Slashdot Mirror


Study Confirms ISPs Meddle With Web Traffic

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. They found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."
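The detection approach the summary describes (compare the HTML a visitor actually received with what the server sent) can be reproduced in miniature. The following is an added example, not the UW team's tool: the origin publishes a SHA-256 digest of the page it served, and the client-side check compares the received copy against it and reports any lines that were inserted in transit. Both HTML samples are constructed for the demonstration.

```python
import difflib
import hashlib

# Constructed sample: the HTML exactly as the origin server sent it.
ORIGINAL_HTML = """<html>
<head><title>Tripwire test page</title></head>
<body>
<p>If you can read this unmodified, nothing was injected.</p>
</body>
</html>
"""

# Constructed sample: the same page as it arrived at a client, with one
# element inserted in transit (a placeholder standing in for an injected ad).
RECEIVED_HTML = """<html>
<head><title>Tripwire test page</title></head>
<body>
<div id="injected-ad">[ad placeholder added in transit]</div>
<p>If you can read this unmodified, nothing was injected.</p>
</body>
</html>
"""


def page_digest(html: str) -> str:
    """SHA-256 of the page body; the origin publishes this as the reference value."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_injected_lines(expected: str, received: str) -> list[str]:
    """Lines present in the received page but absent from the expected one."""
    diff = difflib.ndiff(expected.splitlines(), received.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


def check_tripwire(expected: str, received: str, expected_digest: str) -> dict:
    """Compare a received page against the origin's published digest.

    Returns whether the page was modified and which lines were added. A digest
    mismatch with no added lines means content was changed or removed rather
    than inserted, which is still a tripwire hit.
    """
    modified = page_digest(received) != expected_digest
    added = find_injected_lines(expected, received) if modified else []
    return {"modified": modified, "added_lines": added}


if __name__ == "__main__":
    print(check_tripwire(ORIGINAL_HTML, RECEIVED_HTML, page_digest(ORIGINAL_HTML)))
```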

13 of 131 comments

  1. Re:common carrier? by Anonymous Coward · · Score: 1, Insightful

    Where exactly on that wikipedia page does it say that common carriers are not liable for transporting illegal goods/data?

  2. Re:Please note the following... by Anonymous Coward · · Score: 1, Insightful

    A: Translation.. it WAS XO, if it wasn't they wouldn't have used a BS 'probably' word. They would have denied it.

  3. Re:Signed pages (pity it won't work) and SSL by Craig+Ringer · · Score: 4, Insightful

    Because any signature not accompanied by protocol encryption can be stripped by the man in the middle (say, your ISP) without the client knowing it was ever there. Mechanisms to prevent that would also eliminate backward compatibility with older, signature-unaware, browsers, and would end up being essentially HTTPS anyway.
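The compatibility problem this comment raises can be shown directly. The following is an added example, not the commenter's code: a detached HMAC signature travels in a response header (the header name and key are assumed for the demonstration), and two verifiers are compared. The one that stays compatible with signature-unaware clients accepts a page whose signature header was simply dropped in transit; only the fail-closed verifier notices, and it cannot be deployed without breaking every client that does not expect the header.

```python
import hashlib
import hmac

# Constructed key shared by the origin and a signature-aware client (assumption).
KEY = b"constructed-demo-key"
SIG_HEADER = "X-Body-Sig"  # assumed header name, not a standard one
BODY = b"<html><body><p>hello</p></body></html>"


def sign_body(body: bytes) -> dict:
    """Origin attaches a detached HMAC-SHA256 over the body as a response header."""
    return {SIG_HEADER: hmac.new(KEY, body, hashlib.sha256).hexdigest()}


def _matches(sig: str, body: bytes) -> bool:
    return hmac.compare_digest(sig, hmac.new(KEY, body, hashlib.sha256).hexdigest())


def verify_fail_open(headers: dict, body: bytes) -> bool:
    """Backward-compatible client: checks a signature only when one is present.

    A page whose signature header was removed in transit looks like an ordinary
    unsigned page and is accepted, so tampering goes unnoticed.
    """
    sig = headers.get(SIG_HEADER)
    return True if sig is None else _matches(sig, body)


def verify_fail_closed(headers: dict, body: bytes) -> bool:
    """Strict client: a missing signature header is itself a failure.

    This detects a dropped header, but every signature-unaware server response
    is rejected too, which is the compatibility cost the comment describes.
    """
    sig = headers.get(SIG_HEADER)
    return False if sig is None else _matches(sig, body)


def without_signature(headers: dict) -> dict:
    """Model the in-transit intermediary dropping the signature header."""
    return {k: v for k, v in headers.items() if k != SIG_HEADER}
```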

  4. Re:Signed pages (pity it won't work) and SSL by Craig+Ringer · · Score: 4, Insightful

    I probably spoke poorly by using the term "transparent". As you note, it's already pretty transparent to the user.

    What it's not is transparent to the web developer, host, and server.

    With STARTTLS the restriction of one SSL host per IP address/port pair is lifted. That permits WAY more sites to use SSL, and allows its use without a redirect to a different host and/or port. The user won't see a different URL, there's no protocol string change, etc.

    It also allows a client to control whether or not it wants to use TLS, rather than having the server and web designer make those decisions for the client. The server can force the issue, but can also leave the option open to the client where appropriate.

    I really like the idea of being able to configure my machine to automatically prefer TLS encryption for HTTP when I'm using, say, a wireless hotspot. I like the idea of being able to set my tech-illiterate parents' laptops up the same way even more.

    It'd be particularly nice if combined with a new CA that was fast, cheap and fuss free at the cost of providing poor checking and verification (not like the current ones... *ahem*). Joe Blogger could get his SSL cert for TLS upgrades, and browsers could use it to help ensure encryption and communication integrity without ever suggesting to the user that the presence of the cert and protocol encryption implied anything about the identity or trustworthiness of the site operator.

    Currently your options are self-signed (resulting in most browsers screaming loudly to the user), expensive but still poorly verified certs from people like Verisign, or in-between options like openca that most browsers treat as no different from just another self signed cert.

    Personally I think the way browsers equate SSL with site trust is fundamentally flawed, and I think they've finally started to realize it, as evidenced by EV certificates and so on.

  5. Blocking content vs. modifying content by Fulkkari · · Score: 3, Insightful

    We often complain about the efforts made by China and others in blocking Internet content. But how does this compare to modifying the content? With blocking you know it is blocked, but with modified content, can you tell? The ISP might say that it just puts ads on the pages, but would you trust it? Having a secret ISP framework for modifying content is a disaster waiting to happen. Personally, I think the web should go https.

    --
    I demand the Cone of Silence!
  6. Re:In Canada... by Zanth_ · · Score: 2, Insightful

    I use Rogers and am in Ottawa. Besides Bell, Rogers is it! Though I don't experience this ad injection bs (I don't use their browser) I must say they are hands down the fastest and most reliable ISP in this metro. Though pricey, one can now get 20D/1U speeds for their premium package at 100/month and I'm getting 12D/1U for their mid level. Standard is 10 for that price.

    I suppose they aren't really high speed for the likes of Sweden or Japan, but in Canada, outside of business OC lines, I don't know of anyone faster.

  7. Re:Please note the following... by RedWizzard · · Score: 2, Insightful

    a: XO's spokesperson has publicly stated (see the PCWorld article) that it was probably a reseller, not XO itself. Don't resellers normally only handle billing and other client facing services? Surely XO would be the ones providing the actual service - otherwise the reseller is not a reseller, they're an ISP in their own right.
  8. Re:common carrier? by Alsee · · Score: 1, Insightful

    I am wondering whether altering web pages by inserting ads changes the ISP status of common carrier

    No, their status does not change.

    Internet service does not have common carrier status.
    Internet service does not have common carrier status.
    Internet service does not have common carrier status.

    2005 Slashdot story on a US Supreme Court ruling:
    Cable Internet Service Not Common Carrier

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  9. Gah by Moraelin · · Score: 4, Insightful

    Gah. Two wrongs don't make a right.

    And using the law as just some excuse to jail someone you don't like, even via some convoluted fallacy, is not how the rule of the law was supposed to work. And not just from a moral right vs wrong point of view, but it also takes away quite a bit out of the deterrence factor of the law and police. After all, if you know that (A) whether you get convicted or not depends more on whims, friends, or being in the wrong time at the wrong place, and (B) whatever you did, chances are decent they'll find a scapegoat to make an example of, instead of finding you, just says you have more chances to get away with something genuinely criminal.

    We tried using spectacular shows of making an example of some bystander, to scare the criminals. Heck, half of the medieval justice worked like that, and the communist bloc kept at it until the bitter end. It doesn't really work well.

    And in this case it would also create the precedent that _any_ content you serve can get you in PMITA state prison. There's nothing to say that only ISP's inserted ads can be demonized and victimized in your setup. Any site, regardless of whether it's serving ads, or is a free forum like Slashdot, or sells stuff on the internet, or is some company's web presence on the net, etc, could be hacked to serve malware, adware, spam, phishing, redirects to other sites, etc. Some of which, yes, porn or to porn.

    So what do you propose? That if your company's site can be hacked like that, the CEO goes to jail? Well then how about we take that to the logical end then and give some responsibility in it to the guys who programmed those vulnerabilities too? Or to the admins who didn't secure the servers right? To the security teams who didn't find some glaring vulnerabilities? To the PHB's and developers who had an "auugh, those security guys are just bullies, blowing stuff out of proportion to make me look bad!" attitude and pulled all sorts of strings to get the severity rating lowered? To the beancounters who got a bonus for slashing the budget for security? To the controlling guy who insisted on hiring only the cheapest burger-flippers who had a crash-course in Java, as a cost saving measure? To the level 1 support monkeys who advised someone to disable his firewall and/or disable his virus scanner, just to install a stupid game or access some vuln-laden site? To the idiot who wrote that canned list of answers? Etc.

    I mean, if it counts as "endangering the children" if you have some vulnerability that _could_ be used against children, then, seriously, there are a _lot_ of people who had a hand in creating that vulnerability, not just the CEO. That's a lot of jails we'll need.

    You'll also notice that it just doesn't say "stop tampering with the sites". It just says that if you can be hacked, you can go to jail. So if you're sure enough of your code and your admins to be on the internet at all, then you're sure enough to mangle the web pages too. E.g., if you're sure enough that your ad server is secure enough to use it on your web site, then you're sure enough to use it in other people's pages too. After all, if it were hacked to serve kiddie porn, it would serve it on your own site too.

    No. If it has to be stopped, it has to be a clear law and applied uniformly. The idea isn't even new. Any country has laws against tampering with snail mail. Make it illegal to mess with someone's electronics communications, and apply it impartially and uniformly.

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Gah by freedom_india · · Score: 4, Insightful

      You are right.
      But you are also idealistic. And you belong in the Jefferson era.
      Your approach would not work in today's times, where corporates rule the roost without even having a vote or responsibility.
      Laws can be circumvented easily through stooges, loopholes, sympathetic judges, presidents-pardoning-criminals, etc.

      At a time when might is right, it makes sense to apply the same rules to those who twist the law and cheat. Take for instance Microsoft's recent troubles: Its EULA clearly states XP is NOT sold, but only licensed, to prevent us from tampering or reselling it. The same EULA was used by one US State to force Microsoft to pay taxes on such license fees. Microsoft tried to weasel out, but was caught by its own EULA. Now they can't avoid paying taxes because their EULA says it's license fees, and they can't remove the EULA, because hackers would have a field day in selling legitimate copies of modified XP!

      If large corporates can change the spirit of the law to suit themselves and perform unethical and clearly border-illegal acts like throttling, disconnecting without notice, then so can we.

      After all, the US has the Super 501 laws which state that any country's laws which are discriminative against US products would have those same laws adopted by the US against them!

      If the government says it's OK to have an eye-for-eye attitude, then it is OK for me too!

      --
      "Doing what i can, with what i have." ~ Burt Gummer
  10. Kudos to the UW folks - one small problem... by itsdapead · · Score: 2, Insightful

    Great study, kudos etc, but one small heads up:

    On visiting vancouver.cs.washington.edu (which you are encouraging people to digg and blog) I'm told that I have taken part in an experiment, many thanks, fait accompli - I'm not told (or at least, can't discover without extensive reading) what data has been gathered, whether it will be anonymous, whether I can opt to withdraw etc.

    Do you see where I'm going here...?

    I really don't think the UW guys are going to be abusing this data, and they're doing it to protect us - I'm not feeling particularly violated and, hell, I love the smell of irony in the morning - but what is sauce for the goose is sauce for the gander/if you're standing on the moral high ground it helps to be wearing appropriate footwear/people who throw stones shouldn't build glass houses (er, that's enough aphorisms...) - this sort of thing could be picked up by the bad guys to smear the research.

    The page really should link to a front page explaining what they're doing with a large, friendly "yes - I want to participate" button.

    (Speaking as someone who's just had to submit a long, silly ethical clearance form for a completely innocuous research project, presumably on the grounds that anybody planning to seriously abuse their experimental subjects would be honest enough to point this out on the form...)

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  11. Call it "Tampering" by theonetruekeebler · · Score: 5, Insightful

    We need to stop referring to these shenanigans with neutral or pragmatic names. We call these actions "modification" or "altering" or "injection" and it riles us, but you can bet your bottom dollar that the ISPs and Comcasts of the world are sitting around coming up with terms like "shaping" and "adapting" and "presentation opportunity."

    Names are powerful.

    If an ISP modifies a web page, they are tampering. Putting their own ads there is impersonation.

    If an ISP puts your IP at the top of a RST they generated, they are packet forging.

    If an ISP examines the data portion of a packet they are reading your content.

    If they change the header (other than decrementing TTL or doing NAT) they are packet tampering.

    And if they say it's to enhance user experience they are lying.

    --
    This is not my sandwich.
  12. Re:common carrier? by sjames · · Score: 4, Insightful

    It doesn't, but nevertheless, common carriers are not liable for the goods and data transported. That's why the USPS doesn't face trafficking charges every time someone mails illegal drugs and the phone company isn't charged as a co-conspirator if someone uses the phone to plan a robbery.

    Without the legal recognition of common carriers, there could not be phones, mail, or any sort of shipping. The criminal liabilities would be too great to even consider.