Slashdot Mirror


Major ISPs Injecting Ads, Vulnerabilities Into Web

Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."

3 of 116 comments

  1. Only mildly illegal. by davolfman · Score: 5, Interesting

    I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain they've been entitled to control over all the sub-domains and serving ads on their domain like this could very easily be argued as a major break of trademark law. It was a seriously braindead decision as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.

  2. fix? by pavera · Score: 4, Interesting

    Couldn't a company "fix" this by setting up wildcard DNS so that any "mistyped" URL will still get resolved by DNS, thus making this particular attack/injection by the ISPs impossible?

    Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?

    Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?
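
A check for the behaviour in the summary and for the wildcard setup suggested in comment 2, added here as an example (it is not part of the Slashdot thread or of Kaminsky's talk): it looks up random labels under a domain and reports whether the resolver returns nothing, the owner's own wildcard addresses, or addresses the owner does not recognise. The function names, `example.com` and the RFC 5737 documentation addresses are assumptions made for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """OS resolver lookup: set of addresses, or None if the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return None


def check_subdomain_rewriting(domain, expected_ips=(), resolve=system_resolve, probes=3):
    """Look up random labels under `domain` and classify the resolver's answers.

    Returns (verdict, unexpected_addresses), where verdict is:
      "nxdomain"  - no probe resolved: nothing is answering for missing names
      "wildcard"  - every probe resolved, only to addresses in expected_ips
      "rewritten" - some probe resolved to an address the owner does not expect
      "mixed"     - some probes resolved to expected addresses, others did not resolve
    """
    expected = set(expected_ips)
    unexpected, resolved = set(), 0
    for _ in range(probes):
        # 64 random bits: a label the owner has almost certainly never published.
        answer = resolve(f"{secrets.token_hex(8)}.{domain}")
        if answer is None:
            continue
        resolved += 1
        unexpected |= set(answer) - expected
    if unexpected:
        return "rewritten", unexpected
    if resolved == 0:
        return "nxdomain", set()
    return ("wildcard" if resolved == probes else "mixed"), set()


if __name__ == "__main__":
    # Constructed resolvers standing in for three networks (addresses are from
    # the RFC 5737 documentation ranges, not real servers).
    honest = lambda name: None
    ad_injecting = lambda name: {"198.51.100.7"}
    owner_wildcard = lambda name: {"192.0.2.10"}
    print(check_subdomain_rewriting("example.com", resolve=honest))
    print(check_subdomain_rewriting("example.com", resolve=ad_injecting))
    print(check_subdomain_rewriting("example.com", {"192.0.2.10"}, resolve=owner_wildcard))
```

With the default `system_resolve`, run it from a host on the ISP's network and from one whose resolver you trust; a "rewritten" verdict seen only on the former points at the ISP's resolver.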

  3. Hit it with the Copyright Stick by heretic108 · Score: 4, Interesting

    This is one of those times when copyright has a profound moral benefit.

    Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:

    Copyright is hereby granted to Internet Service Providers to deliver the content of this page verbatim as served by the HTTP server hosting this website. Any alteration to the content of this page is a breach of copyright which will incur legal action.

    It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...