Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tool Detects "In-Flight" Webpage Alterations

Posted by CmdrTaco on from the its-like-a-foil-hat-for-your-browser dept.

TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."

19 of 197 comments (clear)

  1. Should just block all ads, but... by nokilli · · Score: 4, Interesting

    If that isn't desirable, do a patch to Apache that creates a header that holds a hash of the content.
    The hash gets calculated once for static content, which is usually the bulk of the traffic, no? So
    not too big of a hit.

    Browser sees content. Browser sees hash. Browser compares the two...

    --
    Censored by Technorati and now, Blogger too!

    1. Re:Should just block all ads, but... by vux984 · · Score: 5, Insightful

      All these ideas are neat, but ultimately losers.
      MOVE TO ANOTHER PROVIDER TODAY.

      Why should I do that if I don't know the ISP is modifying the web pages in flight? Maybe I need a tool that could somehow detect that? That would sure be useful. Oh wait...Isn't that what this discussion is about?

    2. Re:Should just block all ads, but... by eheldreth · · Score: 4, Funny

      What if the ISP, having the server's (Apache HTTPD) code, recomputes the hash in the same manner. Browser sees content. Browser sees hash. Browser compares the two...gets an OK.
      1.) Claim the hash is to protect the copyright on your site
      2.) Sue any ISP that alters the site without permission under the DMCA
      3.) ???
      4.) Profit!
      --
      The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
  2. Oh lord the confusion by db32 · · Score: 3, Interesting

    Do we sue the ad folks for inserting ads and stealing content? I mean, in just about any other medium this would wind up in court overnight as copyright and stolen content and so on. But now we have a circumvention tool to detect it...so are we going to get sued under DMCA like nonsense for attempting to circumvent the ad insertion?

    --
    The only change I can believe in is what I find in my couch cushions.
    1. Re:Oh lord the confusion by db32 · · Score: 3, Informative

      Not exactly. A book is just a book. Words on paper. A webpage is FAR more visual than text on page (unless you have been sleeping the last few dozen years). Inserting ads could easily be considered a derivitive work since you are altering the look of the site. What if I didn't want ads? What if my design is a nice soft brown and then you start inserting pink flashing ads? Or God forbid, these clowns insert one of those drive by installer ads, now your business reputation is completely screwed because some major ISP decided to make a buck without checking their sources and your website infected thousands of consumers. Good luck explaining to your customers how it was the ISP magically sneaking ads onto your website.

      --
      The only change I can believe in is what I find in my couch cushions.
  3. Next week on Slashdot by proverbialcow · · Score: 5, Funny

    ISPs intercepting, altering results from online security tool

    --
    The only surefire protection against Microsoft infections is abstinence. - The Onion
    1. Re:Next week on Slashdot by nweaver · · Score: 4, Informative

      We are specifically worried about this case. But we have some thoughts on how to make it more difficult for someone to do that, which will probably end up in a full paper later.

      --
      Test your net with Netalyzr
  4. Answers to questions in this thread by nweaver · · Score: 5, Informative

    We (the authors of the page) will be answering questions in this thread.

    --
    Test your net with Netalyzr
    1. Re:Answers to questions in this thread by nweaver · · Score: 4, Funny

      Strauss Creamery Soft Serve vanilla with sea salt and olive oil from Pizzeria Picco in Larkspur

      --
      Test your net with Netalyzr
    2. Re:Answers to questions in this thread by csreis · · Score: 3, Informative

      Actually, our test page happens to answer these questions, to some extent.

      All of our test pages are marked with "Pragma: no-cache" and "Cache-control: no-cache" in the HTTP response headers, but we're observing changes to the pages anyway.

      Our integrity checking mechanism uses AJAX requests (XmlHttpRequests) to fetch the test page. ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both. However, we're only asking for a normal HTML file with the AJAX request, so I can't comment on whether they would modify other types of XML data.

      Charlie

  5. Please don't post negative results! by maggard · · Score: 4, Informative

    No need for thousands of "All good in Kalamazoo" & "Up to date in Kansas City" posts.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
  6. A possible workaround by Spy+der+Mann · · Score: 4, Informative

    A friend of mine had a similar problem with his webpages. They were on a free host (rolls eyes). I wrote a script for him to store special tags to denote the beginning and the end of his webpage content. After the webpage was loaded, a script erased everything and replaced all the html with his marked content. Ta-da, no ads!

    If you want to be stricter, encode your webpage content with base64 to make sure the ads don't intrude your precious content.

    1. Re:A possible workaround by Raistlin77 · · Score: 5, Insightful

      I'll bet that his user agreement with that free host also clearly states that circumventing their added content in the manner that your script does is prohibited. If they discover your script, they'll likely disable his account.

    2. Re:A possible workaround by Excors · · Score: 3, Informative
      For sites like GeoCities that add

      </object></layer></div></span></style></noscript>< /table></script></applet>(...adverts...)
      to the bottom of your page to stop you trying to hide their adverts, it could be good to add <plaintext style="display: none"> to your page just before the point where they add their junk. plaintext is the unstoppable monster of HTML – there is no closing tag, and the rest of the page will be treated as plain text instead of HTML. It's a slightly obscure feature, but it has better support between web browsers than many other parts of HTML and it can be fun to play with...
  7. Inserting Ads by NeoTerra · · Score: 3, Funny

    A certain ISP in Canada delt with this not long ago...

  8. What about upstream modification by SeanTobin · · Score: 5, Funny

    It seems that everyone is concerned about downstream modification, and is completely ignoring the possibility of upstream modification. What if Sprint started modifying upstream http-posts to start a more viral ad distribution system? Not only would they be able to target their customers, they would also be able to target the customers of anyone who could read the post!

    This is the reason that we need to push for network neutrality. When the only choices are between a giant douche which alters content and a turd sandwich which alters content, the customer ends up screwed in the end.

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
  9. Old stuff. by TheLink · · Score: 3, Interesting

    Years ago on one April Fool's day, I got a list of ad sites (from the usual /etc/hosts files out there), then got the internal DNS server to resolve them to a server that served up the company logo instead (for all possible url paths).

    FWIW, seemed only one person noticed that the forbes page they loaded somehow had the company logos everywhere :). Nope I didn't get fired or even reprimanded - plus even better - I was saving company bandwidth (remember this was years ago)... Nobody complained about the lack of ads from ad.doubleclick.net and gang.

    I toyed with the idea of substituting ads with reminders (meeting at 2pm, or "you have been on slashdot for 2 hours!") and other more useful information.

    Lastly, I don't think their naive hashing thing checks if you are altering the images - the content may remain unchanged, but linked to contents may change (they aren't checked from what I see), so it doesn't work for my scenario where different ads are substituted for the unaltered URL.

    That said, I'm still curious on:
    1) How many ISPs would bother modifying traffic from those 7 destinations they are testing.
    2) What the various laws around the world say about this.
    3) What those laws say about "sponsored internet access" where an ISP gives a cheaper package/plan where the ads are substituted with the ISPs advertisers with the risk of some corrupted info.
    4) What those laws say about "streamlined internet access" where an ISP provides a package/plan where ads and other crap are removed (or modified) for their customer.

    --
  10. Re:I've got a better method... by spun · · Score: 3, Informative

    Are you pretending to be mentally challenged in order to troll, or do you really not understand even after having it explained to you a little further up the page? It is not the developer's ISP, or the hosting ISP that is doing this! It is the ISP of the people looking at the page. So, you left out a step in your patented eyeball method: signing up for every ISP in existence and loading your page, to see if that particular ISP does it.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  11. Not quite... by nweaver · · Score: 3, Interesting

    This is a war however which we can make damn difficult by using virus-like mutation techniques, so that every checker looks different: force THEM to solve the AV defender arms race.

    As long as the actual API used by the Javascript is common enough that the ad-injectors can't recognize and block our code by keeing in on the API calls rather than the overall Javascript.

    The proper solution, adding integrity checking to all HTTP, seems like its not happening.

    --
    Test your net with Netalyzr