
Tool Detects "In-Flight" Webpage Alterations

TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."
  • by nweaver ( 113078 ) on Wednesday July 25, 2007 @11:33AM (#19983931) Homepage
    We (the authors of the page) will be answering questions in this thread.
  • by maggard ( 5579 ) <michael@michaelmaggard.com> on Wednesday July 25, 2007 @11:34AM (#19983951) Homepage Journal

    No need for thousands of "All good in Kalamazoo" & "Up to date in Kansas City" posts.

  • by Spy der Mann ( 805235 ) <spydermann.slash ... m ['mai' in gap]> on Wednesday July 25, 2007 @11:43AM (#19984119) Homepage Journal
    A friend of mine had a similar problem with his webpages. They were on a free host (rolls eyes). I wrote a script for him to store special tags to denote the beginning and the end of his webpage content. After the webpage was loaded, a script erased everything and replaced all the html with his marked content. Ta-da, no ads!

    If you want to be stricter, encode your webpage content with base64 to make sure the ads don't intrude on your precious content.
  • by brunascle ( 994197 ) on Wednesday July 25, 2007 @11:53AM (#19984281)
    They're not talking about the ISP hosting the web page, they're talking about your ISP adding ads to random sites that you visit. Client-side, not server-side.
  • Re:Huh? (Score:3, Informative)

    by fullmetal55 ( 698310 ) on Wednesday July 25, 2007 @11:58AM (#19984361)
    It's not the host ISP that's inserting the ads, it's the "client" ISP. For example, Joe Smith buys a computer and buys high-speed internet from "ECI", the Evil Cable ISP. Joe Smith visits Bob's website. Bob, who hates ads, never put any on his webpage, and instead makes his money through online sales of his product. Now Joe loads up Bob's webpage to purchase a widget from Bob, and he sees ads all over Bob's website. Bob, who has GHI (Good Highspeed ISP), visits his website and there are no ads. ECI is putting the ads on Bob's website and collecting all the revenue from those ads, profiting off of Bob's website.
  • Analyses (Score:3, Informative)

    by nweaver ( 113078 ) on Wednesday July 25, 2007 @11:59AM (#19984385) Homepage
    We've seen a couple of cases of NebuAd, one other that looks interesting, and a fair amount of adblocking/firewall software (e.g., ZoneAlarm does some modifications).

    We are waiting for the Slashdot and DIGG deluges to pass, however, before we have a more detailed analysis.
  • by nweaver ( 113078 ) on Wednesday July 25, 2007 @12:05PM (#19984459) Homepage
    HTTPS, when certificates are properly used, is designed to prevent man in the middle viewing and modification.
  • by nweaver ( 113078 ) on Wednesday July 25, 2007 @12:08PM (#19984493) Homepage
    We are specifically worried about this case. But we have some thoughts on how to make it more difficult for someone to do that, which will probably end up in a full paper later.
  • by ookabooka ( 731013 ) on Wednesday July 25, 2007 @12:12PM (#19984559)
    These guys actually want as much traffic as they can get to get a good idea of what ISPs are doing what. Go ahead, click online tool. [washington.edu] It's pretty nifty.
  • by Excors ( 807434 ) on Wednesday July 25, 2007 @12:23PM (#19984737)
    For sites like GeoCities that add

    </object></layer></div></span></style></noscript></table></script></applet>(...adverts...)
    to the bottom of your page to stop you trying to hide their adverts, it could be good to add <plaintext style="display: none"> to your page just before the point where they add their junk. plaintext is the unstoppable monster [htmlcodetutorial.com] of HTML – there is no closing tag, and the rest of the page will be treated as plain text instead of HTML. It's a slightly obscure feature, but it has better support between web browsers than many other parts of HTML and it can be fun to play with...
  • by nweaver ( 113078 ) on Wednesday July 25, 2007 @12:31PM (#19984843) Homepage
    One of the big reasons is the certificate model...

    If you self-sign, everyone gets a nag panel every time they visit your web page. If you have VeriSign or someone else provide you with a certificate, it costs real money.

    Also, the HTTPS handshake is expensive: figure ~.1 CPU second per visitor to handle the public key exchange, and it starts to add up. There is a reason why GOOGLE doesn't use https for gmail by default (you have to manually type in https://mail.google.com/ [google.com] to get gmail through SSL): the key exchange is expensive, even by Google's standards.
  • by nweaver ( 113078 ) on Wednesday July 25, 2007 @12:49PM (#19985105) Homepage
    Because people don't use SSL, and ISPs are actively inserting ads into web pages.

    And click the link anyway, we want to have as many people try it as possible.
  • by csreis ( 1132205 ) on Wednesday July 25, 2007 @01:34PM (#19985751)

    Actually, our test page happens to answer these questions, to some extent.

    All of our test pages are marked with "Pragma: no-cache" and "Cache-control: no-cache" in the HTTP response headers, but we're observing changes to the pages anyway.

    Our integrity checking mechanism uses AJAX requests (XmlHttpRequests) to fetch the test page. ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both. However, we're only asking for a normal HTML file with the AJAX request, so I can't comment on whether they would modify other types of XML data.

    Charlie
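
An added example, not part of the comment above and not the researchers' code: a sketch of the check csreis describes, where the page's source is refetched with an XMLHttpRequest and compared against the copy the server meant to send. All function names, the sample HTML and the `ads.example` URL are constructed for illustration.

```javascript
// Added illustration; every name below is hypothetical, not from the UW/ICSI tool.
// Constructed sample: the page exactly as the server publishes it.
const EXPECTED_HTML =
  "<html><head><title>Test page</title></head>" +
  "<body><p>Hello, world.</p></body></html>";

// Constructed sample: markup a middlebox might splice in before </body>.
const INJECTED = '\n<script src="http://ads.example/inject.js"></script>\n';
const TAMPERED_HTML = EXPECTED_HTML.replace("</body>", INJECTED + "</body>");

// Compare the known-good copy with what actually arrived. Returns null when
// they match; otherwise the changed region, found by trimming the longest
// common prefix and then the longest common suffix of what remains.
function findAlteration(expected, received) {
  if (expected === received) return null;
  const maxCommon = Math.min(expected.length, received.length);
  let start = 0;
  while (start < maxCommon && expected[start] === received[start]) start++;
  let tail = 0;
  while (
    tail < maxCommon - start &&
    expected[expected.length - 1 - tail] === received[received.length - 1 - tail]
  ) tail++;
  return {
    offset: start,
    removed: expected.slice(start, expected.length - tail),
    inserted: received.slice(start, received.length - tail),
  };
}

// Short report a page could send back to its server for later analysis.
function describe(expected, received) {
  const diff = findAlteration(expected, received);
  if (!diff) return "unmodified";
  return `modified at offset ${diff.offset}: removed ${diff.removed.length}, ` +
    `inserted ${diff.inserted.length} chars`;
}

// Browser only: refetch the page with XMLHttpRequest. On the wire this is an
// ordinary HTTP GET, so an in-path rewriter treats it like a normal page load.
function fetchPageSource(url, onBody) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, true);
  xhr.onload = () => onBody(xhr.responseText);
  xhr.send();
}
```

In a browser the check would be wired up as `fetchPageSource(location.href, body => describe(EXPECTED_HTML, body))`, with the expected copy shipped inside the script itself.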

  • by spun ( 1352 ) <loverevolutionary@@@yahoo...com> on Wednesday July 25, 2007 @02:31PM (#19986539) Journal
    Are you pretending to be mentally challenged in order to troll, or do you really not understand even after having it explained to you a little further up the page? It is not the developer's ISP, or the hosting ISP that is doing this! It is the ISP of the people looking at the page. So, you left out a step in your patented eyeball method: signing up for every ISP in existence and loading your page, to see if that particular ISP does it.
  • by db32 ( 862117 ) on Wednesday July 25, 2007 @04:10PM (#19987765) Journal
    Not exactly. A book is just a book. Words on paper. A webpage is FAR more visual than text on page (unless you have been sleeping the last few dozen years). Inserting ads could easily be considered a derivative work since you are altering the look of the site. What if I didn't want ads? What if my design is a nice soft brown and then you start inserting pink flashing ads? Or God forbid, these clowns insert one of those drive-by installer ads, now your business reputation is completely screwed because some major ISP decided to make a buck without checking their sources and your website infected thousands of consumers. Good luck explaining to your customers how it was the ISP magically sneaking ads onto your website.
