Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages
An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."
I don't think this is news. (Yes, I must be new here.....)
Of course this is in no way limited to hotels, even ISPs have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.
Well, if you use Firefox that is.
If the connection between you and the website is encrypted, no one can add code to it.
That's right, Captive Portal operators routinely inject advertisements either for their own operations or to supplement the donation buttons found on the captive portal login at coffee shops, hotels and so on. It's a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free for an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPOs even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply regardless of what you might've been led to believe. It's an interesting side business if you have the time and wherewithal.
This strange comment at the bottom of the message is illogical.
Contrary to popular belief, a recent study has found that, 'First,' actually comes before second, and is generally regarded as something that should not be mistaken with second.
Remember, One comes before Two comes before 60 comes after 12 comes before Six Trillion comes after 504.
IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page is a visual work, and at least for any country that is party to the Berne Convention (this includes the US and most or all of Europe), a page is copyrighted even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so, seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).
I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making people look as if they're 20% fatter (wider) than they actually are...
There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.
Please consider this account deleted, I just can't be bothered with the spam anymore.
Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included? (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...
I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and insert an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.
cat
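Added example, not part of any comment in this thread: one way a site owner or a traveller could check for the kind of injection discussed here (an extra script or ad frame inserted into a page fetched over plain HTTP) is to compare the active elements in a known-good copy of the page with the copy received over the suspect network. The sample pages and the `ads.hotspot.example` hostname are constructed placeholders.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser
# Elements that load or run other content when the page renders.
ACTIVE_TAGS = {"script", "iframe", "frame", "embed", "object"}

class ActiveElementCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = Counter()   # (tag, source) -> occurrences
        self._inline = None      # text of the inline <script> being read

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attrs = dict(attrs)
        source = attrs.get("src") or attrs.get("data")
        if tag == "script" and not source:
            self._inline = []    # inline script: identified by a hash of its body
        else:
            self.found[(tag, source or "")] += 1

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.found[("script", "inline:" + hashlib.sha256(body).hexdigest()[:16])] += 1
            self._inline = None

def active_elements(html):
    collector = ActiveElementCollector()
    collector.feed(html)
    collector.close()
    return collector.found

def injected_elements(reference_html, received_html):
    """Active elements present in the received copy but not in the reference."""
    extra = active_elements(received_html) - active_elements(reference_html)
    return sorted(extra.elements())

# Constructed sample pages; the hostnames are placeholders.
REFERENCE = '<html><head><script src="/js/site.js"></script></head><body><p>Post</p></body></html>'
RECEIVED = (REFERENCE.replace("</head>", '<script src="http://ads.hotspot.example/inject.js"></script></head>')
            .replace("<body>", '<body><iframe src="http://ads.hotspot.example/banner"></iframe>'))

for tag, source in injected_elements(REFERENCE, RECEIVED):
    print(f"unexpected <{tag}>: {source}")
```

The reference copy has to come from a path the hotspot cannot modify, such as the origin server itself or a fetch over HTTPS; pages with legitimately dynamic scripts will need an allow-list on top of this comparison.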
It isn't so much scraping as it is simply taking somebody's website content and copying it for their own profit.
Plain and simple copyright violation where the website owner is the victim.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Just to be clear about that ...
You're postulating a situation where:
The ISP
is owned by a certificate authority
that is, by default, trusted by your browser vendor
and that certificate authority
is creating certificates for 3rd party websites
without the 3rd party websites' permission
in order to facilitate man-in-the-middle attacks
so that the ISP can inject ads into your session.
I would imagine the backlash would kill both the ISP and that certificate authority.
Stop thinking like an engineer, and lower yourself to the thoughts of a typical computer user.
"A weird box just popped up! It says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."
There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.
Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.
#DeleteChrome
if you're connecting to an unsecured network, I doubt security is much of a priority.
Congratulations, you are an idiot!
The whole point of encryption is that it allows secure communications over an insecure network.
Contrary to the popular belief, there indeed is no God.
You say that big-city hotels have higher costs, and that they charge more for wifi because of those higher costs (maybe not of bandwidth, but other stuff). You then criticize the GP for expecting prices to be higher based on costs? Hmm. . .
Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accommodations.
< $100/night usually includes:
- FREE wifi, unspecified throughput, non-public IP
- FREE incoming phone calls
- FREE incoming faxes
- FREE outgoing phone calls up to 30 min
- FREE computer near lobby for guest use
- FREE document printing for reasonable # pages
- FREE microwave oven in the room
- FREE mini-fridge in the room
- FREE pillows & linens on the bed
- FREE pull-out drying line for laundry in the bathroom
- coin-op laundry for hotel guests
> $100/night often imposes charges for:
- WIFI: $12.95+tax per day
- public IP: additional $10+tax per day
- incoming faxes: $.50/page
- outgoing phone calls: AT&T Operator rates + 200% surcharge
- document printing: $.50/page
- fridge in room: $25 per night, special request
- microwave in room: $25 per night, special request
- linens: changed every 3 days at no charge, no discount for multi-day stay
- laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!
In theory, practice and theory are the same. In practice, they rarely are.