef>