Tool Detects "In-Flight" Webpage Alterations
TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."
Answers to questions in this thread (Score:5, Informative)
Please don't post negative results! (Score:5, Informative)
No need for thousands of "All good in Kalamazoo" & "Up to date in Kansas City" posts.
A possible workaround (Score:5, Informative)
If you want to be stricter, encode your webpage content with base64 to make sure the ads don't intrude on your precious content.
Re:I've got a better method... (Score:3, Informative)
Re:Huh? (Score:3, Informative)
Analyses (Score:3, Informative)
We are waiting for the Slashdot and DIGG deluges to pass, however, before we have a more detailed analysis.
Re:Answers to questions in this thread (Score:3, Informative)
Re:Next week on Slashdot (Score:5, Informative)
They WANT to be slashdotted (Score:3, Informative)
Re:A possible workaround (Score:4, Informative)
Re:Answers to questions in this thread (Score:3, Informative)
If you self-sign, everyone gets a nag panel every time they visit your web page. If you have VeriSign or someone else provide you with a certificate, it costs real money.
Also, the HTTPS handshake is expensive, figure ~.1 CPU second per visitor to handle the public key exchange, and it starts to add up. There is a reason why GOOGLE doesn't use https for gmail by default (you have to manually type in https://mail.google.com/ to get gmail through SSL), the key exchange is expensive, even by Google's standards.
Re:Answers to questions in this thread (Score:3, Informative)
And click the link anyway, we want to have as many people try it as possible.
Re:Answers to questions in this thread (Score:3, Informative)
Actually, our test page happens to answer these questions, to some extent.
All of our test pages are marked with "Pragma: no-cache" and "Cache-control: no-cache" in the HTTP response headers, but we're observing changes to the pages anyway.
Our integrity checking mechanism uses AJAX requests (XmlHttpRequests) to fetch the test page. ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both. However, we're only asking for a normal HTML file with the AJAX request, so I can't comment on whether they would modify other types of XML data.
Charlie
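A sketch of the kind of check the comment above describes, added here as an illustration and not the researchers' own code: the script refetches the test page with an XMLHttpRequest and compares it against a known-good copy it carries itself. The embedded-copy comparison, the function names and the sample pages are all assumptions made for this example.

```javascript
// Added example, not the researchers' code. All names are hypothetical.

// Known-good copy of the test page, shipped inside the checking script.
// Constructed sample content.
const EXPECTED_PAGE =
  "<html><head><title>Test page</title></head><body><p>Hello</p>\n</body></html>";

// Constructed sample of what an in-flight injector might hand the browser.
const TAMPERED_PAGE = EXPECTED_PAGE.replace(
  "\n</body>",
  '<script src="http://ads.example/a.js"></script>\n</body>'
);

// Trim the common prefix and suffix to isolate the altered region.
// Returns null when the two copies are character-for-character identical.
function diffRegion(expected, received) {
  if (expected === received) return null;
  const max = Math.min(expected.length, received.length);
  let start = 0;
  while (start < max && expected[start] === received[start]) start++;
  let endE = expected.length;
  let endR = received.length;
  while (endE > start && endR > start && expected[endE - 1] === received[endR - 1]) {
    endE--;
    endR--;
  }
  return {
    offset: start,
    removed: expected.slice(start, endE),
    inserted: received.slice(start, endR),
  };
}

// Fetch the page with a plain XMLHttpRequest GET, which on the wire looks
// like any other page request. Browser only.
function xhrFetchText(url) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url);
    xhr.onload = () => resolve(xhr.responseText);
    xhr.onerror = () => reject(new Error("request failed: " + url));
    xhr.send();
  });
}

// fetchText is injectable so the check can run against a stub offline.
async function checkIntegrity(url, expected, fetchText = xhrFetchText) {
  const change = diffRegion(expected, await fetchText(url));
  return { url, modified: change !== null, change };
}
```

The reported region is the smallest span that differs, so when inserted markup begins with the same characters as the text that follows it, the boundaries can shift by a few characters.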
Re:I've got a better method... (Score:4, Informative)
Re:Oh lord the confusion (Score:4, Informative)