Study Confirms ISPs Meddle With Web Traffic

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. The found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld: "To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."

common carrier?

[wannasleep]

I am wondering whether altering web pages by inserting ads changes the ISP status of common carrier (http://en.wikipedia.org/wiki/Common_carrier) thereby exposing it to liability for crimes and/or infringement perpetrated by its customers. Any takers?

Re:

[Anonymous Coward]

Where exactly on that wikipedia page does it say that common carriers are not liable for transporting illegal goods/data?

Re:common carrier?

[sjames]

It doesn't, but nevertheless, common carriers are not liable for the goods and data transported. That's why the USPS doesn't face trafficing charges every time someone mails illegal drugs and the phone company isn't charged as a co-conspiritor if someone uses the phone to plan a robbery.

Without the legal recognition of common carriers, there could not be phones, mail, or any sort of shipping. The criminal liabilities would be too great to even consider.

Re:common carrier?

[pegdhcp]

While IANAL, I used to manage our relations with Telecommunications Authority of Turkey, whose regulations are closely similar to other ITU member organizations. Here we are required to protect customer privacy during their telecommunication activities and only share pertaining data with legal authorities. Similarly we are required to modify some web content (in fact, we are poisoning DNS data) only under legal orders. However it is not clear if the traffic from public web sites are private traffic, while messing with a banking site's traffic and/or a transactional traffic carrying credit card info will certainly put you behind the bars.

Re:

[Anonymous Coward]

No.

This is because ISPs aren't common carriers in the first place.

Re:

[afidel]

You are incorrect. Under the safe harbor provision of the DMCA ISP's are in fact listed as being common carriers and stunts like this does in fact expose them to losing the protection of the safe harbor provision. The act may not read exactly as common carrier but the language is extremely similar and grants the same type of limited immunity as common carrier status.

Re:

[T-Bone-T]

We know that. The question is whether or not this will give ISPs common carrier status.

Re:common carrier?

[RobertM1968]

Good question... though I am sure that they can claim it is an automated, non-selective process which might put things in their favor in such regards.

On a similar note, there was a lawsuit a while back about some ISP doing this (and violating the page owner's copyright - which I think got squashed because it was part of the agreement for the free service)... I wonder how something like that would go through today in this type of circumstance - or if the ISPs are going to start changing their TOS's as needed to cover this.

Re:

[ronocdh]

that they can claim it is an automated, non-selective process which might put things in their favor in such regards.

If it's automated and non-selective, it doesn't make a very good ad system, does it? It would have to analyze the content and serve related ads. That's just the advertising paradigm we're operating in.

It would have to be especially good, too, otherwise it wouldn't remain under the radar. One too many way-out-of-context ads, and people would start wondering.

Re:

[IndustrialComplex]

It could be non-selective of the content you are viewing. However, that wouldn't prevent them from using the DNS history profile of the IP requesting the content.

Re:

[darkpixel2k]

It could be non-selective of the content you are viewing. However, that wouldn't prevent them from using the DNS history profile of the IP requesting the content.

I pitty the poor 8 year-old that connects and gets the IP of the dude who was just surfing for a ton of gay black midget hippo lesbian porn...

Re:

[IndustrialComplex]

That would be awkward, but the ISP is the one that assigns those IP addresses and it would probably be pretty trivial to go by a unique user ID rather than just a straight IP.

My point was that it could be done through analysis of the account holder, and not the content that person is currently accessing.

Of course, that would make any ads targeted for such tastes all the more awkward, because that would mean it wasn't just an IP, it was someone with access to your account.

MOM?!?

USA ISPs are NOT common carriers!

[The tECHIDNA]

When will this zombie...er, urban legend die (at least in the US?)

Cable Internet Service Not Common Carrier [slashdot.org] ... and that was a ruling by the US Supreme Court.
Corollary:
FCC Reclassifies DSL, Drops Common Carrier Rules [slashdot.org] ... so DSLs don't escape either.

I'm not rooting for this, but we need to try harder for an actual solution rather than seek the unicorn of a "solution" that didn't/no longer exists.

Re:

[TapeCutter]

I think it's also the reason why here in Oz the phone companies offer ISP services through a subsiduary company.

Unicorn - Where's BadAnalogyGuy when we need him?

Re:USA ISPs are NOT common carriers!

[Kjella]

No, in legal terms they're not but USC 17512 is "common-carrierish" enough that most people will call them that anyway. At any rate, 17512(a)(5) states "(5) the material is transmitted through the system or network without modification of its content." So, if your copyright is being infringed and shown on a page where these ISPs have injected ads, I would say this protection does not apply and you can sue the ISPs for damages. Plus I imagine this shoudl fall under all sorts of other laws, you can't just associate my page with your ad, it can be anything from defamation (ads that are offensive to the site's content) to fraud (thinking you support a page you don't). If you throw a big enough pile of shit at them for this, something will stick.

IMHO the titles are mistaken.

[Ungrounded Lightning]

When will this zombie...er, urban legend die (at least in the US?)

Cable Internet Service Not Common Carrier ... and that was a ruling by the US Supreme Court.
Corollary:
FCC Reclassifies DSL, Drops Common Carrier Rules ... so DSLs don't escape either.

IMHO the Slashdot titles are mistaken. The decision doesn't say they're not a common carrier. It just clarifies what type of common carrier they are.

So they don't have to provide wholesale access to their lines? Fine. Do/can they refuse to give their competi

Re:

[jhol13]

Lets put it this way: In Finland ISPs will not change the data.

"Disturbing telecommunications" is punishable up to two years in prison. And if you are what I think "common carrier" means the minimum penalty is four months jail time.

The law seems (IANAL) to be written so that ISPs are "common carriers" according to this law.

Re:

[malinha]

Here in Portugal is the same, jail time for everyone, but a simple way to piss them off is to send all the ad's ( jpeg's, flash's ) by email to support@isp.something, the subject: Here the trash you left behind ...

Is what i always do whem i receive pub by normal mail, pick the "free replay envelope" put all the trash they sent to me and there you go.

Re:

[TapeCutter]

"The law seems (IANAL) to be written so that ISPs are "common carriers" according to this law."

It normally means the companies who own/run the public part of the network. ISP's generally plug a private network into the public one through a PABX or similar. Phone companies who are also ISP's usually do it via a subsiduary.

Play Dirty game Re:common carrier?

[freedom_india]

Why can't we just convict the CEOs of child endagerment and send them to jail?
For instance someone delibrately hacks ISP pass-thru server, inserts child pr0n into it; streams it to the user; who when arrested by FBI proves in court it was the ISP who changed the pages; and gets the CEO to serve time with bubba!
Yes it does require coordinated well directed effort, but then many would like to play the false flag operations especially if its for a good cause.

I say we do it.

Make a couple of ISP's pay, in jail t

Gah

[Moraelin]

Gah. Two wrongs don't make a right.

And using the law as just some excuse to jail someone you don't like, even via some convoluted fallacy, is not how the rule of the law was supposed to work. And not just from a moral right vs wrong point of view, but it also takes away quite a bit out of the deterrence factor of the law and police. After all, if you know that (A) whether you get convicted or not depends more on whims, friends, or being in the wrong time at the wrong place, and (B) whatever you did, chances are decent they'll find a scapegoat to make an example of, instead of finding you, just says you have more chances to get away with something genuinely criminal.

We tried using spectacular shows of making an example of some bystander, to scare the criminals. Heck, half of the medieval justice worked like that, and the communist block kept at it until the bitter end. It doesn't really work well.

And in this case it would also create the precedent that _any_ content you serve can get you in PMITA state prison. There's nothing to say that only ISP's inserted ads can be demonized and victimized in your setup. Any site, regardless of whether it's serving ads, or is a free forum like Slashdot, or sells stuff on the internet, or is some company's web presence on the net, etc, could be hacked to serve malware, adware, spam, phishing, redirects to other sites, etc. Some of which, yes, porn or to porn.

So what do you propose? That if your company's site can be hacked like that, the CEO goes to jail? Well then how about we take that to the logical end then and give some responsibility in it to the guys who programmed those vulnerabilities too? Or to the admins who didn't secure the servers right? To the security teams who didn't find some glaring vulnerabilities? To the PHB's and developers who had an "auugh, those security guys are just bullies, blowing stuff out of proportion to make me look bad!" attitude and pulled all sorts of strings to get the severity rating lowered? To the beancounters who got a bonus for slashing the budget for security? To the controlling guy who insisted on hiring only the cheapest burger-flippers who had a crash-course in Java, as a cost saving measure? To the level 1 support monkeys who advised someone to disable his firewall and/or disable his virus scanner, just to install a stupid game or access some vuln-laden site? To the idiot who wrote that canned list of answers? Etc.

I mean, if it counts as "endangering the children" if you have some vulnerability that _could_ be used against children, then, seriously, there are a _lot_ of people who had a hand in creating that vulnerability, not just the CEO. That's a lot of jails we'll need.

You'll also notice that it just doesn't say "stop tampering with the sites". It just says that if you can be hacked, you can go to jail. So if you're sure enough of your code and your admins to be on the internet at all, then you're sure enough to mangle the web pages too. E.g., if you're sure enough that your ad server is secure enough to use it on your web site, then you're sure enough to use it in other people's pages too. After all, if it were hacked to serve kiddie porn, it would serve it on your own site too.

No. If it has to be stopped, it has to be a clear law and applied uniformly. The idea isn't even new. Any country has laws against tampering with snail mail. Make it illegal to mess with someone's electronics communications, and apply it impartially and uniformly.

Re:Gah

[freedom_india]

You are right.
But you are also idealistic. And you belong in the Jefferson era.
Your approach would not work in today's times, where corporates rule the roost without even having a vote or responsibility.
Laws can be circumvented easily through stooges, loopholes, sympathetic judges, presidents-pardoning-criminals, etc.

At a time when might is right, it makes sense to apply the same rules to those twist the law and cheat. Take for instance Microsoft's recent troubles: Its EULA clearly state XP is NOT sold, but only licensed, to prevent us from tampering or reselling it. The same EULA was used by one US State to force Microsoft to pay taxes on such license fees. Microsoft tried to weasel out, but was caught by its own EULA. Now they can't avoid paying taxes because their EULA says its license fees, and they can't remove the EULA, because hackers would have a field day in selling legitimate copies of modified XP!

If large corporates can change the spirit of the law to suit themselves and perform unethical and clearly border-illegal acts like throttling, disconnecting without notice, then so can we.

After all US has the Super 501 laws which state that any country's laws which are discriminative against US products would have those same laws adopted by US against them!

If the government says its OK to have an eye-for-eye attitude, then it is OK for me too!

Re:

[Raenex]

Your approach would not work in today's times, where corporates rule the roost without even having a vote or responsibility. Laws can be circumvented easily through stooges, loopholes, sympathetic judges, presidents-pardoning-criminals, etc.

There has always been corruption and injustice. Always. These times are not special, though lots of people in their own particular time seem to think they are going through issues that others haven't.

The fact that the world is largely connected through a free internet is special, and worth fighting for, but not at the point of corrupting the very principles we are fighting for. That's just lazy and dishonest, and frankly weakens the cause and demeans yourself.

Re:

[freedom_india]

free internet is special, and worth fighting for, but not at the point of corrupting the very principles we are fighting for

Probably if our founder fathers have thought along same lines, we would not be free even today or probably would be a commonwealth.
War is a dirty business.
Second World War is where you came close to clearly defining in black and white the good and bad guys.
Yet US and allies did fight a dirty war for the very causes they swore to defend.
As you said, there has always been corruption and injustice.

And if that corruption is useful for the larger good, then i say do it.

Give the ISPs a taste of their medicine, a

Re:

[Raenex]

And if that corruption is useful for the larger good, then i say do it.

That's what everybody thinks when they are being corrupt. They rationalize it. Eventually you get to a point where you are as evil as the "evil" you are fighting against, and you have lost the high ground. It's hard to cry "injustice!" when you are just as unjust.

There are times when you "the end justifies the means". You should just be very, very careful when crossing that line, and not cavalier.

After all they are soulless corporates led by CEOs who have 8 houses and a mistress while our only homes are being foreclosed.

Many workers make a lot more money than people scrounging around at minimum wage. People losing their job

Re:

[Shakrai]

The electoral system in most of continental Europe didn't degenerate into the two-party fuckup of the USA

No, it degenerates into a multi-party fuckup instead, where minor (in some cases single issue) parties hold ridiculous amounts of influence that bear no relation to their actual numbers (unless one party can actually attain a majority on it's own). It degenerates into unstable Governments that dissolve, call for elections, get elected, only to dissolve yet again after some minor party walks away from the governing coalition.

Don't get me wrong -- the system seems to work well enough for Europe. But I d

Re:

[FredFredrickson]

That's why we've got an idea... Open Lobbying [slashdot.org], (Read zappepcs post, and my reply).

Maybe you guys would like to get in on the cause? I am certain this would be ground breaking if we can get a following. email me: webmaster at fredrickville.com

It would probably just borrow some time

[Moraelin]

Possibly US could be there IF both parties are dissolved and all their leaders prohibited for life from politics, and laws are passed preventing corporate ownership of news media, and NO consolidation/monopoly media.

Actually, that would probably borrow some time for you, but still be the long and embarassing road back to square one.

Duverger's law [slashdot.org] basically says that no matter from where you start, a simple plurality voting system devolves into a two-party system, given enough time.

So pretty much unless you

Re:

[Alsee]

I am wondering whether altering web pages by inserting ads changes the ISP status of common carrier

No, their status does not change.

Internet service does not have common carrier status.
Internet service does not have common carrier status.
Internet service does not have common carrier status.

2005 Slashdot story on a US Supreme Court ruling:
Cable Internet Service Not Common Carrier [slashdot.org]

-

Re:

[sjames]

Further, I wonder if they're opening themselves to trademark violations and other liabilities for every site they inject ads into? After all, they're creating the appearance that the websites are responsable for the ads.

For example, given the random nature of ads, how long can it be until they inject an add for alcohol into an AA group's site, make it look like Intel is pushing AMD products (or worse, selling them actively!) or similar mashups that create brand confusion. Just imagine, someone goes to a m

In Canada...

[rrahimi]

Rogers has [dslreports.com] been [arstechnica.com] doing this for a while, which goes along very well with their expensive and not-really-high-speed service.

Re:

[Zanth_]

I use Rogers and am in Ottawa. Besides Bell, Rogers is it! Though I don't experience this ad injection bs (I don't use their browser) I must say they are hands down the fastest and most reliable ISP in this metro. Though pricey, one can now get 20D/1U speeds for their premium package at 100/month and I'm getting 12D/1U for their mid level. Standard is 10 for that price.

I suppose they aren't really high speed for the likes of Sweden or Japan, but in Canada, outside of business OC lines, I don't know of a

Re:

[FunFactor100]

Apparently they can inject ads without you using their browser. There are other ISPs in Ottawa btw, some just resell Bell's DSL though...which is now being throttled.

Thank goodness

[Dunbal]

Someone actually had the balls to NAME these ISPs, instead of referring to generic "providers". Of course it sucks to be you if you live in an area where they have exclusive coverage - but it's good to know who thinks they have the right to tamper with packets going between you and the destination of your choice.

Re:

[Grant_Watson]

This is what https should have prevented, had we not horribly broken SSL certificates. They never should have been tied to any sort of 'trust'...now look what happened.

If there were no sort of trust, the ISP would just perform a man-in-the-middle attack: pretend to be you, accept the web site's SSL certificate, then decrypt the data, insert the ads, and feed you the altered web page encrypted with their own certificate.

Re:

[TheRaven64]

The problem is that it's not tied to DNS. What should happen is that the root DNS entries are signed with a known private key. Every time you pass to a new authority, the SOA record should be signed with the parent's key. When you get to a A record, you get an associated TXT record containing the public key and all encrypted interactions with that host have to use the corresponding private key. That way to get secure communications with the host and guarantee that the host is controlled by the person wh

Please note the following...

[nweaver]

a: XO's spokesperson has publically stated (see the PCWorld article) that it was probably a reseller, not XO itself.

b: Most modifications, at least from the client viewpoint (and excluding the exploitable vulnerabilities which were discovered) are benign. 70% of the modifications were client-side proxies, such as personal firewalls, popup blockers, and add-removers.

Of the remaining, most other modifications where things like enterprise firewall services (which modify/insert Javascript checking code) and compression transformations (removing whitespace and/or routines for displaying downgraded images to save bandwidth).

Re:

[RobertM1968]

b: Most modifications, at least from the client viewpoint (and excluding the exploitable vulnerabilities which were discovered) are benign. 70% of the modifications were client-side proxies, such as personal firewalls, popup blockers, and add-removers.

Them inserting any ads on my web space would not be benign for a couple reasons: (1) I dont know of any bot or script that would do so without damaging the layout (and it took long enough to get some of them to work in the various flavors of IE, and Safari, Firefox and Opera). and since I have my own ads on there, and charge based off the fact that I control the rate, frequency and number of ads displayed at a time, it would also hurt me financially.

Of course, that doesn't apply to most people... and of

Re:

[RedWizzard]

a: XO's spokesperson has publically stated (see the PCWorld article) that it was probably a reseller, not XO itself.

Don't resellers normally only handle billing and other client facing services? Surely XO would be the ones providing the actual service - otherwise the reseller is not a reseller, they're an ISP in their own right.

Re:

[T-Bone-T]

a: XO's spokesperson has publically stated (see the PCWorld article) that it was probably a reseller, not XO itself.

Probably a reseller? They don't know for sure that it wasn't them or they just don't want to admit to inserting ads?

Re:

[Anonymous Coward]

A: Translation.. it WAS XO, if it wasn't they wouldn't have used a BS 'probably' word. They would have denied it.

Signed pages (pity it won't work) and SSL

[Craig Ringer]

Because of this issue and some related problems I've often wondered about extensions to HTTP to support cryptographically signed pages.

HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches.

Signed pages, if static, could be signed once and stored. They'd also be cacheable with all the normal rules.

The main issue is key management. How do you get the signing key? Well, I'm pretty sure the HTTPS certificate key could be used to sign a page, though there might be risks to the integrity of the key. A better way would be to use a single HTTPS request to grab a signing key from the remote site.

Signatures could be just another HTTP header, so browsers without support would never even notice. An alternative would be a HTML comment after the close body tag. The HTTP header, though, would work for related resources like images as well, and for that reason would probably be much better.

Unfortunately, it's all useless because an ISP could trivially strip signatures from HTTP headers or pages if they wanted to mess with the page.

If this sort of thing keeps on happening sites will just have to start offering HTTPS for all communication. The dodgy ISPs will have lower cache hit rates and higher demand for external bandwidth, but they will have done it to themselves.

If only browsers would FINALLY include support for HTTP+TLS and for TLS upgrades, encryption could even be done transparently to the user.

Re:

[jd]

Don't see why it wouldn't work. You pull the site's public key from a public key server and validate against it. Or if caching is prohibited, use a key exchange algorithm to swap two random numbers - on the server, the server's number signs the page and the user's number countersigns it. It doesn't matter that it's weak, since you can use the HTTP headers to exchange new key pairs every page if you like and it's only intended to stop injection attacks.

Re:Signed pages (pity it won't work) and SSL

[Craig Ringer]

Because any signature not accompanied by protocol encryption can be stripped by the man in the middle (say, your ISP) without the client knowing it was ever there. Mechanisms to prevent that would also eliminate backward compatibility with older, signature-unaware, browsers, and would end up being essentially HTTPS anyway.

Re:

[jd]

Let's say that you stipulate that if the user/host component of the URI can be resolved into a public key, the page must be signed, then you eliminate the case of the signature being removed by a browser that makes that initial check (and therefore presumably makes the later ones) but do not impact browsers that do not make that check. The premise here is that there is some sort of trusted third party that cannot be trivially screened and that can tell the browser what to expect from the server. This would

Re:

[jd]

Ah, well if you shift the problem from whether it's even technically possible to whether it's remotely probable, then that's a different matter. Trusted third parties are arguably reasonable enough, but very large scale, economically viable trusted third parties are, whilst technically within the realms of possibility, not the least bit likely.

Re:

[scruffy]

I would think MITM attacks by your ISP would be too easy to detect for them to do this on a regular basis without getting bad PR.

Re:

[Craig Ringer]

Bad PR in the tech-savvy crowd, sure. All the bandwidth hogs will leave ;-) . If they used bandwidth tiered pricing (like everybody in Australia does) they might care, but in places like the US they'll probably be pleased.

They might lose a little bit of business due to lost recommendations, but let's face it ... most people have no clue about ISP choice, and will buy whatever advertises the cheapest service with the biggest "speed" number.

Here in Australia the biggest ISP by far is Telstra, who're also the

Re:

[houstonbofh]

Why is this so hard for ISPs to understand... Monitoring, filtering, or changing content will always result in obfuscation and encryption. Both solutions just make the ISP problems worse. Quite fighting your customer.

Re:

[profplump]

If only browsers would FINALLY include support for HTTP+TLS and for TLS upgrades, encryption could even be done transparently to the user.

I'm all for STARTTLS support, but it's not clear to me how it would be any more or less transparent from the user perspective than HTTPS. What am I missing?

Re:Signed pages (pity it won't work) and SSL

[Craig Ringer]

I probably spoke poorly by using the term "transparent". As you note, it's already pretty transparent to the user.

What it's not is transparent to the web developer, host, and server.

With STARTLS the restriction of one SSL host per IP address/port pair is lifted. That permits WAY more sites to use SSL, and allows its use without a redirect to a different host and/or port. The user won't see a different URL, there's no protocol string change, etc.

It also allows a client to control whether or not it wants to use TLS, rather than having the server and web designer make those decisions for the client. The server can force the issue, but can also leave the option open to the client where appropriate.

I really like the idea of being able to configure my machine to automatically prefer TLS encryption for HTTP when I'm using, say, a wireless hotspot. I like the idea of being able to set my tech-illiterate parents' laptops up the same way even more.

It'd be particularly nice if combined with a new CA that was fast, cheap and fuss free at the cost of providing poor checking and verification (not like the current ones... *ahem*). Joe Blogger could get his SSL cert for TLS upgrades, and browsers could use it to help ensure encryption and communication integrity without ever suggesting to the user that the presence of the cert and protocol encryption implied anything about the identity or trustworthiness of the site operator.

Currently your options are self-signed (resulting in most browsers screaming loudly to the user), expensive but still poorly verified certs from people like Verisign, or in-between options like openca that most browsers treat as no different from just another self signed cert.

Personally I think the way browsers equate SSL with site trust is fundamentally flawed, and I think they've finally started to realize it, as evidenced by EV certificates and so on.

Re:

[Shakrai]

HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches.

Is being friendly to web caches still relevant in this day and age? How many organizations and/or ISPs actually still have to rely on caching because of a lack of edge bandwidth? Is this really still a concern?

In that same vain, is the extra CPU overhead of https really a concern in this day and age? Even for older computers, is the CPU really the bottleneck? I've always found that memory (esp with Firefox) and slower hard drives (esp with less memory when swapping comes into play) are the bigger is

Re:

[Craig Ringer]

Is being friendly to web caches still relevant in this day and age? How many organizations and/or ISPs actually still have to rely on caching because of a lack of edge bandwidth? Is this really still a concern?

Alas, yes, at least in some places. Australia, for example, where *all* ISPs meter bandwidth and many users are on plans that permit them as little as 500mb or 1GB per month. I have a 24MBit ADSL service with a very reasonable 40GB allowance, but that's on the top end of what you can get and it's pretty pricey.

In that same vain, is the extra CPU overhead of https really a concern in this day and age? .... snip .... Or are you thinking about the CPU overhead on the webserver instead of the client?

I referred to CPU cost on the web server. Crypto accelerator cards help a lot there, though.

Re:

[Kjella]

HTTPS is great, but involves a significant CPU cost per page and isn't friendly to web caches.

We were doing 128-bit HTTPS connections ten years ago. Now I don't know how heavy hardware they used or how big that penalty is, but I'd be surprised if a decent server can't handle it, my box does P2P with encrypted transfers without breaking much of a sweat. As for web caches, HTTP less video/audio streaming like youtube is about 20% of Internet traffic. That means 80% aren't in the web caches and less traffic to fill the cache plus more dynamic content that can't be cached I think we're even lower. The

Re:

[elgaard]

There is an expired RFC draft for cryptographically signed web-content:

http://www.watersprings.org/pub/id/draft-jbendtsen-writing-rfcs-00.txt [watersprings.org]
(I was Jons adviser on the project, creating the draft)

--
Niels

Cant see the story...

[Kenja]

All I see is "Local ISPs cure cancer. All hail SBC!"

There is NOTHING wrong with this.....

[zappepcs]

as long as the ISP is paying me to download their ads. If I'm on the connection for 5 hours per week average, and using an average of 22kbps for that 5 hours, and it costs me about 11 dollars per week for service.

22 x (5x60x60=18000) = 396000 kb

if they force me to download one 75kB ad per page, say once per min. that would be (5x60x75x8=180000 bits or 180kb)

180 kb / 396000 kb = 0.0454545% OR $0.50 per week.

That would mean lowering my bill by an estimated average of $2.00 per month.

For that to happen require

Re:

[Bill, Shooter of Bul]

Uhmm, pretending that I was your ISP, I would gladly give you a $5.00 discount on your bill for your continuing loyalty and use of our new web x.0b product finder service.

On a completely unrelated matter, we are experiencing some unexpected increases in the fees were paying due to the increased cost of oil coupled with the devaluation of the dollar against the euro ( I'm sure you must have read about it in the news) , So we are forced to increase rates with a $5.00 per month "Save the Future" fee. Take p

Re:

[spikedvodka]

Don't forget that because of our effort to become a "carbon-neutral" company, we are making a monthly investment in renewable energy, and are passing a small fraction of the cost on to you. You will see that as a $15 Carbon-Neutral charge on your monthl bill

duh

[the brown guy]

tell us something we don't know http://tech.slashdot.org/article.pl?sid=08/04/07/1457218 [slashdot.org] http://yro.slashdot.org/article.pl?sid=08/03/29/2217231 [slashdot.org] http://tech.slashdot.org/article.pl?sid=08/03/27/149253 [slashdot.org] http://yro.slashdot.org/article.pl?sid=08/03/25/035200 [slashdot.org]

Don't Give Virgin Media Ideas

[MrSteveSD]

Please!

I charge for ads

[BanjoBob]

My sites charges for advertising -- it is NOT free. If an ISP inserts ads into my pages, then I expect to be properly compensated for them.

If an ISP starts inserting ads of my competitors on any of my web sites, that would be totally unacceptable behavior.

Does this occur when a client's ISP passes traffic from my host to the customer's client? If so, I don't know how I could monitor that or even detect it unless the client user notified me.

I'd like to hear more on this subject.

Re:I charge for ads

[Compholio]

I don't know how I could monitor that or even detect it unless the client user notified me.

Have your server compute the MD5 sum of the page of your website and transmit it as an invalid HTML tag (or just a hidden one) at either the beginning or end of the document. In this document (or in a referenced "SCRIPT" page) also insert JavaScript that computes the MD5 sum of the client-received document (sans the added information) and transmits both the original MD5 sum and the computed sum back to your sever using AJAX. If these don't match then somewhere along the way someone tampered with your document.

Re:

[shabble]

insert JavaScript that computes the MD5 sum of the client-received document (sans the added information)

This won't work, because browsers typically change the HTML during parsing. Might work if you only compute the MD5 of only parts of it (like only the img src values.)

Re:

[ruin20]

See above. That would return different checksums for almost all pages given most ISP's use some form of compression/decompression that will parse the page. The MD5sums will almost always be different.

Encrypt

[MacDork]

If you aren't encrypted, it could occur at any hop along the way. The good news is end to end encryption solves all sorts of problems :-)

Re:

[Lost Engineer]

Thanks to that other dude for whining about your site; by which I mean convincing me to click on the link. I'm liking what I'm seeing so far.

They're not inserting ads into your pages

[Rix]

The content on your machine is not altered in any way. Once you pass it off, you really have no say in what's done with it.

How is this any different in principle from the ad stripping software we've always had?

It's Started

[hyades1]

All the huge communications/entertainment corporations and every government in the world have been trying for years to get control of the internet and make money off it/control it. It looks like the big push is on. The ISP's want to start throttling bandwidth and content, then raking in the cash from both ends. Governments have finally figured out that they can get what they want by bribery instead of just the threat of legislation, and so has the entertainment industry. They're all on the same page now, and all of us are squarely in their gun-sights.

It's time for those of us who value what we have here to wake up and start fighting back. The pressure is bound to get intense, and it's going to come from a lot of places. There's too much money to be made and too much power to be had in controlling the flow of information to a huge portion of the world's population.

I don't know whether the solution is technological, legal, some combination, or something completely different (like massive displays of civil disobedience, for example). But I'm utterly confident that if people don't start fighting back, we can all kiss access to unfiltered information goodbye.

And that will be a very, very dangerous thing.

Re:

[e9th]

Well said. Very well said.

Re:

[EasyTarget]

Amen,
And we need to evangalise this too. It's something people can easily grasp as being wrong and dangerous.

I found it very easy to explain to a colleague who's initial reaction was 'so what, it's just ads.' That once the advertisers are paying the ISP directly, they won't be paying the website operators. Out goes all the non-corporate content, ie. most of the good stuff..

They themselves then worked out that once changing ads becomes common, inserting extra ads will follow, and finally other content will b

Blocking content vs. modifying content

[Fulkkari]

We often complain about the efforts made by China and others in blocking Internet content. But how does this compare to modifying the content? With blocking you know it is blocked, but with modified content, can you tell? The ISP might say that it just puts ads on the pages, but would you trust it? Having a secret ISP framework for modifying content is a disaster waiting to happen. Personally, I think the web should go https.

Web Publishers Lobbyists

[FunFactor100]

The ISP's surely have lobbyists...perhaps it's time website owners band together and hire their own lobbyists. I own a medium sized site, I'd get on board assuming we could all agree on things.

Now we know why ISPs are so against Net Neutrality

[Newer Guy]

The reason they're so against it is because they're already VIOLATING it! If net neutrality laws/policies came to be the ISPs would have to change the way they conduct business now.

Toolkit for detecting changes to your own page

[csreis]

If you're interested in knowing if your own page is being modified in flight, we (the authors of the study) have an open source toolkit [washington.edu] for adding a "web tripwire" to your page. It's just a piece of JavaScript code that does an integrity check within the user's browser, and it can report any in-flight changes back to your server.

The toolkit requires you to run CGI scripts on your server to collect results, but we also have a web tripwire service that is easier to use (available on the same page above). Just add one line of JavaScript to your page, and our server will handle the integrity check and collect the results. We can then provide you with reports of the changes, much like Google Analytics.

We hope that by spreading web tripwires to other pages, we can at least deter ISPs from making further changes to web pages in-flight.

Kudos to the UW folks - one small problem...

[itsdapead]

Great study, kudos etc, but one small heads up:

On visiting vancouver.cs.washington.edu (which you are encouraging people to digg and blog) I'm told that I have taken part in an experiment, many thanks, fait accompli - I'm not told (or at least, can't discover without extensive reading) what data has been gathered, whether it will be anaonymous, whether I can opt to withdraw etc.

Do you see where I'm going here...?

I really don't think the UW guys are going to be abusing this data, and they're doing it to

Re:

[llamafirst]

Plus if you use a small amount of encryption in your web tripwire / digital signature code, any ISP attempt to subvert the tripwire would be a DMCA criminal act in USA.

Legal?

[Raul654]

Is injecting data into someone else's bitstream legal? IANAL, but I suspect this practice could very well run afoul of computer trespass and other anti-hacking laws.

Re:

[quaero_notitia]

Michigan law "FRAUDULENT ACCESS TO COMPUTERS, COMPUTER SYSTEMS, AND COMPUTER NETWORKS Act 53 of 1979" http://legislature.mi.gov/doc.aspx?mcl-Act-53-of-1979 [mi.gov]

Read 752.795 Prohibited conduct. Sec. 5. http://legislature.mi.gov/doc.aspx?mcl-752-795 [mi.gov]

Here's snip from Sec. 5: "(b) Insert or attach or knowingly create the opportunity for an unknowing and unwanted insertion or attachment of a set of instructions or a computer program into a computer program, computer, computer system, or computer network, that is

Googling for _popupControl ...

[argent]

The first hit is a thread on a BBS complaining about the web forum inserting _popupControl.

How many other problems caused by injection are being blamed on the wrong parties?

Others couldn't get away with this

[DKlineburg]

I think this is the same thing as if a paper boy were to take out ads, and or add ads to your paper on delivery. I don't think the newspaper would be very happy with this result. I don't see how this is any diffrent, and I don't think it should be tolarated as such.

Encrypt

[DeanFox]

Why on Earth are we allowing anybody to read this traffic?

All new programs really need point to point encryption built in by default. As in, I want to design a new {whatever}: In programming I first decide how to secure the connection and encrypt the data. Second, I decide what I'm going to transfer, then the interface.

Post cards eventually led to folded paper with a wax seal to the letter inside a sealed envelope. Where is the same standard of privacy in Internet Clients that I expect when I mail something as simple as a greeting card?

Once Point to Point Encryption becomes the standard in all package design if the government wants to intercept and read my communications they'll have to do what the law says they have to do... Get a warrant. The same goes for my ISP or anyone else for that matter.

There's a reason all Internet use should be considered public. We're all shouting at the top of our lungs. Right now all they have to do is stand close enough to eavesdrop on a public communication that's out in the open.

Most of us on SlashDot are in the industry designing these Clients. Rather than complain, when you write your next Client why not design it securely?

-[d]-

Re:

[qzulla]

Once Point to Point Encryption becomes the standard in all package design if the government wants to intercept and read my communications they'll have to do what the law says they have to do... Get a warrant. The same goes for my ISP or anyone else for that matter.

I could be wrong here but wouldn't they need a public key for this? How many even know what this is? Would it be automatic? Do I have to surrender my key so I can be monitored? If so then why would it be any better than the failed Clipper chip?

Call it "Tampering"

[theonetruekeebler]

We need to stop referring to these shenanigans with neutral or pragmatic names. We call these actions "modification" or "altering" or "injection" and it riles us, but you can bet your bottom dollar that the ISPs and Comcasts of the world are sitting around coming up with terms like "shaping" and "adapting" and "presentation opportunity."

Names are powerful.

If an ISP modifies a web page, they are tampering. Putting their own ads there is impersonation

If an ISP puts your IP at the top of a RST they generated, they are packet forging.

If an ISP examines the data portion of a packet they are reading your content.

If they change the header (other than decrementing TTL or doing NAT) they are packet tampering.

And if they say it's to enhance user experience they are lying

This is an oppertunity to make big bucks.

[anwyn]

This violates two laws. First the ECPA [wikipedia.org]. In order to modify a web page you have to intercept it. Ok, maybe the ISP can get out of this by getting you to wave this as part of your term of service agreement. Further, even if you could catch them in the act and get the government to prosecute, the fines would go to the government. There is no Gold here.

Second, it violate the copyright act! The right to create derived works [cornell.edu] is one of the exclusive rights of copyright holders!

we all knew this since the 90s

[hesaigo999ca]

Dude, 99, i was visiting sites that were full ads from the ISP hosting your website, what would be different now, that they do this dynamically on the way to the end point user, instead of static inline in your code???

Let's establish a copyright troll!

[anwyn]

This violates two laws. First the ECPA [wikipedia.org]. In order to modify a web page you have to intercept it. Ok, maybe the ISP can get out of this by getting you to wave this as part of your term of service agreement. Further, even if you could catch them in the act and get the government to prosecute, the fines would go to the government. There is no Gold here.

Second, it violate the copyright act! The
right to create derived works [cornell.edu]
is one of the exclusive rights of copyright holders! Secondly, the right to create derived

Use hash?

[sdhoigt]

I honestly don't know how easy this would be to implement, but how about we start using a new meta tag on our web sites that contains a (dynamically generated) hash of the HTTP content for each page being sent (probably easier said than done). The client browser would then check against the hash with the content it received and notify the user in some fashion if the two hashes differ.

I know this would increase the resources needed for each and every page sent/received, but maybe (client side anyway) you co

Obligatory

[david_thornley]

1. Create a web page.
2. Register the copyright with the copyright office.*
3. Watch to see who changes content on your page.
4. Sue them.
5. Profit!

*Copyright violation is illegal without this step, but you can sue for a whole lot more money if it's registered.

(The "ol" tag seems to be broken. Please imagine the numbers.)

Re:copyright issues

[RedWizzard]

more importantly, is this any form of copyright violation?

IANAL, but I think so. They are distributing a derived work (the modified webpage). They'd need permission from the owner of the copyright on the original work (the original webpage) or they'd be infringing.

Re:

[wkk2]

This practice will probably end about the time a major corporation sees an ad for a competitor inserted into a web page. Purchasing a crypto accelerator and going 100% https seems like the only solution.

Re:copyright issues

[EdIII]

I was thinking of the same thing. Trying to wrap my mind around it.

The best analogy I can come up with is a kid delivering newspapers. You THINK the kid is just delivering the newspaper to you, but he is instead cutting out the advertisements (or god knows what else) and inserting his own client's advertisements while being paid for it.

Now of course, unlike a newspaper, a website does not get paid for the advertisements up front. So I cannot see this as anything other then stealing. We can argue the technicalities to death here, but the EFFECT is that the website was denied revenue from their ads, while the ISP gained ad revenue for themselves. Your question of compensation is interesting, but how could one gauge what that potential compensation could have been? Assume the individual would have clicked all the replaced ads on the page and then multiply for punitive damages?

I don't know about copyright violation as a complaint from the newspaper being a viable method to protect themselves. Is there legal protection afforded to websites that states the entire website must not be altered in any form during transit? Like I said I dunno.

What I find more foreboding is that you can no longer trust the "messenger". These ISP's absolutely MUST lose their common carrier status, since I believe that any ISP must remain impartial to the data being transmitted across its networks to have that status. Injecting advertisements into web sessions could not possibly be considered impartial. They have a direct financial motive to do so.

In order to protect their advertisement revenue streams websites may have to resort to strong measures, like encapsulating ALL of their traffic with HTTPS. That is just ridiculous.

I am sure that the proponents of Net Neutrality are going to enjoy their nice new shiny bullet.

Re:

[Ichijo]

The best analogy I can come up with is a kid delivering newspapers. You THINK the kid is just delivering the newspaper to you, but he is instead cutting out the advertisements (or god knows what else) and inserting his own client's advertisements while being paid for it.

I'd say it's more like he's inserting flyers. TFA didn't mention anything about ISPs removing or replacing ads in web pages while in transit, just adding more.

Re:

[qwan]

No it is not flyers. Inserting flyers would be the ISP makes a window pop with ads.(it still needs to modify the page to add the javascript). So the ISP is indeed messing up the withe newspaper and the content. So the analgy is correct. In flyers the newspaper content is not touched.

Re:

[Tibeca]

Oh geez, first it is already in you terms of Service that you agreed to when you reqested the service. For example, I have Verizon DSL and theirs says, "Changes to Service or Features. Verizon reserves the right to change any of the features, Content or applications of the Service at any time with or without notice to you. etc." They state right there "content" and your most likely does too. Besides, you have the right to cancel, that's included in the TOS too. Second, it is not copyright infringement becau

Re:

[BitterOak]

The best analogy I can come up with is a kid delivering newspapers. You THINK the kid is just delivering the newspaper to you, but he is instead cutting out the advertisements (or god knows what else) and inserting his own client's advertisements while being paid for it.

Whoa! There's a big difference here. The paperboy is a paid employee of the newspaper, and he is handling the papers as part of his job. The ISP is not paid by the websites at all. They are, rather, paid by their customers. Their ability to inject ads may very well then depend on the terms of service contract they have with their customers. The websites are, in general, not their customers!

Re:Clearly it's the Commies!

[magicchex]

Commies as in Comcast?

Re:

[devnullkac]

Commies as in common carriers.

Re:

[Anonymous Coward]

Now that you mention it, I do remember an ad asking for my "bodily fluids"

Re:

[chubs730]

Just shut up already! Nobody gives a shit! If we wanted to use adblock we would!