Study Confirms ISPs Meddle With Web Traffic

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. The found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."

Re:Signed pages (pity it won't work) and SSL

[Craig+Ringer]

Because any signature not accompanied by protocol encryption can be stripped by the man in the middle (say, your ISP) without the client knowing it was ever there. Mechanisms to prevent that would also eliminate backward compatibility with older, signature-unaware, browsers, and would end up being essentially HTTPS anyway.

Re:Signed pages (pity it won't work) and SSL

[Craig+Ringer]

I probably spoke poorly by using the term "transparent". As you note, it's already pretty transparent to the user.

What it's not is transparent to the web developer, host, and server.

With STARTLS the restriction of one SSL host per IP address/port pair is lifted. That permits WAY more sites to use SSL, and allows its use without a redirect to a different host and/or port. The user won't see a different URL, there's no protocol string change, etc.

It also allows a client to control whether or not it wants to use TLS, rather than having the server and web designer make those decisions for the client. The server can force the issue, but can also leave the option open to the client where appropriate.

I really like the idea of being able to configure my machine to automatically prefer TLS encryption for HTTP when I'm using, say, a wireless hotspot. I like the idea of being able to set my tech-illiterate parents' laptops up the same way even more.

It'd be particularly nice if combined with a new CA that was fast, cheap and fuss free at the cost of providing poor checking and verification (not like the current ones... *ahem*). Joe Blogger could get his SSL cert for TLS upgrades, and browsers could use it to help ensure encryption and communication integrity without ever suggesting to the user that the presence of the cert and protocol encryption implied anything about the identity or trustworthiness of the site operator.

Currently your options are self-signed (resulting in most browsers screaming loudly to the user), expensive but still poorly verified certs from people like Verisign, or in-between options like openca that most browsers treat as no different from just another self signed cert.

Personally I think the way browsers equate SSL with site trust is fundamentally flawed, and I think they've finally started to realize it, as evidenced by EV certificates and so on.

Gah

[Moraelin]

Gah. Two wrongs don't make a right.

And using the law as just some excuse to jail someone you don't like, even via some convoluted fallacy, is not how the rule of the law was supposed to work. And not just from a moral right vs wrong point of view, but it also takes away quite a bit out of the deterrence factor of the law and police. After all, if you know that (A) whether you get convicted or not depends more on whims, friends, or being in the wrong time at the wrong place, and (B) whatever you did, chances are decent they'll find a scapegoat to make an example of, instead of finding you, just says you have more chances to get away with something genuinely criminal.

We tried using spectacular shows of making an example of some bystander, to scare the criminals. Heck, half of the medieval justice worked like that, and the communist block kept at it until the bitter end. It doesn't really work well.

And in this case it would also create the precedent that _any_ content you serve can get you in PMITA state prison. There's nothing to say that only ISP's inserted ads can be demonized and victimized in your setup. Any site, regardless of whether it's serving ads, or is a free forum like Slashdot, or sells stuff on the internet, or is some company's web presence on the net, etc, could be hacked to serve malware, adware, spam, phishing, redirects to other sites, etc. Some of which, yes, porn or to porn.

So what do you propose? That if your company's site can be hacked like that, the CEO goes to jail? Well then how about we take that to the logical end then and give some responsibility in it to the guys who programmed those vulnerabilities too? Or to the admins who didn't secure the servers right? To the security teams who didn't find some glaring vulnerabilities? To the PHB's and developers who had an "auugh, those security guys are just bullies, blowing stuff out of proportion to make me look bad!" attitude and pulled all sorts of strings to get the severity rating lowered? To the beancounters who got a bonus for slashing the budget for security? To the controlling guy who insisted on hiring only the cheapest burger-flippers who had a crash-course in Java, as a cost saving measure? To the level 1 support monkeys who advised someone to disable his firewall and/or disable his virus scanner, just to install a stupid game or access some vuln-laden site? To the idiot who wrote that canned list of answers? Etc.

I mean, if it counts as "endangering the children" if you have some vulnerability that _could_ be used against children, then, seriously, there are a _lot_ of people who had a hand in creating that vulnerability, not just the CEO. That's a lot of jails we'll need.

You'll also notice that it just doesn't say "stop tampering with the sites". It just says that if you can be hacked, you can go to jail. So if you're sure enough of your code and your admins to be on the internet at all, then you're sure enough to mangle the web pages too. E.g., if you're sure enough that your ad server is secure enough to use it on your web site, then you're sure enough to use it in other people's pages too. After all, if it were hacked to serve kiddie porn, it would serve it on your own site too.

No. If it has to be stopped, it has to be a clear law and applied uniformly. The idea isn't even new. Any country has laws against tampering with snail mail. Make it illegal to mess with someone's electronics communications, and apply it impartially and uniformly.

Re:Gah

[freedom_india]

You are right.
But you are also idealistic. And you belong in the Jefferson era.
Your approach would not work in today's times, where corporates rule the roost without even having a vote or responsibility.
Laws can be circumvented easily through stooges, loopholes, sympathetic judges, presidents-pardoning-criminals, etc.

At a time when might is right, it makes sense to apply the same rules to those twist the law and cheat. Take for instance Microsoft's recent troubles: Its EULA clearly state XP is NOT sold, but only licensed, to prevent us from tampering or reselling it. The same EULA was used by one US State to force Microsoft to pay taxes on such license fees. Microsoft tried to weasel out, but was caught by its own EULA. Now they can't avoid paying taxes because their EULA says its license fees, and they can't remove the EULA, because hackers would have a field day in selling legitimate copies of modified XP!

If large corporates can change the spirit of the law to suit themselves and perform unethical and clearly border-illegal acts like throttling, disconnecting without notice, then so can we.

After all US has the Super 501 laws which state that any country's laws which are discriminative against US products would have those same laws adopted by US against them!

If the government says its OK to have an eye-for-eye attitude, then it is OK for me too!

Call it "Tampering"

[theonetruekeebler]

We need to stop referring to these shenanigans with neutral or pragmatic names. We call these actions "modification" or "altering" or "injection" and it riles us, but you can bet your bottom dollar that the ISPs and Comcasts of the world are sitting around coming up with terms like "shaping" and "adapting" and "presentation opportunity."

Names are powerful.

If an ISP modifies a web page, they are tampering. Putting their own ads there is impersonation

If an ISP puts your IP at the top of a RST they generated, they are packet forging.

If an ISP examines the data portion of a packet they are reading your content.

If they change the header (other than decrementing TTL or doing NAT) they are packet tampering.

And if they say it's to enhance user experience they are lying

Re:common carrier?

[sjames]

It doesn't, but nevertheless, common carriers are not liable for the goods and data transported. That's why the USPS doesn't face trafficing charges every time someone mails illegal drugs and the phone company isn't charged as a co-conspiritor if someone uses the phone to plan a robbery.

Without the legal recognition of common carriers, there could not be phones, mail, or any sort of shipping. The criminal liabilities would be too great to even consider.