Tool Detects "In-Flight" Webpage Alterations

TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."

Frames

[benhocking]

What if the ISP is simply putting the web-page in its own frame, and the advertisement in a second frame? Unless you add the ability for web-pages to dictate that they should not be in frames, this one can't really be trapped for like that. The ISP could create its own hash for the served web-page that holds the frames.

Re:What about the terms of service?

[Anonymous Coward]

Yeah, well, it's not you that has the beef - it's the creator of the web site who's had his work modified. Your ISP is making a derivative work of his site, and you can't give your ISP permission to do that, only he can. TOS between you and your ISP won't make a damn bit of difference in this case.

Re:A possible workaround

[Raistlin77]

I'll bet that his user agreement with that free host also clearly states that circumventing their added content in the manner that your script does is prohibited. If they discover your script, they'll likely disable his account.

Re:Should just block all ads, but...

[mdm-adph]

You're right! Why didn't we think of that before! Let me just cancel my Charter account and move to.... nothing. Charter's the only provider for my area.

Re:Should just block all ads, but...

[vux984]

All these ideas are neat, but ultimately losers.
MOVE TO ANOTHER PROVIDER TODAY.

Why should I do that if I don't know the ISP is modifying the web pages in flight? Maybe I need a tool that could somehow detect that? That would sure be useful. Oh wait...Isn't that what this discussion is about?

If it's happening near the client..

[Sloppy]

..why not just use SSL?

I can understand how this wouldn't help with hosting ISPs who insert ads into their own customers' pages, but if you're worried about your readers' ISPs modifying your pages, SSL seems like a no-brainer.

What's the downside? It can't still be CPU, can it? It's 2007 now, and processing power is ridiculously cheap/fast.

Re:Answers to questions in this thread

[Compholio]

ISPs can't distinguish between an AJAX request and a normal page request (i.e., they both look like normal HTTP requests), so they inject ads into both.

Under normal circumstances AJAX and "normal" requests are the same; however, AJAX has a "setRequestHeader" parameter that can be used to set additional headers. This is significant in that HTTP/1.1 states:

The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain.

You've already proved that the cache is violating the HTTP/1.1 RFC by ignoring the response header, I am curious as to whether it ignores the request header as well.

Re:Answers to questions in this thread

[EvanED]

Oh c'mon. You're looking at the uncommon case. Do you really want to suggest that even a sizable minority of the sites you visit on a daily basis use HTTPS?

I visit my banking site a couple times a week. I shop online a couple times a month. I read email online more commonly, but not *that* commonly from a web browser.

By contrast, I visit /. several times a day, I visit Fark a couple times a day, I visit a couple blogs a time or two a day, I visit CNN a couple times a day, I visit a couple other forums a couple times a day each, etc. NONE of these sites use SSL.