
Vodafone.pt is rewriting CSP headers to whitelist Vodafone and jQuery - DyslexicAtheist
https://twitter.com/JackyHallyday/status/968263408003973121
======
Kronopath
Vodafone Portugal absolutely does MITM your internet connection. I've seen it
myself.

I was in Portugal last summer, and my family had a Vodafone 3G wifi hotspot. I
noticed that on every single non-https webpage, Vodafone was inserting a
banner with a huge load of JS, as part of their "Vodafone Secure Net"
"feature"([https://securenet.vodafone.com/](https://securenet.vodafone.com/)).
They inserted their own code on every request to make sure that they could
display a banner telling you whether or not a website was "trustworthy".

I managed to figure out the complicated steps to do on their systems to turn
this "feature" off, but between that and some other bad experiences I've had
with them I still don't trust them in the least.

~~~
Natsu
Injecting JavaScript into someone's pages for "security" sounds like one of
the very worst ways to go about improving security. I'm surprised I haven't
heard of that injection being hacked to do very bad things yet.

~~~
Torn
If you can MITM the connection, you can just do it server-side, which is far
more insidious. This was done in the UK + Brazil a few years back -- some ISPs
(including British Telecom) trialled it without even telling affected
customers that they were being snooped on!

[https://www.telegraph.co.uk/technology/news/8438461/BT-and-Phorm-how-an-online-privacy-scandal-unfolded.html](https://www.telegraph.co.uk/technology/news/8438461/BT-and-Phorm-how-an-online-privacy-scandal-unfolded.html)

[https://phonecallsuk.co.uk/bt-webwise.html](https://phonecallsuk.co.uk/bt-webwise.html)

------
pg_bot
Time and again telecoms continue to pull these types of shenanigans. If you
are building a website in 2018 using https with hsts enabled is a must.

~~~
walrus01
That, and there is little excuse not to set apache2 or nginx to only allow
tls1.2 with the best choices in crypto options. The population of client
browsers that are so old they don't do 1.2 is extremely tiny.

[https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html](https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html)

~~~
spydum
I was going to argue with you, but stats do indeed seem to back this up (I
hadn't looked at them in at least a year or two). The gains for chrome are
insane, and there is clearly a harsh decline for IE. I suppose this is
probably why PCI-DSS felt it appropriate to push hard into deprecating TLS1.0
and TLS1.1 (without negatively affecting users too harshly).

~~~
walrus01
Yeah, pretty much any browser that was newly installed or updated from late
2012 onwards has tls1.2 support. The population of browsers older than that is
<1% at present.

------
Rjevski
Just another normal day in the shitty telco industry.

------
akerro
You care about some simple headers, because that's what you "see", but
Vodafone is much worse

[https://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html](https://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html)

------
genericacct
Vodafone needs to stop meddling with their clients' connection. Their
ridiculous "safe browsing" scam costs you $5 a month for the privilege of only
being allowed to use port 80.

To top it all off they also block all SMS access to twitter and instagram.
Hope someone takes them to court ASAP.

------
vbernat
It's a bit odd to set CSP headers but not TLS.

------
kreetx
Vodafone is nudging the users to turn on https.

------
lol768
Is there any evidence for this (e.g. response headers from a site using cURL
on and off Vodafone's network)?
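
One way to turn the check lol768 asks for into something repeatable (an added example, not code from anyone in the thread): capture the Content-Security-Policy value once from the origin or over a path that bypasses the ISP, once through the ISP (e.g. with `curl -sI`), and diff the two per directive. The sample headers are constructed; securenet.vodafone.com is the SecureNet host mentioned above, while jquery-cdn.example is a placeholder hostname, not a real one.

```python
from typing import Dict, Set

# Constructed sample headers: EXPECTED is what the origin serves, OBSERVED is the
# same response as seen through the ISP. securenet.vodafone.com is the host the
# thread names; jquery-cdn.example is a placeholder standing in for a jQuery CDN.
EXPECTED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
OBSERVED_CSP = ("default-src 'self'; "
                "script-src 'self' https://securenet.vodafone.com https://jquery-cdn.example; "
                "object-src 'none'")


def parse_csp(header: str) -> Dict[str, Set[str]]:
    """Split a CSP header value into {directive: set(sources)}.

    Directives are ';'-separated; each is a whitespace-separated token list whose
    first token is the directive name (case-insensitive). Browsers honour only the
    first occurrence of a repeated directive, so later duplicates are dropped.
    """
    policy: Dict[str, Set[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def added_sources(expected: str, observed: str) -> Dict[str, Set[str]]:
    """Per directive, the sources present in `observed` but absent from `expected`.

    A directive that exists only in `observed` is reported whole. Sources are
    compared as written, so a list widened to '*' shows up as an added '*'.
    """
    exp, obs = parse_csp(expected), parse_csp(observed)
    return {name: srcs - exp.get(name, set())
            for name, srcs in obs.items() if srcs - exp.get(name, set())}


def report(expected: str, observed: str) -> str:
    """One line per tampered directive; also flags a header stripped in transit."""
    if expected.strip() and not observed.strip():
        return "CSP header missing in transit"
    diff = added_sources(expected, observed)
    if not diff:
        return "CSP unchanged in transit"
    return "\n".join(f"{name}: gained {', '.join(sorted(srcs))}"
                     for name, srcs in sorted(diff.items()))


if __name__ == "__main__":
    print(report(EXPECTED_CSP, OBSERVED_CSP))
```

A clean run through the ISP should report the policy unchanged; anything else is either the ISP rewriting the header or the origin's own deployment drifting, and both are worth knowing.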

~~~
shakna
> Hello Jojo. Vodafone’s content control platform does not monitor or log your
> internet traffic, but as part of Vodafone’s commitment to ensuring your
> safety on the internet, we can monitor websites and domains that contain
> offensive content. [0]

Ignoring the corporate speak, they admit they do for censorship reasons.

[0]
[https://twitter.com/VodafonePT/status/968544082707603456](https://twitter.com/VodafonePT/status/968544082707603456)

~~~
p1necone
"We don't monitor or log your internet traffic, except when we do", how can
they say that with a straight face?

~~~
jetti
Probably because it technically isn't false. They say their "content control
platform" can't monitor or log internet traffic but they don't say they don't
have a system that does do the logging.

------
gruez
devil's advocate: what's the issue here? while it's obviously better if they
didn't do any MITM at all, I don't see what they're doing is worse (in terms
of security) than your run of the mill MITM. it only works for http sites, so
presumably there's nothing (too) sensitive on those pages. however, even if
there was sensitive stuff, it's whitelisting jquery and vodafone, neither of
which contains any exploitable code. if you're doing some sort of xss, you'd
still need to get some sort of initial code execution.

~~~
philprx
any tampering of content by ISP makes it more difficult to spot really hostile
MitM / webinjects tampering.

then there's net neutrality.

~~~
gruez
>any tampering of content by ISP makes it more difficult to spot really
hostile MitM / webinjects tampering.

I wasn't arguing for MITM, I was arguing that it's not _any worse_ than your
run of the mill MITM

~~~
Natsu
MITM is generally considered to be a mode of compromise, so that's sort of
like saying, well, it's not really any worse than being shot in the head. It
might be true on some level, but it's hardly any consolation.

