
On the modern web, ISPs are one of your threats (2015) - drvdevd
https://utcc.utoronto.ca/~cks/space/blog/web/ISPsAreThreats
======
cj
I look forward to an HTTPS-only world some day to prevent MITM issues like the
original article, but we have a ways to go.

I run a service that involves adding Javascript to a site (like you would with
Google Analytics). At one point we were serving 100% of scripts / APIs via
SSL, but ended up moving to matching the origin host's protocol because
customers were complaining of older versions of IE that actually block HTTPS
requests that originate from HTTP pages.

So now we serve API calls matching the protocol of the domain the script is
loaded on.

It's been on our mind to go back and figure out exactly which browsers this
affects, implement browser detection logic, and then serve SSL APIs for
everyone else. Although it's a bit tricky when supporting customers who have
users (still) accessing them with obscure / old browsers.

More broadly, Let's Encrypt has been a great initiative. AWS WAF is also great
for generating certs easily (although only inside AWS unfortunately with
specific AWS services). Initiatives encouraging people using legacy browsers
to upgrade will also help companies like ours (and others) trying to
support 100+ browser versions on various OSes.

For us, China has also been a slight issue. The firewall tends to add extra
(unpredictable) latency for SSL requests, even when engaging with firms for
$xx,000 specializing in overcoming China networking related obstacles.

~~~
matt_wulfeck
Can you explain more? Does China capture ssl traffic or something similar?

~~~
derwiki
In Beijing currently. I set up a SOCKS proxy through an EC2 instance and it
seems to be throttled after 10 minutes of use -- to the point that Edge on my
smartphone is faster.

Unrelatedly: I was very surprised that the GFW lets through Amazon web
traffic.

~~~
grogenaut
how much bandwidth were you using?

~~~
derwiki
Not much? Trying to post photos to Facebook/Flickr.

------
jakasto
Can anyone think of other industries where this is the case? Imagine for a
moment if grocery stores injected small amounts of lead into the food, or if
gas stations injected water into the fuel (for bulking).

I know this kind of thing happens in China (think about toxic products added
to baby milk, for example, to cheat protein tests). But that's at the
"website" level, not the "ISP" level. I suppose healthcare (at least in the
US) is the most likely industry to see attacker behavior.

~~~
drvdevd
It's interesting to think of it this way. Clearly, the attackers (being ISPs
in this case) don't see it this way or don't want to see this sort of MITM
this way. Following one of the links in the article [1], you get some great
quotes:

> Comcast injects ads into unencrypted traffic, because "it's a courtesy, and
> it helps address some concerns that people might not be absolutely sure
> they're on a hotspot from Comcast".

So maybe someone out there actually feels this way when they find content has
been directly injected in their unencrypted browsing session. I sure don't.

[1] [https://konklone.com/post/were-deprecating-http-and-its-going-to-be-okay](https://konklone.com/post/were-deprecating-http-and-its-going-to-be-okay)

~~~
literallycancer
I'd expect the PR/marketing people to laugh at "the plebs" as they make up
press releases like that :)

Maybe I'm just cynical, but I can't imagine anyone believing that ads are a
"courtesy".

------
paulmd
With the creation of Let's Encrypt, there is really no longer any justifiable
reason to bitch about the costs of a certificate. We all know the threat model
now and if you are going to be interacting with the general public you should
absolutely be held to minimum standards to ensure that nobody is tampering or
sniffing your traffic along the way.

If you are just doing DIY stuff then you probably don't need the advanced
features that are getting moved to HTTPS-only. If you do need those features,
you are advanced enough to take the five minutes and generate your own CA
certificate and install it onto your machines. Boom, now you can sign your own
HTTPS cert. Problem solved and you don't need to destroy the internet for
everyone else nor participate in even the minimum of public interaction. DIY
to your heart's content.

~~~
nothrabannosir
_If you are just doing DIY stuff then you probably don't need the advanced
features that are getting moved to HTTPS-only._

Like getusermedia, or service workers, or webrtc?

Speak. For. Your. Self.

Precisely personal projects use these technologies. That's why they're
personal projects; because I'm trying out new stuff.

Testing this from a phone emulator the other day I had to resort to inordinate
hacks to access a web push test page on the host. How to
[https://10.0.2.2](https://10.0.2.2)? It's _not_ straightforward.

I'm happy for it, it's worth it. But don't discount the effort it now takes.

PS: _"bitch about the costs of a certificate."_ --- I prefer to call it a
valid complaint about an extortion racket, but I guess opinions differ.

~~~
vog
_> ... personal projects ... How to [https://10.0.2.2](https://10.0.2.2)? It's
not straightforward._

Just issue a self-signed certificate. How is this not straightforward? All
you need is a single, well-known OpenSSL command:

    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout test.key -out test.crt -subj /CN=10.0.2.2 -days 3650
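
A variant of that command, as an added example that is not part of the thread: current browsers ignore the CN and match the server name against subjectAltName only, so a self-signed certificate for a bare IP such as 10.0.2.2 needs an IP SAN. The function names and the temporary OpenSSL config file are my own; the script assumes `openssl` and `mktemp` are on PATH.

```shell
#!/bin/sh
# Self-signed certificate for a dev host (IPv4 address or DNS name) with the
# subjectAltName that browsers actually check. Added example, not the
# thread's own command; make_selfsigned_cert and cert_has_san are hypothetical
# helper names. Usage: make_selfsigned_cert 10.0.2.2 test [days]
make_selfsigned_cert() {
  host="$1"            # name or IPv4 address to certify
  out="$2"             # output prefix: writes $out.key and $out.crt
  days="${3:-3650}"    # validity, same default as the thread's command
  # Pick the SAN type: anything that is not digits and dots is a DNS name.
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;
    *)         san="IP:$host" ;;
  esac
  cfg="$(mktemp)"
  # prompt=no takes the DN from [dn]; x509_extensions adds the SAN when -x509
  # is used, so no separate CSR or extension file is needed.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
  # rsa:2048 keeps generation fast; rsa:4096 works identically.
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$out.key" -out "$out.crt" -days "$days" -config "$cfg" 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return $rc
}

# Check that a certificate carries the expected SAN entry, e.g.
# "IP Address:10.0.2.2" or "DNS:dev.example.test" as printed by openssl x509.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}
```

The certificate still has to be imported into the emulator's trust store; the SAN only makes it acceptable once trusted.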

~~~
sametmax
"Well known" is a bit of a stretch.

Most devs don't know anything about setting up SSL. Nothing.

I'm not talking about newcomers, students, interns, etc. No, no, no. I'm
talking about what constitutes the majority of the IT workforce.

You are living in a bubble, ignoring that most sites out there are not made by
experts, but by people who know a bit of PHP, HTML and CSS.

As a Python dev on Linux who has to live in Docker + latest-JS fantasy
environments, I understand why you think that; it's so tempting to ignore
reality when we consider playing with new toys on the HN front page a way
to relax.

Except once a month I train professionals as a side activity. People who
have 20 years as devs in multinationals, research centers, administrations,
etc. And there is no way the command you list can be remotely considered "well
known" by them.

At the beginning of the month, I just gave a Git training. 2 guys and a girl,
working for years for a huge bank on the official website. They were still
using CVS before arriving. I said CVS, not Mercurial, Bazaar, not even SVN.
CVS.

2 of them had never used the terminal, of course (Tortoise, anyone?), one had
never ever worked on a non-Windows machine in her life.

Let that sink in.

~~~
vog
_> "Well known" is a bit of a stretch._

With "well known" I meant that you can find it quickly on StackOverflow:

[http://stackoverflow.com/q/10175812](http://stackoverflow.com/q/10175812)

And yes, I do think that researching and using this command is not too much to
ask for - at least for people calling themselves "developers". Also, I'm
pretty sure that the concepts behind HTTP+TLS are easier to learn than version
control, or learning some new library or API you need for your next project.

With "straightforward" I meant that it is a single command that works on any
OS (given OpenSSL is installed), and not some complicated multi-step process
involving third-party services etc.

------
qwename
Communicating over the Internet is like relaying letters with the destination
and return address at the top. Anyone in the chain can choose to look at the
content, tamper with it, or refuse to pass it on.

A giant web that relies on trust. Is there a system where trust is not
necessary, but can still get things done? Although I can't think of a use-case
for this.

~~~
myowncrapulence
> Is there a system where trust is not necessary, but can still get things done?

Yes. Check out cjdns
([https://en.wikipedia.org/wiki/Cjdns](https://en.wikipedia.org/wiki/Cjdns))
and Hyperboria ([https://hyperboria.net](https://hyperboria.net))

An entirely encrypted network of relays where IP addresses themselves are
encrypted so no one can snoop traffic.

~~~
qwename
It seems like users are not anonymous, but this led me to the concepts of
overlay networks[1], darknet[2], and mesh networks[3]. Thanks for that.

[1] [https://en.wikipedia.org/wiki/Overlay_network](https://en.wikipedia.org/wiki/Overlay_network)

[2] [https://en.wikipedia.org/wiki/Darknet](https://en.wikipedia.org/wiki/Darknet)

[3] [https://en.wikipedia.org/wiki/Mesh_networking](https://en.wikipedia.org/wiki/Mesh_networking)

------
petrikapu
I was working for many years for a major ISP in the Nordics and they implemented
wiretaps when requested by the officials.

~~~
JumpCrisscross
Are any of the Nordic countries better than the others when it comes to this?

------
coldcode
Will get worse next year in the US when ISPs can do as they please.

~~~
drvdevd
What new rule(s) are coming into effect in 2017?

~~~
perhonen
Donald Trump has stated his opposition to net neutrality [1], although it is
unclear to what extent he intends to pursue this issue. Trump's picks for his
FCC transition team are both supportive of permitting differential pricing
models [2].

[1] [https://twitter.com/realdonaldtrump/status/532608358508167168](https://twitter.com/realdonaldtrump/status/532608358508167168)

[2] [https://www.aei.org/wp-content/uploads/2012/10/-broadband-competition-in-the-internet-ecosystem_164734199280.pdf](https://www.aei.org/wp-content/uploads/2012/10/-broadband-competition-in-the-internet-ecosystem_164734199280.pdf)

------
jwatte
If TLS/HTTPS were easy to use from userspace C, HTTP could probably phase out
very soon. Node, Go, Python, and other web tech actually make this easier,
because I don't have to call OpenSSL myself. So, even though I really love C,
it's not in the best place for the modern network.

~~~
aaronmdjones
ARM MbedTLS makes using TLS from C easy. Like, really easy. Really, _really_
easy.

As an aside, the last CVE (publicly known, logged vulnerability) for MbedTLS
that affected server-side code was from January _2015_.

------
tracker1
I've just a few days ago started using a seedbox/VPS service to avoid any
possible incursions on Comcast/Xfinity's 6-strikes policy.

------
Demcox
Good short writeup.

