Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

Hasn't this been going on for a while?

[readandburn]

I don't think this is news. (Yes, I must be new here.....)

without the knowledge of the site visitor

[xaosflux]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

Re:without the knowledge of the site visitor

[GamerGirlie]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

Re:without the knowledge of the site visitor

[mwvdlee]

Hmmmm, no... intercepting and changing internet packages is evil.

Yep. So use HTTPS-Everywhere.

[khasim]

Well, if you use Firefox that is.

If the connection between you and the website is encrypted, no one can add code to it.

Re:Yep. So use HTTPS-Everywhere.

[Skapare]

More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

Re:Yay a New Arms Race!

[History's+Coming+To]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Re:HTTP Policies

[bbecker23]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

Re:HTTP Policies

[mwvdlee]

It isn't so much scraping as it is simply taking somebody's website content and copying it for their own profit.
Plain and simple copyright violation where the website owner is the victim.

Let's just be clear about that.

[khasim]

And what if they own one of the large CAs?

Just to be clear about that ...

You're postulating a situation where:
The ISP
is owned by a certificate authority
that is, by default, trusted by your browser vendor
and that certificate authority
is creating certificates for 3rd party websites
without the 3rd party websites' permission
in order to facilitate man-in-the-middle attacks
so that the ISP can inject ads into your session.

I would imagine the backlash would kill both the ISP and that certificate authority.

Re:Yay a New Arms Race!

[93+Escort+Wagon]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

Re:HTTP Policies

[edb]

Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accomodations.

< $100/night usually includes:
    - FREE wifi, unspecified throughput, non-public IP
    - FREE incoming phone calls
    - FREE incoming faxes
    - FREE outgoing phone calls up to 30 min
    - FREE computer near lobby for guest use
    - FREE document printing for reasonable # pages
    - FREE microwave oven in the room
    - FREE mini-fridge in the room
    - FREE pillows & linens on the bed
    - FREE pull-out drying line for laundry in the bathroom
    - coin-op laundry for hotel guests

> $100/night often imposes charges for:
    - WIFI: $12.95+tax per day
    - public IP: additional $10+tax per day
    - incoming faxes: $.50/page
    - outgoing phone calls: AT&T Operator rates + 200% surcharge
    - document printing: $.50/page
    - fridge in room: $25 per night, special request
    - microwave in room: $25 per night, special request
    - linens: changed every 3 days at no charge, no discount for multi-day stay
    - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!