Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

without the knowledge of the site visitor

[xaosflux]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

Yep. So use HTTPS-Everywhere.

[khasim]

Well, if you use Firefox that is.

If the connection between you and the website is encrypted, no one can add code to it.

Re:Yep. So use HTTPS-Everywhere.

[Skapare]

More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

Re:Yep. So use HTTPS-Everywhere.

[kermidge]

Interesting bug, didn't know of it.

I never use a browser to store passwords with or without master password; use your own (keepass, etc.) with local backups, or Lastpass or similar with local backups. After trying various password utilities I've used Lastpass since it came out and have been well pleased.

Just FYI, it's TANSTAAFL from Heinlein, "There Ain't No Such Thing As A Free Lunch."

I'm sure he agreed to this in the TOS.

[Vandil+X]

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Re:Captive Portals Do That You Know?

[eht]

Hint, that is a word. From Merriam Webster

http://www.merriam-webster.com/dictionary/irregardless

"The most frequently repeated remark about it is that âoethere is no such word.â There is such a word, however."

Just because you choose to not recognize it, even though you understand perfectly what he meant by it, shows your ignorance. By the way, ain't is a word too, well a contraction at any rate.

Let's just be clear about that.

[khasim]

And what if they own one of the large CAs?

Just to be clear about that ...

You're postulating a situation where:
The ISP
is owned by a certificate authority
that is, by default, trusted by your browser vendor
and that certificate authority
is creating certificates for 3rd party websites
without the 3rd party websites' permission
in order to facilitate man-in-the-middle attacks
so that the ISP can inject ads into your session.

I would imagine the backlash would kill both the ISP and that certificate authority.

Re:HTTP Policies

[Restil]

While they couldn't insert code into an encrypted session, they COULD perform a man in the middle attack and accomplish the same thing, provided the user decided to override the certificate warning (which I'm guessing most people would). A more secure solution would be to do all the browsing over a ssh tunnel. That too could be intercepted, but it's less likely, and ssh will catch such an attempt provided the tunnel was first initiated over a trusted connection, so at least you'd be able to avoid using the service if you know it's going to be insecure.

What's ironic is the fact that the cheap hotels that are out in the middle of nowhere have great, highspeed, well covered wifi with mostly unrestricted or completely unrestricted hotspots (most of the time, all you have to do is agree to a clickthrough agreement, and you're good to go). But go to a big hotel in the city for a convention or something and they want to charge $15 a day for it. I'd just grown accustomed to tethering my cellphone in those instances since I got higher speeds from that than I did from the hotel wifi.

-Restil

Re:HTTP Policies

[Skapare]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

The SSL layer already knows the hostname of where it wants to go. The signed certificate received from the connected server should have a cert for the Certificate Authority, identifying which public CA key to get from the collection the browser or SSL library has. The CA signature of the web site's cert is decrypted by that public CA key. If that works, it is then known the site cert is signed. If the site name also matches (maybe with wildcard enabled), and today's date is in the range valid for the signature, then the site cert is valid. Otherwise not, and you get that annoting security popup.

For the proxy to insert anything, it would have to act as the end point for the SSL stream. But that setup would fail unless the proxy has the web site's certificate signed by a valid CA. If you add a new CA the proxy server used (its own), then it could do that. Otherwise they would have to convince some CA to sign certs for ALL the major sites, for use in this proxy. A bad CA could do this. You can then defeat that by removing the bad CA cert from your browser. But the hotel could defeat you by convincing you to add their local CA cert to your browser (and then the proxy can dynamically generate a fake signed cert for any site you visit if they know the name in advance, which can be done with a name server injection). You can defeat that by not allowing any of their stuff into your computer.

If you have the means, a VPN to your own trusted network can help, though you then have slower responses. Test their network to see if you can access secured services you normally do have access to, like SSH, IMAPS, Submit/TLS. Also check to see if they have IPv6 and complain if not. Tell them "the FREE porn sites are on IPv6 only".

Re:That should fail.

[Nikker]

You should take a closer look at the CD media your ISP sends you to "setup" your Internet connection.

Re:"Web Engineer?"

[CohibaVancouver]

I fail to see the problem here

From http://en.wikipedia.org/wiki/Engineer

In the US and Canada, engineering is defined as a regulated profession whose practice and practitioners are licensed and governed by law.