
How a banner ad for H&R Block appeared on Apple.com without Apple’s OK - ben336
http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/
======
nkurz
_Facebook eventually addressed the issue by making the site accessible over
HTTPS—though, as the authors of the 2008 paper note, HTTPS can be a "rigid and
costly" solution._

This same excuse has existed for about as long as HTTPS, which dates to
Netscape Navigator 1. Is it still that "rigid and costly"? Is there a
technical reason that this is an unsolvable problem?

Considering the increase in computer and network speed over the last decade
and a half, it seems strange that this would still be the case. Perhaps it's
just that without pressure from competitors there is no pressure on the sites
to solve it?

~~~
jes5199
an annoying thing about HTTPS is that it requires you to serve each domain
name from a separate IP address, and that can be somewhat costly.

~~~
theatrus2
If you ignore IE+Windows XP, you can safely use SNI.

~~~
pilif
It's any browser on XP which uses the Windows Crypto API, most notably
probably the second most used browser, Chrome. As long as XP is around, we're
going to need one IP address per domain if we want to do SSL.

~~~
pmh
Chrome 6+ appears to support SNI on XP

[1] <https://code.google.com/p/chromium/issues/detail?id=43142>

[2] [http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers...](http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B6.5D)

------
mmahemoff
TLDR: ISP injected script tag ads.

I heard on the latest This Week In Security that Comcast was apparently not
just injecting JS, but injecting _bad_ JS. Meaning that closures weren't used,
so name collisions could occur with the actual sites users were visiting.

For this reason, I can see HTTPS becoming standard, even for public,
non-logged-in users. I'm in the process of updating my site to be all-HTTPS and
recently got confirmation (as much as one could ever expect) from Google
there's no SEO penalty (<http://goo.gl/sbtxq>).
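
As an added example (not code from the thread or from Ars), here is the kind of check a site owner could run on a page body fetched over plain HTTP to spot script tags that load from hosts the site never referenced. The sample HTML, the page host, the allowlist, and the path on r66t.com are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a first-party page with one foreign script tag spliced
# in, the shape of an in-line injection. The path on r66t.com is made up.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script type="text/javascript" src="http://r66t.com/placeholder/inject.js"></script>
</head><body><p>hello</p>
<script>window.foo = 1;</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline ones."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def host_of(src, page_host):
    """Resolve a script src to the host it loads from (relative -> page host)."""
    parts = urlsplit(src)
    return (parts.hostname or page_host).lower()


def find_foreign_scripts(html, page_host, allowed_hosts):
    """Return script srcs whose host is neither the page's own nor allowlisted."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    return [s for s in collector.srcs if host_of(s, page_host) not in allowed]


if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_HTML, "www.example.com", ["cdn.example.com"]):
        print("unexpected script source:", src)
```

This only catches scripts pulled from a foreign host; an injection written to look same-origin (the point danielweber raises further down) would need the HTTP body compared against the same page fetched over HTTPS.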

~~~
stephen_g
If your site has a login page _anywhere on your domain_, I think that really
_every page_ should be served over HTTPS, and it should use HSTS to make sure
the browser knows it should always be accessed that way.

Even if your login page posts to https, if there's a man in the middle
somewhere between your server and user and your login page is HTTP, they can
alter the login page to post somewhere else. If your login page is HTTPS, then
they can change links to that page to something different.

Only with HTTPS for the entire site is it safe from those attacks. It is still
vulnerable if there is a MITM the very first time the browser has ever visited
the site, but it's a whole lot better than always being vulnerable!
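
An added example of the site-wide setup described above, not code from the thread: a WSGI middleware that sends every plain-HTTP request to its HTTPS twin and adds an HSTS header to every HTTPS response. The origin app, host name and paths are constructed for the example.

```python
# Constructed origin app standing in for "the site": every page, public or not.
def site_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form or public page\n"]


class ForceHTTPS:
    """WSGI middleware: redirect any plain-HTTP request to its HTTPS twin and
    stamp every HTTPS response with HSTS so the browser stops asking over HTTP.
    max_age is in seconds; one year is a common starting point."""

    def __init__(self, app, max_age=31536000, include_subdomains=True):
        self.app = app
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        self.hsts = ("Strict-Transport-Security", value)

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301, a permanent move. No HSTS header here: browsers ignore
            # HSTS on plain-HTTP responses, so only the HTTPS path sets it.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def add_hsts(status, headers, exc_info=None):
            return start_response(status, headers + [self.hsts], exc_info)

        return self.app(environ, add_hsts)


def run(app, scheme, host, path, query=""):
    """Invoke a WSGI app once offline; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ForceHTTPS(site_app)
    print(run(app, "http", "www.example.com", "/login"))
    print(run(app, "https", "www.example.com", "/login"))
```

The first-visit gap the comment mentions is what the HSTS preload list (submitting the domain with a `preload` token in the header) is meant to close.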

------
yk
Thinking about ad injection, it is actually quite scary what an ISP can do. Not
only is it easy to display ads (or possibly even malware), but even worse, my
ISP is installed as a default CA by Firefox, so they could even inject into
SSL connections, with the only "warning" being that the certificate was signed by
the ISP...

~~~
cheald
Who is your ISP, and what CA cert do they have installed?

The thought of an ISP having CA certs that are a part of default installs is
unnerving.

~~~
yk
Telekom (actually T-Online, the German ISP branch). The certificate is
identified as T-Systems (and I just found another one, Deutsche Telekom AG).
Additionally, looking through the certificates I found at least Swisscom, who
appear to have both a CA and an ISP, and AOL. This is certainly not an
exhaustive list, just the ones that caught my eye scrolling through the
list of CAs.

[EDIT] And for the added 'told you so,' the German parliament uses precisely
this certificate: <https://www.bundestag.de/>

~~~
cheald
Here's where it was introduced:
<https://bugzilla.mozilla.org/show_bug.cgi?id=378882>

Interesting comment on that thread:

> This CA was singled out as a CA that signed an excessive number of
> intermediate authorities (252) which together only have issued 4164
> certificates in EFFs talk at C3. This is, by far, the highest number, the
> next contender is GTE Cybertrust with 93.

~~~
yk
The bugzilla thread is an interesting read. And to be fair, the issue with the
thousands of certificates is explained in it. It appears that the certificate
is used to sign DFN, which in turn signs certificates for most German
universities.

Btw, video of the 27C3 talk in question:
<https://www.youtube.com/watch?v=DRjNV4YMvHI>

------
degenerate
Original (and better imo) article here:
<https://news.ycombinator.com/item?id=5486006>

------
Uchikoma
My problem with HTTPS is Google: they push it on every front, but - for
various reasons - consider HTTPS and HTTP different pages, meaning you do not
get link juice from any HTTP links if your site is HTTPS only.

1. Don't listen to people telling you otherwise; it's an expensive experiment.
2. Redirects do not transfer all the juice; they count as links themselves.
From my experience it's like not having external links to your site at all.
3. If you do not depend on Google b/c you're SaaS, go for HTTPS only.

~~~
rocky1138
Where are you getting the data that you don't get Google juice for
HTTP-to-HTTPS links?

~~~
Uchikoma
From first hand experience. Then lately there was a discussion on /r/seo I
currently can't find with a link to Matt Cutts who said redirects are handled
the way links transfer juice.

[edit] People extrapolate that 301s are different because Google tells them to
use 301 when moving pages.

------
nfm
I remember reading about someone with neighbours that were stealing their
wifi. You can do much more interesting things with a proxy server than just
inject ads: <http://www.ex-parrot.com/pete/upside-down-ternet.html>

------
niggler
Is Ars just ripping sites now? Although now changed,
<https://news.ycombinator.com/item?id=5505890> pointed to an Ars article from
yesterday (that reached the front page) that was basically a copy-paste of an
SE question

~~~
signed0
Ars has been featuring Stack Exchange questions, with their permission for
quite some time. I think it's some sort of partnership.
<http://arstechnica.com/author/stack-exchange/>

~~~
eropple
It's one of the worst features that they run. I've gotten good enough at
guessing which is "Ask Stack" from the headline that I don't click them
anymore, though.

------
deepblueocean
This is probably the best counter-argument to the best counter-argument that
gets leveled at the people promoting HTTPS-everywhere. People like to say that
HTTPS everywhere would break transparent caching by ISPs. After all, HTTP is
designed to allow caching proxies to exist inline and still supports dynamic
content gracefully (er, somewhat, anyway).

But in fact the same features that make transparent caching easy make this
kind of shenanigans easy. There are tons of companies in this space now. Not
just people like NebuAd and R66T, but lots of "subscriber messaging systems"
like FrontPorch (which I've heard sells messaging data for behavioral
advertising) and PerfTech (which has assured me that they do no such thing).

This should be an easy way to push back one of the last "real" arguments
against using HTTPS everywhere. There's no excuse not to be running your site
on HTTPS all the time - it protects you and your users from all sorts of
mischief for a minimal overhead.

~~~
RossM
It's getting to the stage now where I think domains should be sold with an SSL
certificate as standard (minimal vetting, no warranty) - just enough to
provide encryption, rather than treating it as an optional extra.

~~~
deepblueocean
One could argue that DNSSEC is a variant of this - put your SSL certificate in
a TXT record in your DNSSEC-signed domain and you no longer need a certificate
authority system to sign the certs. Now you can self-sign the cert and get it
for free!

------
_conehead
Holy cow. It seems this has had a direct effect: they're no longer injecting
javascript into webpages. I just tried Amazon, eBay, and a few others where
the script injection used to be present, and it's no longer there.

I absolutely can not understate just how happy I am about this.

~~~
ben336
you mean overstate? :)

~~~
_conehead
Absolutely; thanks for the correction. It seems I was just a tad too excited
to post, haha.

------
bonaldi
HTTPS will not prevent this: the ISP can issue their own CA to their users and
then decrypt/encrypt https as it passes through them. (Many corporations
already do this). What will prevent this is legislation and/or competition.

It amazes me that US Internet access has very little of either. All the
drawbacks of monopoly Internet, with all the drawbacks of unregulated
Internet.

~~~
laggyluke
I believe ISPs cannot have a transparent HTTPS proxy without the "invalid
certificate" browser warning. ISP users would have to manually trust their
ISP's CA.

~~~
bonaldi
Or have it added to their chain beforehand. An ISP could trivially include
this as part of their "welcome pack" installer CD or the like.

Would that silently affect people like us? No. Could they do it to all their
non-technical customers? Absolutely.

~~~
jamespo
Not going to help if their non-technical customers are using ipads or similar
though, which non-technical users tend to like

~~~
bonaldi
iOS gives you a friendly and official-looking "accept this certificate?"
dialog when you connect to a router that offers one. Non-technical users will
accept and proceed without blinking.

------
sigzero
It should be made illegal if it isn't already. Since "any site" did not
consent, doesn't this injection really "change" their site?

~~~
jeffdavis
Maybe they should lose their "common carrier" status if they mess with the
content? Then they would be responsible for whatever is said on the internet,
which would probably dissuade them from doing it.

~~~
jauer
Most ISPs in the US don't operate under common carrier regulations. Even the
ILECs (essentially the only common carrier data networks) sell their internet
services via subsidiaries to avoid it.

~~~
jeffdavis
Oh, interesting. What protects them from libel suits and the like, then?

~~~
jauer
Libel for? Cases like this where they are making Apple look bad? I think that
would be a stretch. Typically ISP terms of use say they can do pretty much
whatever they want (see the Computer Fraud and Abuse Act/The Whole Aaron
Swartz Thing). In theory if you don't like it you can take your business
elsewhere.

This "take your business elsewhere" competitive environment is supposed to
foster innovation blah blah. Many would say this is BS and more regulation is
needed because of a duopoly. As a competitive ISP I have to disagree, but it
is true that the duopoly providers spend more on advertising so most people
aren't aware of alternatives.

One could argue that rewriting pages to insert JS makes a derivative work or
something and that gives Apple grounds to sue because of copyright, but that's
tough as ISPs are supposed to be finding ways to inflict the Emergency
Broadcast System on users and JS insertion is generally less obtrusive than
hijacking all HTTP/HTTPS until the alert clears.

My perception is that most ISPs avoid this kind of thing because we don't want
to give the FCC any more excuses to mandate things like "Net Neutrality" with
poorly understood policy consequences.

On the other hand inflicting one of those DNS-hijacking special offers systems
can increase revenue from the typical residential user that wouldn't care by a
few percent so there's always a bit of business pressure.

------
cstrat
I have always wondered how long it would take for this sort of behaviour to
kick off.

This is to the internet what global warming is to the earth... well that might
be too far, but this is high tech pollution at its worst.

------
8ig8
zmhenkel's Reddit comments if anyone wants first-person accounts:

<http://www.reddit.com/user/zmhenkel>

------
kevinburke
Wouldn't you know it, the CMA Communications (the ISP mentioned in the post)
website is not accessible via HTTPS. "View My Bill" and similar link you off
to a third party domain.

------
prodigal_erik
Yet another reason blindly running javascript from unknown parties is a bad
idea. Whitelists for progressive enhancement I _want_ should always have been
the default.

~~~
danielweber
If the ISP is injecting Javascript, they can just inject it as coming from the
same domain.

I don't like "force HTTPS everywhere" but these jerks are forcing it. It
sucks, but it sucks less than this.

~~~
codesuela
@begurken you've been hellbanned since this post
<https://news.ycombinator.com/item?id=5466310>, no idea why

<https://en.wikipedia.org/wiki/Hellbanning>

~~~
danielweber
> The idea has a great number of pros, and almost no cons.

1. Certificate problems with embedded devices.

2. Much harder to control what's going on with your network.

------
oracuk
We have had a similar case publicly exposed here in the UK a little while ago
with Phorm and British Telecom:

<http://www.bbc.co.uk/news/technology-13015194>

There is a good chance that such practices may be found to be illegal in a UK
court (Regulation of Investigatory Powers Act primarily with some discussion
about applying the Data Protection Act or Computer Misuse Act) but they
haven't been tested yet. Both companies very quickly stepped back from the
'trial' they were conducting when it became clear there might be public
support for a test case.

------
SpikeDad
An interesting article, but overly verbose. Could have said the same thing
in half the space.

However, a big FU to Arstechnica for prostituting the name of Apple to get
more visits to the article. The headline did not need to imply that Apple.com
was hacked or that Apple was somehow unaware of what's happening at their
site.

It's sleazy journalism and beneath the usual ethics of Arstechnica.

------
girlvinyl
Does anyone know the CFAA implications here? My system is a "protected"
system, this would clearly be unauthorized access.

------
_conehead
As exciting as this is to be posted on a high-volume website, I honestly doubt
CMA is going to change their practices on this issue.

If anything, the Acceptable Use Policy change on the 4th was a sign that
they'd be reluctant to change their stance on this issue at all. They honestly
don't care.

~~~
crgt
They might change their tune if they get a letter from a lawyer or two. Can't
imagine Apple, for example, likes the idea of third-party ads overlaid on
their site.

~~~
seanalltogether
I could see Google bringing a hammer down on them if it's true that they are
overwriting ad space on certain websites.

------
ck2
I'm terrified to let them tamper with it but Congress really needs to make
laws that regulate ISP behavior in the USA. They will never do it on their
own.

The problem with such a bill is it will have a dozen riders for very horrible
things.

------
AJ007
The "root" of the problem -- on what marketplace are these display ads being
sold?

~~~
dangrossman
Any of the hundreds of different advertising services that feed into the
exchanges that are carried by the major networks. There's likely no direct
connection between who sold the ad and who made the deal with this ISP to let
them serve that network. H&R Block probably had no idea their ad ever appeared
on Apple's site.

[http://blog.inuvi.com/wp-content/uploads/2011/01/LUMA-Landsc...](http://blog.inuvi.com/wp-content/uploads/2011/01/LUMA-Landscape2010-12-12.jpg)

~~~
AJ007
Yeah, but somewhere H&R Block purchased the inventory. You don't just
generically purchase a 300x280 banner ad without regard to where or how it
runs. It has to be connected with some sort of property or impression.

It could be a remarketing ad, or a demographically targeted ad, but in that
case the buyer still purchased it somewhere and some company or company is
responsible.

~~~
dangrossman
Ex: ISP signs a contract with "Google Ads for Publishers" to carry their
display ads. H&R Block buys a retargeting campaign through AdRoll. AdRoll runs
this campaign by bidding on the matching cookies through AppNexus. AppNexus
feeds into DoubleClick which serves Google's ads. H&R Block shows up on the
Apple website. H&R is 3 companies separated from their buy and where the ad is
shown, and never signified any intent to advertise with an ISP or with Apple.
Tracking back the ad to where it was sold gives you AdRoll, which wasn't
complicit in the scheme either. Google is the "root" problem in the fictional
example.

------
rgbrgb
Did anyone else have trouble hitting the back button after that article? I
find that equally skeezy.

Edit: It seems they've mapped command-back-arrow to a non-default action. Not
cool.

------
kgosser
Anyone else find it interesting that R66T is vaguely read as "ROOT" -- this is
some kind of cruel joke, right?

------
greglindahl
Very interesting that r66t.com doesn't appear in the 2 most popular adblock+
block lists!

------
fauigerzigerk
So an internet provider inserted ads into web pages and two bloggers blogged
about it.

I hate this ultra-low signal to noise style of writing anyway, but using it
for a tech piece is more than ridiculous. This isn't a 1970s western movie,
nor does it appear in the NYT arts & culture section.

------
anoncow
Did he complain to the FTC?

------
olalonde
This is quite common in China. Even the largest ISPs do it.

------
mbloom1915
Why wouldn't all ISPs do this for the economic incentive? Is advertising going
in this direction?

~~~
crgt
If my ISP did this I would switch instantly.

~~~
Jach
And when they all do it, or no other ISP will service your area?

~~~
irahul
`ssh -D 8080 micro-ec2` and proxy through localhost:8080 till it's sorted out.

~~~
Jach
Exactly! No need to switch ISPs after all. (Though personally I add the -N
flag so that the tunnel is clearly separated from the remote shell.)

------
IheartApplesDix
It's a brave new world out there. Well, I knew this would happen eventually,
and I got a lot out of the internet while it lasted. Shit, the last 15 years
of my life have been grand thanks to the net, but now it's time to kiss it
goodbye.

I, for one, welcome our new corporate master feudal lords.

