Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Confirms ISPs Meddle With Web Traffic

Posted by Soulskill on from the you-wouldn't-like-me-when-i'm-angry dept.

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. The found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."

14 of 131 comments (clear)

  1. common carrier? by wannasleep · · Score: 5, Interesting

    I am wondering whether altering web pages by inserting ads changes the ISP status of common carrier (http://en.wikipedia.org/wiki/Common_carrier) thereby exposing it to liability for crimes and/or infringement perpetrated by its customers. Any takers?

    1. Re:common carrier? by RobertM1968 · · Score: 4, Interesting

      Good question... though I am sure that they can claim it is an automated, non-selective process which might put things in their favor in such regards.

      On a similar note, there was a lawsuit a while back about some ISP doing this (and violating the page owner's copyright - which I think got squashed because it was part of the agreement for the free service)... I wonder how something like that would go through today in this type of circumstance - or if the ISPs are going to start changing their TOS's as needed to cover this.

      --
      StarTrekPhase2 - The Five Year Mission Continues!
  2. Thank goodness by Dunbal · · Score: 5, Interesting

    Someone actually had the balls to NAME these ISPs, instead of referring to generic "providers". Of course it sucks to be you if you live in an area where they have exclusive coverage - but it's good to know who thinks they have the right to tamper with packets going between you and the destination of your choice.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Thank goodness by TheRaven64 · · Score: 2, Interesting

      The problem is that it's not tied to DNS. What should happen is that the root DNS entries are signed with a known private key. Every time you pass to a new authority, the SOA record should be signed with the parent's key. When you get to a A record, you get an associated TXT record containing the public key and all encrypted interactions with that host have to use the corresponding private key. That way to get secure communications with the host and guarantee that the host is controlled by the person who set up the DNS. The problem is that they try to make the SSL certificate guarantee that you are interacting with some named entity, rather than just whoever owns the domain.

      --
      I am TheRaven on Soylent News
  3. Please note the following... by nweaver · · Score: 4, Interesting

    a: XO's spokesperson has publically stated (see the PCWorld article) that it was probably a reseller, not XO itself.

    b: Most modifications, at least from the client viewpoint (and excluding the exploitable vulnerabilities which were discovered) are benign. 70% of the modifications were client-side proxies, such as personal firewalls, popup blockers, and add-removers.

    Of the remaining, most other modifications where things like enterprise firewall services (which modify/insert Javascript checking code) and compression transformations (removing whitespace and/or routines for displaying downgraded images to save bandwidth).

    --
    Test your net with Netalyzr
  4. Signed pages (pity it won't work) and SSL by Craig+Ringer · · Score: 5, Interesting

    Because of this issue and some related problems I've often wondered about extensions to HTTP to support cryptographically signed pages.

    HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches.

    Signed pages, if static, could be signed once and stored. They'd also be cacheable with all the normal rules.

    The main issue is key management. How do you get the signing key? Well, I'm pretty sure the HTTPS certificate key could be used to sign a page, though there might be risks to the integrity of the key. A better way would be to use a single HTTPS request to grab a signing key from the remote site.

    Signatures could be just another HTTP header, so browsers without support would never even notice. An alternative would be a HTML comment after the close body tag. The HTTP header, though, would work for related resources like images as well, and for that reason would probably be much better.

    Unfortunately, it's all useless because an ISP could trivially strip signatures from HTTP headers or pages if they wanted to mess with the page.

    If this sort of thing keeps on happening sites will just have to start offering HTTPS for all communication. The dodgy ISPs will have lower cache hit rates and higher demand for external bandwidth, but they will have done it to themselves.

    If only browsers would FINALLY include support for HTTP+TLS and for TLS upgrades, encryption could even be done transparently to the user.

    1. Re:Signed pages (pity it won't work) and SSL by Kjella · · Score: 2, Interesting

      HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches. We were doing 128-bit HTTPS connections ten years ago. Now I don't know how heavy hardware they used or how big that penalty is, but I'd be surprised if a decent server can't handle it, my box does P2P with encrypted transfers without breaking much of a sweat. As for web caches, HTTP less video/audio streaming like youtube is about 20% of Internet traffic. That means 80% aren't in the web caches and less traffic to fill the cache plus more dynamic content that can't be cached I think we're even lower. The tubes wouldn't clog and the servers wouldn't croak if we moved to HTTPS, though I'm sure it'd hit the margins of the cheapest hosting solutions.

      The main issue is key management. How do you get the signing key? Uh... you request it over plain HTTP? This is public-private key cryptography remember, the point is that you must verify the authenticity of the public key but beyond that it's like sending a PGP signed message.

      Unfortunately, it's all useless because an ISP could trivially strip signatures from HTTP headers or pages if they wanted to mess with the page. You lack imagination. Create a new "httpv" protocol, which is just like the http protocol except the browser will complain if requests aren't verified. Then you can start replacing http links with httpv links as sites catch on, and all legacy browsers have to do is treat it as http. Hell, you can probably get a dummy httpv handler to launch it as http if people insist on using browsers that don't work with this.

      If only browsers would FINALLY include support for HTTP+TLS and for TLS upgrades, encryption could even be done transparently to the user. Now that is necessary... Firefox, Opera and Safari can you do this so it'll be in IE in some years? What do they use for encryption anyway, openssl? If so it shouldn't be a big deal...
      --
      Live today, because you never know what tomorrow brings
  5. Re:copyright issues by RedWizzard · · Score: 4, Interesting

    more importantly, is this any form of copyright violation? IANAL, but I think so. They are distributing a derived work (the modified webpage). They'd need permission from the owner of the copyright on the original work (the original webpage) or they'd be infringing.
  6. Re:copyright issues by EdIII · · Score: 4, Interesting

    I was thinking of the same thing. Trying to wrap my mind around it.

    The best analogy I can come up with is a kid delivering newspapers. You THINK the kid is just delivering the newspaper to you, but he is instead cutting out the advertisements (or god knows what else) and inserting his own client's advertisements while being paid for it.

    Now of course, unlike a newspaper, a website does not get paid for the advertisements up front. So I cannot see this as anything other then stealing. We can argue the technicalities to death here, but the EFFECT is that the website was denied revenue from their ads, while the ISP gained ad revenue for themselves. Your question of compensation is interesting, but how could one gauge what that potential compensation could have been? Assume the individual would have clicked all the replaced ads on the page and then multiply for punitive damages?

    I don't know about copyright violation as a complaint from the newspaper being a viable method to protect themselves. Is there legal protection afforded to websites that states the entire website must not be altered in any form during transit? Like I said I dunno.

    What I find more foreboding is that you can no longer trust the "messenger". These ISP's absolutely MUST lose their common carrier status, since I believe that any ISP must remain impartial to the data being transmitted across its networks to have that status. Injecting advertisements into web sessions could not possibly be considered impartial. They have a direct financial motive to do so.

    In order to protect their advertisement revenue streams websites may have to resort to strong measures, like encapsulating ALL of their traffic with HTTPS. That is just ridiculous.

    I am sure that the proponents of Net Neutrality are going to enjoy their nice new shiny bullet.

  7. I charge for ads by BanjoBob · · Score: 4, Interesting

    My sites charges for advertising -- it is NOT free. If an ISP inserts ads into my pages, then I expect to be properly compensated for them.

    If an ISP starts inserting ads of my competitors on any of my web sites, that would be totally unacceptable behavior.

    Does this occur when a client's ISP passes traffic from my host to the customer's client? If so, I don't know how I could monitor that or even detect it unless the client user notified me.

    I'd like to hear more on this subject.

    --
    Banjo - The more I know about Windoze, the more I love *nix
  8. It's Started by hyades1 · · Score: 3, Interesting

    All the huge communications/entertainment corporations and every government in the world have been trying for years to get control of the internet and make money off it/control it. It looks like the big push is on. The ISP's want to start throttling bandwidth and content, then raking in the cash from both ends. Governments have finally figured out that they can get what they want by bribery instead of just the threat of legislation, and so has the entertainment industry. They're all on the same page now, and all of us are squarely in their gun-sights.

    It's time for those of us who value what we have here to wake up and start fighting back. The pressure is bound to get intense, and it's going to come from a lot of places. There's too much money to be made and too much power to be had in controlling the flow of information to a huge portion of the world's population.

    I don't know whether the solution is technological, legal, some combination, or something completely different (like massive displays of civil disobedience, for example). But I'm utterly confident that if people don't start fighting back, we can all kiss access to unfiltered information goodbye.

    And that will be a very, very dangerous thing.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  9. Now we know why ISPs are so against Net Neutrality by Newer+Guy · · Score: 2, Interesting

    The reason they're so against it is because they're already VIOLATING it! If net neutrality laws/policies came to be the ISPs would have to change the way they conduct business now.

  10. Encrypt by DeanFox · · Score: 2, Interesting


    Why on Earth are we allowing anybody to read this traffic?

    All new programs really need point to point encryption built in by default. As in, I want to design a new {whatever}: In programming I first decide how to secure the connection and encrypt the data. Second, I decide what I'm going to transfer, then the interface.

    Post cards eventually led to folded paper with a wax seal to the letter inside a sealed envelope. Where is the same standard of privacy in Internet Clients that I expect when I mail something as simple as a greeting card?

    Once Point to Point Encryption becomes the standard in all package design if the government wants to intercept and read my communications they'll have to do what the law says they have to do... Get a warrant. The same goes for my ISP or anyone else for that matter.

    There's a reason all Internet use should be considered public. We're all shouting at the top of our lungs. Right now all they have to do is stand close enough to eavesdrop on a public communication that's out in the open.

    Most of us on SlashDot are in the industry designing these Clients. Rather than complain, when you write your next Client why not design it securely?

    -[d]-

  11. Re:Toolkit for detecting changes to your own page by llamafirst · · Score: 2, Interesting

    Plus if you use a small amount of encryption in your web tripwire / digital signature code, any ISP attempt to subvert the tripwire would be a DMCA criminal act in USA.