Slashdot Mirror


Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

4 of 273 comments

  1. without the knowledge of the site visitor by xaosflux · Score: 5, Informative

    Of course this is in no way limited to hotels, even ISPs have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

  2. Yep. So use HTTPS-Everywhere. by khasim · Score: 5, Informative

    Well, if you use Firefox that is.

    If the connection between you and the website is encrypted, no one can add code to it.

    1. Re:Yep. So use HTTPS-Everywhere. by Skapare · Score: 5, Informative

      More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

      Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

      I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

      --
      now we need to go OSS in diesel cars
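
Added example, not part of the thread and not any browser's code: the child-hostname rule proposed in the comment above, sketched in JavaScript. The function names are hypothetical, and allowing a page to reach its own base name is an assumption the comment does not spell out.

```javascript
// Added illustration of the hostname rule proposed in the comment above.
// Function names are hypothetical; this is not any browser's actual policy.

// Normalize a hostname: lowercase, drop one trailing dot, split into labels.
function labels(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".");
}

// Base name of the page's host: per the comment, strip a leading "www".
function baseLabels(pageHost) {
  const parts = labels(pageHost);
  return parts[0] === "www" && parts.length > 1 ? parts.slice(1) : parts;
}

// True when targetHost is the base name itself (assumption) or the base name
// with extra labels added in front of it.
function mayAccess(pageHost, targetHost) {
  const base = baseLabels(pageHost);
  const target = labels(targetHost);
  if (target.some((label) => label === "")) return false; // malformed name
  if (target.length < base.length) return false;
  // Compare whole labels from the right. A plain string suffix test would
  // wrongly accept "evilslashdot.org" as a child of "slashdot.org".
  const offset = target.length - base.length;
  return base.every((label, i) => target[offset + i] === label);
}

// Constructed cases: the first three are the ones named in the comment.
const cases = [
  ["slashdot.org", "images.slashdot.org"],
  ["tech.slashdot.org", "images.slashdot.org"],
  ["tech.slashdot.org", "images.tech.slashdot.org"],
  ["www.slashdot.org", "images.slashdot.org"],
  ["slashdot.org", "evilslashdot.org"],
  ["slashdot.org", "slashdot.org.example.net"],
];
for (const [page, target] of cases) {
  console.log(`${page} -> ${target}: ${mayAccess(page, target) ? "allow" : "deny"}`);
}
```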
  3. Let's just be clear about that. by khasim · Score: 5, Informative

    And what if they own one of the large CAs?

    Just to be clear about that ...

    You're postulating a situation where:
    The ISP
    is owned by a certificate authority
    that is, by default, trusted by your browser vendor
    and that certificate authority
    is creating certificates for 3rd party websites
    without the 3rd party websites' permission
    in order to facilitate man-in-the-middle attacks
    so that the ISP can inject ads into your session.

    I would imagine the backlash would kill both the ISP and that certificate authority.