By Cory Doctorow at 11:11 pm Sun, Apr 7, 2013
Did I read this wrong? Says ‘only when not being served over HTTPS’.
‘Silvie had a similar reaction. He used the traffic inspection tool Fiddler to examine his packets and “saw that the ads were coming from r66t.com only when the website was not being served over [the encrypted] HTTPS,” he told me. But who or what was R66T?’
You are correct. Boingboing got this one very wrong. What they described is something that would require the skills of the NSA or at least some talented Russian hackers, but what the original article describes is something that could be set up by a community college student capable of modifying the source code to Squid.
I used to do stuff like this all the time. Years ago I was administering a sendmail server and piped all the mails through a perl script to check for iframes and such and decided to, every once in a while, rewrite mails to my boss to replace the string “^Regards,” with “I love you,”. Pretty funny for a stuffy British company.
Of course that wouldn’t be possible now, since everything is SSL these days.
This is fun, you should give it a try: http://mitmproxy.org/
They are making a derivative work. This is not allowed. Make em inject on your own page and then sue them, or DMCA them. Worse yet :) License your webpage and JS under the Affero GPL3 and make them inject their code in there. Then ask them for a list of patents that they have cover this behaviour ;)
It wouldn’t surprise me if the ISP had been injecting code into https connections. They can proxy the whole internet if they want, supply their own certificates and break any crypto which does not involve transmitting keys on channels which they don’t control.
They will somehow need to convince your browser that their certs are legit (i.e. have an unbroken authority chain to one of the browser’s trusted certificates), which is no small feat. SSL is specifically designed to prevent man-in-the-middle vulnerabilities like this one.
But say you do that with firefox, and you downloaded firefox through the same ISP? They potentially control the firefox binary and all of its built in certs.
It’s not how many customers they can fool, it’s how many then _can’t_. Even without tampering with secure connections, they’re now facing a nasty PR shitstorm, just because _two_ of their customers discovered their scheme, and both cases wouldn’t have been fooled by tampering with browser downloads.
There are ways to avoid detection, though, by customizing the user-agent on your binary when the user is connected to your ISP, so you can detect your defective browser and perform the MITM attack, but not perform it when the browser isn’t defective.
Given that Microsoft, Apple, and most Linux distributions have binary signing systems in place(MS and Apple voluntary but widely adopted for 3rd party software, distributions generally mandatory for anything in their own repositories, figure it out yourself outside of them), merely breaking the download is easy; but spoofing it is rather harder, since all those systems start with keys baked into the OS.
SSL MiTM is relatively trivial if you own the endpoints(as in corporate IT) or if you are/have access to an entity that is trusted as a certificate authority(far too many people; alas); but otherwise would require some distinctly black-hat scheming to get changes made to other people’s clients…
Like BoingBoing, you didn’t read the article. He got the ads on his phone when he used the home wifi, they went away when he used his 3/4G connection.
SSL is somewhat weak with regards to MITM attacks; all you have to do is get some trusted peer in the trust network /somewhere/ (like turktrust, or diginotar, or some (other) lazy CA) to believe you’re FaceBook.com / google.com / msn.com / mozilla.com (which is how several dissidents in the middle east were recently spied on) and you can have signed Certs with a chain of validation that someone’s browser is going to trust.
Just one CA.
Or they may have installed the ISP’s “helper” application on one machine on the network, which went through and set the same machine on the network as the DNS server, which then also installed Wtfeverzomg.org as a trusted CA in the browser’s chain … … etcetera. This method Doesn’t exactly cover this specific example, but illustrates:
Once you’re inside the perimeter, there’s little or no security.
This is why the world needs technologies like SovereignKeys, BitDNS, Moxie Marlinspike’s Convergence, and complete end-to-end encryption.
Exactly, I wish they had been messing with HTTPS. This issue needs publicity and fixing.
Since when has * worked in hosts?
Also, they can just change to IPs to completely shortcircuit that.
But then they’ll lose their l33t name.
I have an executable on my Mac called “adedit” that does the following:
sudo pico /etc/hosts;dscacheutil -flushcache
I added 0.0.0.0 r66t.com to the file this morning. I don’t think I’ve ever seen these ads before, and I have no interest in giving them a chance.
You’re on a unix box, you should set up a local authoritative name server returning NXDOMAIN on the things you filter. That’ll hit a lot more than hosts will.
Does doing something like this risk common carrier status?
Do they have it in the first place?
Steve Gibson (Host of the “Security Now” Netcast and founder of Gibson Research Corp.) has created a page that lets you know if your ISP or company is intercepting your SSL connections. Check it out at https://www.grc.com/fingerprints.htm
Thanks. Much appreciated.
A couple of points for anyone who wants to get into security paranoia:
I)This is based on trusting someone you’ve probably never heard of to act as a sort of manual Certificate Authority: Gibson’s site could be part of the set-up or may have been compromised.
II)You shouldn’t use the connection you suspect of being tampered with to visit Gibson’s site because if your ISP can inject stuff into SSL connections they can also make grc.com tell you everything’s OK.
Gibson’s site could be part of the set-up
Yeah like, who actually operates Tor?
I’d be more worried about who runs the exit nodes, than about the network itself.
Running an exit node is kind of a thankless job(it’s your IP that everybody sees when a Tor user does something tactless and/or illegal) and it isn’t free(bandwidth costs money, as does running the node). However, it’s pretty cheap compared to fielding even a basic beat cop(Tor itself is pretty lightweight, so a dinky VPS is fine, and $10 or $20K/year buys a decent slice of colo bandwidth) and having the ‘This is An Official Investigation’ stamp probably helps deal with any unsavory traffic pointing back to you.
Given how many people think that Tor is the Magic All Purpose Privacy(when, in fact, it strengthens anonymity in some respects; but is, by design, an MiTM attack carried out on your behalf by the exit node for things like SSL secured site logins, which you’d be nuts to use over Tor), he who runs the exit node is pretty much assured to net some amusing, possibly even juicy, stuff; and he who runs the fast, reliable, exit node is assured the same but in greater quantity.
I defer to the cryptoanalysts on how hard it would be to crack the Tor network itself, and what percentage of hosts on an onion-routing network you would need to control to break anonymity that way; but I’d bet money that any party with enough cash(and motivation) to set up a bunch of fast, reliable, exit nodes in the names of anodyne shell corporations at a selection of different hosting services would scoop some tasty stuff…
Tor encrypts traffic between the user’s OS and the network and between nodes inside the network. It does not intercept SSL traffic, and doesn’t even operate at that layer of the network model. It’s not a MITM model — it is a variably-routed, limited-knowledge VPN, and doesn’t deal with your browser’s CAs.
I know it’s a minor thing in this whole issue, but I really, truly, utterly hate how they bandy about the word “enhanced”.
It’s like getting a hearty “YOU’RE WELCOME” when, in the street, you’ve just been given a digital rectal exam you’ve never asked for.
It’s ‘enhanced’ as in ‘enhanced interrogation’, rather than ‘enhanced’ as in ‘improved’.
enhance: heighten, increase; especially : to increase or improve in value, quality, desirability, or attractiveness
“This greatly enhances each user’s online activity by providing an
enhanced Internet services experience with advertisement overlays”
So, I’m guessing in the way waterboarding enhances your spa experience…
formal dress for man – http://http://www.royalmendress.com
So there’s an ISP using a filtering proxy to inject scripts into pages their users requested? Sounds like an ISP I wouldn’t ever use. If they filtered HTTPS connections, it would be a man in the middle attack of a secured connection and therefore very probably illegal.
So, ‘CMA Communications’, the ISP in question, is a subsidiary of ‘Etan Industries Inc.’ which does business as ‘Credit Protection Association’, a collections agency…
An ISP run by a Collections Agency. Is such an entity even capable of non-sleazy conduct? Is there some way that we could add credit cards and check-cashing services to this business model?
They don’t need their own credit card if they already know yours.
One wonders how much consumers are saving every month by using the service that inserts ads to make the ISP more money.
Post needs an update, should read “into *insecure* Web-sessions”. Either that or just remove the phrase secure entirely.
As others have mentioned, running a MITM attack to inject content into secure sessions is much more involved that simply proxying clear connections through squid with a content script. It requires either having a trusted CA in the user’s browser so you can serve fake certs for the destination domains, or for the user’s browser to be modified in some other way to circumvent the trust chain.
Oh, that is gutsy. The sleazy ad-injecting scumbags are kind enough to “grants you a nonexclusive, nontransferable, limited right to access the Services and the copyrighted materials (including but not limited to photographs, graphics, and logos)” in order to allow you to view those precious copyrighted ads they are injecting.
I feel so blessed!
For what it’s worth, this sort of thing — along with the more obnoxious overlay, animated, noisemaking, and mouse-over ads — is part of why I run NoScript in my browser.
I don’t actually object to seeing some ads; I understand that it’s the tradeoff folks make to fund their websites and services. But when the ads actively get in the way, they’ve gotta go. And third-party scripts are a really bad practice in general, though I understand why they appeal to advertisers.
In fact I do wind up authorizing a fair number of third-party scripts, partly because folks are clever/obnoxious/sloppy about creating pages that don’t function at all unless I do so. (At the moment, 15 of the 19 scripts on this page are being allowed.) But at least NoScript makes me aware of what’s coming from where and permits me to make an active decision about whether I trust the source or not.
Anyone on CMA, please contact me at nweaver at icsi.berkeley.edu
I’m one of the authors of the UW Web Tripwires study and one of the primary Netalyzr developers, and our current version of Netalyzr has some techniques which might detect this.
Isn’t this a DMCA violation?
The current version of the terms & conditions came into effect on on 4 April 2013.
Now it’s perfectly reasonable to suppose that the ISP’s clients have only themselves to blame for not reading the updated terms when they received them, right?
Reasonable, but, apparently, quite wrong:
Why yes, it does actually say that it’s up to you to spend all your time refreshing the terms and conditions page to see if anything has changed, and when that does happen it’s already too late to object because you’ve already said yes by using their service to read the terms and conditions.
If Arthur Dent had an ISP, it would be these guys.
He points out in the article that the ads DONT appear over https, so BB is wrong.
“even on reddit he could only find three other people who had noticed the ad issue ”
Slow news day much?
Granted the lack of an https exploit makes it rather less interesting, but there’s still some sharp practice here and judging the story’s merit based on how many people independently noticed and complained about the issue isn’t very meaningful: by that benchmark, Watergate was an even smaller story.
Those scumbags have lost their right to be in front of my eyes.
ads Business privacy security short
Submit a tip
The rules you agree to by using this website.
Who will be eaten first?
Jason Weisberger, Publisher
Ken Snider, Sysadmin