Hacker News new | past | comments | ask | show | jobs | submit login
Am I hacked? Oh, it's just Vodafone (sphaero.org)
301 points by cramforce on Dec 26, 2015 | hide | past | web | favorite | 85 comments

As of 2 months ago Bell Canada has begun intercepting and modifying web traffic as well.

Back in October, I started receiving notifications that said, “You've reached 50% of your Internet usage”. In the past these notifications would arrive by email or I could check my usage by logging into the Bell site, either of which is entirely acceptable. However, in October, these notifications began to appear embedded into web pages that I was browsing, specifically in web pages that don't belong to Bell and have nothing to do with Bell.

I don't care that they provide a way to disable this, or that somewhere in Bell’s terms and conditions I may have ostensibly agreed to this action. They shouldn't be doing this any more than the post office should be tearing open my letters to insert notices that they want me to see.

I wrote a complaint to Bell (and canceled my phone and Internet with them!) but they didn't reply. I also wrote to the CRTC and the Privacy Commissioner. The Privacy Commissioner said it's not in their jurisdiction. I'm still waiting to hear from the CRTC.

I recently quit working for a very-related telco in Canada after 4 years, and I was working on very-related systems to what you mention above.

I assure you, complaining to the CRTC is the way to go. Each and every complaint is taken very seriously and will not be dropped. The CRTC takes their role very seriously. They function at the speed of molasses, but they do function

Suddenlink does the same thing-ish. Sometimes I get a popup that says "service outage incoming at XXX" at the top of the page- I ended up figuring out there was a checkbox for that sorta stuff in the account options tab. Similarly, it redirects non-websites to their own search engine that never seems to go away. (ex: igrj.43 redirects to http://search.suddenlink.net/index.php?origURL=http%3A//igrj...) Again, not terrible, but really invasive to my mind.

As it stands, they're basically the only supplier near us (sub-rural texas), so I just got a VPN.

It's not unheard of for ISPs that typosquat the whole Internet like that to provide a second set of DNS servers that perform correctly for those who know how to use them. Mine does.

Who's your ISP?


Rogers does (did?) this too, though most people are now on their new "unlimited" plans so it hasn't been a concern recently. (Funny how unlimited plans also avoid zero-rating net neutrality concerns for first-party or partnered services...)

Telus/Koodo wireless has a proxy that at one point back in 2012 was incompatible with Chrome's bandwidth saving features, at least back when I was testing in Canary. I was never able to follow up on said proxy after reporting the bug to Google, who got in touch with Telus, but ping times were at least 100ms higher in general than what Rogers Wireless was giving me for similar assets/signal strength.

How can this even be legal. How can a ISP decide on the content quality, I would like to receive. Do they next deem words like 'anti-government', 'Democrats' or sites critical of the government too traffic-heavy to deliver but instead show a "cleaner" version of the world?

I as a hobby web-dev and photographer like my images to be delivered in the exact quality, I put them on the server. So the Vodafones or O2s of this world mess with my intended design.

As a user I want to experience the web with best image quality, not censored (right now in terms of quality) crappy versions of these images.

This paternalism sadly is not felt by the majority of people out there and will never lead to 'uprising' (in loss for a better word). Be it done by cooperations or be it done by governments.

We will see more of that in the future and I have lost believe in being able to tell others, not that tech-savvy why this is not good. They nod their heads, but it does not register. Sadly so.

Visit to disable this image compression for your device.

Add "Cache-Control: no-transform" to your headers to disable image compression for all your site's visitors.

Web devs should make sites that work without javascript, so that turning on NoScript is also a solution.

The bmi.js injection may look a bit nasty, but it is there to save bandwidth for users who are on a bandwidth budget. Vodafone would profit from higher bandwidth usage.

What you say is technically true, but for a user it's complete BS:

- As a developer I looked for a way to disable this system - maybe something changed, but ~5 years ago I couldn't find any information about the address and support told me it's not possible.

- Unless you're running a site that's professionally based on image distribution, you're unlikely to know no-transform exists.

- NoScript can block the bmi script specifically, not everything. Vodafone doing MITM shouldn't concern webdevs.

- The injection does not look nasty. It is nasty - you get no easy switch for it and cannot decide for yourself what behaviour you want. If you really want bandwidth saving, use opera mini - it's available for all phones now.

Sorry for being harsh, but I don't see how Vodafone's MITM can be defended in any way.

Use https.

> Web devs should make sites that work without javascript, so that turning on NoScript is also a solution.

Sorry but this is a ridiculous statement, it's like saying websites should still be able to run on Gopher. (Which some people want)

It's cool if you want to run NoScript but if you think website should/would be made around that you have cognitive dissonance.

Other than that, informative comment.

Progressive enhancement is easy. Your framework or development tools should do most of the work for you. Maybe try different tools?

> run on Gopher

Nonsense - CSS is very powerful, and all the functionality most websites need works fine with <form>s.

Part of the problem may be the difference between nice features with necessary features. Nobody would expect fancier features such as custom buttons/widgets or fancy client-side form verification to work without Javascript. You have to do all the checking on the server anyway.

> cognitive dissonance

Err, no - leaving out progressive enhancement is just lazy. Why would you prefer to shows people a broken website as a first impression? Do you even know how many people see a broken website? (i.e. do you check server logs?)

Do you do web development professionally every day? If so, how long would you estimate you spend on making sure HTML-only pages render correctly?

Do you ever do advanced sites where multiple actions exist on one page that can't be easily encapsulated in HTML?

I ask because calling devs lazy for not backwards-checking their JS scripts is a bit much. So you want them to solve the problem they just solved, except this time, do it without some code assistance? That seems a bit unreasonable.

For many sites these days it is acceptable and justifiable to run Javascript. That was not true in the early 2000's, but we are a long way from there.

Agreed. Neither Facebook nor YouTube run without JS enabled, which means that the vast majority of your users will never even consider turning it off.

Facebook and YouTube, as highly interactive applications, are not "most websites".

Practically ever single blog, news site, store, business page, and the like have zero need for Javascript, and requiring it only makes your site look broken. The maybe better with Javascript, of course.

While I haven't worked on websites in the last year or so, I have made websites professionally in the past for many years. Making a progressively enhanced store that works without Javascript in Rails 2/3 was really easy.

> vast majority of your users will never even consider turning it off.

How do you know this? Are you guessing? Are you relying on Javascript-based analytics and are therefore blind to people that disable Javascript? Do you have server logs that show how many people disable Javascript? Is you site broken without Javascript so this claim becomes a self-fulfilling prophecy?

I ask this every time someone makes that claim, and have never gotten a response.

> How do you know this? Are you guessing?

> I ask this every time someone makes that claim, and have never gotten a response.

Well, i am glad to help out. Have a look at [1] which presents data of 509.314 visitors.

Isn't that great? Now you don't have to ask every time somebody makes that claim!

[1] https://gds.blog.gov.uk/2013/10/21/how-many-people-are-missi...

This is honestly just out of touch with most modern Web development. Even if its "easy" to develop (which is debatable), if its not a priority with product managers it will simply not happen in today's "more with less" technology industry. Consider also that users who block JavaScript also block most analytics packages (by design)--from a data-driven product management standpoint, users who block JavaScript literally don't exist. Web QA is hard enough across multiple browsers and OSes; adding to that a second version of the site for users whose presence can't even be quantified is not going to be popular.

> Nonsense - CSS is very powerful, and all the functionality most websites need works fine with <form>s.

"You don't need a language other than __. __ is a Turing-complete language, thus is very powerful, so it should have all the functionality most developers need."

> a Turing-complete language

Most websites don't even need a Turing-complete language. Which is kind of the point - Javascript is a security risk and a privacy risk precisely because it is Turing-complete.

Css is also turing complete. Seriously.

No need to apologize for giving your opinion. I have strong feelings on accessibility and security, perhaps a bit too strong. Others may rank design or "a fast development pipeline" higher than me.

I expect content websites to function without requiring JavaScript. I'll settle for a much poorer experience, as long as I can access the content.

Put more strongly: Nothing is gained (from a user perspective) by requiring JavaScript, but security is lost (Tor disabled NoScript because too much of the web would break, leading to disclosure of user data [1])

[1] http://www.wired.com/2014/08/operation_torpedo/

"Sorry but this is a ridiculous statement, it's like saying websites should still be able to run on Gopher."

Web devs should indeed make sites that work without javascript. They don't have to be fancy, or do every little advanced thing, but they should work.

>> Web devs should make sites that work without javascript, so that turning on NoScript is also a solution.

> Sorry but this is a ridiculous statement, it's like saying websites should still be able to run on Gopher.

Sorry, but your statement is ridiculous. Unless the website is an application, that is, it does something useful, it's just bunch of text and images. You should not expect people to give you full Turing capability just because you're too full of your awesomeness that you can write a program.

> It's cool if you want to run NoScript but if you think website should/would be made around that you have cognitive dissonance.

I don't think that term "cognitive dissonance" means what you think it means.

Also please avoid ad hominem statements on Hacker News. It's not far away from saying "if you think that then you are stupid", and no more constructuive. is within the "APNIC Debogon Project" range. I don't understand using these kinds of ranges as internal IPs - Vodafone controls the DNS servers for these devices so just make it optout.voda and resolve that somewhere that you actually own.

Well it's pretty much the addresses you start using when you've run out of IPv4 addresses everywhere else.

A very popular example of this is 100.64/10, but one can find little bits here and there. Plenty of providers don't just use that range but 1/8 is pretty safe to use.

There are even posts on networking mailinglists about tests for using the multicast ranges (multicast doesn't work* anyway and is now widely considered a "never gonna happen" design). Leave alone and you can pretty much use the rest of Also, most of broadcast is fine to use on most networking equipment.

* of course, locally within a network it does work for a very small number of multicast streams (certainly doesn't work for 2^28 multicast streams as designed, so in ipv6 they upped the number of available multicast channels to 2^120)

1/8 is absolutely not safe to use. There are many real IP addresses assigned in that range; for instance, 1.5/16 is assigned to a Japanese ISP.

> Web devs should make sites that work without javascript, so that turning on NoScript is also a solution.

Ideally, I guess that would be true, but from a development cost perspective and user interface perspective that is just not possible in 2015.

For complex platforms I may see your point. But what about personal pages or blogs (including hosted like Wordpress)? Why do webdevs even remotely consider publishing an empty webpage in case the client does not run javascript?

What do you think my impression of your website is when all I see is a blank page or an endlessly spinning loading wheel?

Yes, I agree. For static content pages, the content should largely render and its content should be largely digestible whether or not the client's javascript engine is running.

That being said, an easy defense against webscrapers and content re-purposers is to make sure the client is running javascript.

Of course, there are ways around this, but I liken it to this scenario: If there are two similar houses on a block and only one has an alarm system, the cat burgler will choose the one without the alarm.

and HTTPS :)

Should have [2012] somewhere in the title. This is older than dirt, in Internet years.

I noticed this as far back as 2009 on Vodafone Germany

And people still fight "HTTPS everywhere"...

Secure should be the default with insecure being left for special cases that need it.

If by "HTTPS everywhere" you mean the browser extension, that isn't very helpful since a huge chunk of websites that have properly implemented HTTPS turn it on by default.

If by "HTTPS everywhere" you mean enabling HTTPS on all websites, I could not agree more.

In any case, I haven't heard of a single source fighting against this switch. Some sources please?

I mean the latter.

And it's generally random web developers who are against HTTPS on everything. Generally the reasons are:

* Cost (this one is going away hopefully)

* Performance (tls is too slow!)

* CPU/Memory overhead on the server

* What they are showing doesn't need to be secured anyway.

I don't really agree with any of those points, but that is what I hear when I bring it up.

Yes this is why I left Vodafone. They aggressively recompress images so that they look noticably awful, including in phone apps where resources are loaded on demand, and there's nothing you can do about it bar using a VPN. O2 are exactly the same and all the virtual network operators using either network are the same.

I'm not sure this is still the case. I can recall it happening a long time ago but have not noticed it recently, at least since I started using their 4g service.

T-Mobile is known in Germany for having done the exact same.

They also remove comments from your markup. That removes the possibility of progressive enhancements with, say, knockout.js which would most easily rely on comments (unless you're using https, which you should).

Using comments for programming is very bad practice. I don't know knockout but that just sounds bad.

Just left my host for a similar issue, Arvixe shared Linux server. One of the shared users apparently installed some utility called siteapps, which some how effected my side of the server, not certain what it all does but it started showing 'badges' on all my pages saying 'this site has been optimized by siteapps'. I found a way to turn that off in cpanel but the siteapps was still injecting JavaScript code into all of my pages. I could not see any visual changes to the pages but found this unacceptable.

I tried to contact support only to find out the company had been sold recently and the new owners saw fit to fire all the support staff and do away completely with telephone support for technical issues. Tried chat and after waiting, no joke, three hours for someone to show up in the chat was told that the problem was with my code. Even after telling the agent I could upload a blank page and the code would be injected into the page.

Long story short, I am now hosting on my own server. Now looking for a good host I can point my customers to, one that won't try to nickle and dime them like godaddy.

For $5/month, you can get a pretty great VPS at digital ocean; 512MB RAM, 20GB SSD, 1Gbit/s bandwidth with 1TB/month trabsfer, giving you root access to your own server. You also get your own IP address, instead of sharing IPs and using virtualhost hacks like those web hosts do. Been using them for a while now, works really well.

I had great experience with Hurricane Electric. SSH access, servers without I/O bottlenecks. There's no cPanel or other crap pre-installed, so it turns away beginners and inexperienced developers who would write crappy unoptimized code that would take too much system resources. And their backbone connectivity is amazing.


Isn't cheap, but this is the best shared host I used until I got a bunch of my own dedicated servers.

I've used NearlyFreeSpeech.NET for quite a few years now. It's not a cPanel host, but it's actually very easy for beginners to get started with. It's also very flexible and they have some really cool features.

If you're going to use a shared host, you should use NFSN IMO.

The system in question is developed by a company called Byte Mobile, which was bought by Citrix.

Normally all port 80, and 8080 traffic are redirected to the system, and then rules are run to determine what happens to the traffic, and or code to be injected into the page.

So let me add some more detail.

The system is used to help reduce bandwidth, as well as including a better TCP algorithm for use over the radio links, to help cut down lag and retransmissions, because the radio links are notoriously bad, and the standard algorithm doesn't quite cut it.

The system will actively try to down sample both images and video to help reduce bandwidth usage. In the case of video, it also tries to limit the buffered video to no more than X seconds ahead.

And finally, it is also big cache, and it tries to keep the most requested content locally. One of the new features is the ability to 'guess' what video is being viewed inside a HTTPS stream and try to cache it too.

As mentioned above with regards to the Canada telcos inserting iframes or content regarding their data usage and caps, the system can inject any content into the HTML page if it is provided over HTTP. They do this because normally they have no way to contact customers that have tablets, or 3G modems / dongles, to alert them of limits or just to be able to contact them.

How could they not have any way to contact their customers? You need to provide contact information when you sign up for a data plan, don't you?

Even if you accept that the only way for them to contact their users is via their data connection (which, again, doesn't make sense,) there are far less intrusive methods than injecting content into existing pages. For instance, they could send the user to a separate notification page, perhaps with a helpful link to the resource that the user was intending to browse to. No need to mess with (or see) the contents of any pages.

They very possibly can do all of the above.

However you have to understand how a lot of the cellular operators function. They don't build much of the systems in house, but buy from large companies like Ericsson, Huawei and so forth. Therefore all their functionality is controlled by those companies.

That being said, the cellular operators don't like to hand out contact information about their customers. All billing is normally done via a MSISDN to a single system that stores a customers credit, and records all billing information. It does not contain any customer details.

I have actually seen a different approach, wherein any messages going to a MSISDN that has been identified as a tablet or modem / dongle, will be redirected to another MSISDN as a SMS or an email address, depending on the customers preferences. All these details were stored in another database.

The company I work for had problems with users who couldn't install our ClickOnce-deployed application. It turned out that they were using a 3G dongle which modified one of the JPEG files in-flight such that it didn't match the hash in the application manifest. We moved to HTTPS anyway so thankfully this stuff is more or less history.

I use H3G on a tablet: every time I reconnect (after the connection drops, when I reboot or switch from wifi to cellular network) the first http request is somehow redirected to a shitty H3G website full of ads.

This is not only annoying but also manages to break everything using an internet connect. For example it overwrites bookmarks, reading list entries, applications fail to load.

Anyway injecting scripts is crazy. Are they still doing it?

How does it overwrite bookmarks?

If a user has a bookmark for http://a.com/, and the ISP redirects with a 301 Permanent Redirect to http://isp.net/, the browser will rewrite a.com to isp.net.

Huh, interesting - what browser is that?

Like, all of them?

Mmm, that's a browser that attempts to be smart at bookmarks management. I have a tablet with a SIM of that company. I'm using Dolphin on that tablet and I get redirected. However Dolphin doesn't rewrite my bookmarks. Maybe it's not a 301 redirect or maybe Dolphin is (luckily) not so smart.

Not browsers being smart as much as this is being explicitly mentioned in the RFC - updating bookmarks and other references is kind of the point of 301 Moved Permanently. To quote from RFC 7231:

   The 301 (Moved Permanently) status code indicates that the target
   resource has been assigned a new permanent URI and any future
   references to this resource ought to use one of the enclosed URIs.
   Clients with link-editing capabilities ought to automatically re-link
   references to the effective request URI to one or more of the new
   references sent by the server, where possible.

I didn't know about that, thanks.

Then I looked for the sanctioned meaning of "ought to" and found https://www.ietf.org/rfc/rfc6919.txt

"The phrase "OUGHT TO" conveys an optimistic assertion of an implementation behavior that is clearly morally right, and thus does not require substantiation."

But it's dated 1st April 2013 so that's a dead end :-)

Still I think that "ought to" in RFC 7231 is close to what 6919 "prescribed" or they would have used MUST or SHALL. Furthermore there is the matter of history and URL autocompletion. I don't know if it should be OK to rewrite history. I'm fine with handling all of that manually.

This is awful.

But to understand why and how awful that is, you need to think of HTTP traffic as private letters. Unfortunately, because HTTP traffic is usually associated with access to public websites, a lot of laypeople think of it as _public_, instead of _private_ communication. Opening NYT website is more like browsing TV that having a correspondence with a trusted friend for them.

This is the real reason shit like this happens. Would you expect Vodafone to modify contents of your private facebook messages or emails, if they had the chance? Of course not; the same suits that authorized this system would scream about user's privacy and never greenlight it. However, _this_ system, to an average user, and average manager, doesn't seem the same.

If you imagine a high-level user story description for it, it won't read "new code is injected in private HTTP traffic", it likely was "make pictures download faster in 3G". Yes, they describe the same awful shit that shouldn't be happening — but the first description screams PRIVACY VIOLATION, while the second seems like a very good thing to do for the sake of the customers.

Never attribute to malice that which is adequately explained by stupidity. And if you want to fight this, don't fight it as you would fight malice. Fight as you would actually fight stupidity.

Deep packet inspection is forbidden in the Netherlands as far as I know. Is there anyone who can confirm both this and if Vodafone is doing this in the Netherlands regardless of this, alleged, legal restriction?

As rdancer pointed out this article is older than the internet and I, and probably some others, hadn't noticed. Still interesting, but not very.

4 years ago is hardly 'older than the internet'.

Since it's an article about the internet, I'm guessing parent realizes that and was exaggerating for emphasis.

I think that's accurate. I just get tired of the culture of newness. Knowledge who's age could best be described in months gets derided for be old and irrelevant.

Last time I've saw this behaviour (using Vodafone Turkey network) was not more than 6 months ago. Haven't checked since, they could still be doing this. So it's not "older than the internet".

Vodafone's also actively pushing for "network management" (read, MITM) for HTTP/2. Previous discussion here: https://news.ycombinator.com/item?id=9422311

More reasons to encrypt everything and start HSs.

When you reach your download quote TTnet, biggest in Turkey, shows a notification in your first HTTP visit. It completely removes the original content. So you lost your POST for example.

They even had a user tracking for advertisment. It constantly asked in StackOverflow (since most of the time I'm there) whether I want to join "track my online activities".

Well, here exist laws too, and they are in sction but it lacks a good philosophy. No wonder they (Turkey) are between Europe and Middle East, both phisicall and mentally.

Edit: I should note that TTnet's big part is now owned by Arabs. That's why they don't care much.

I remember 'Airtel' doing something similar in India, in May-June.

Here is a story about the expose published in Hindustan Times, http://goo.gl/FX31Of

So https and content security policy should be enough to mitigate this kind of stuff or am I wrong?

If they would amend csp headers and inject stuff I would be worried but still there would be https for the rescue.

Yep, ISPs can't do stuff like this to HTTPS traffic. This is one reason some people are advocating HTTPS for all sites, not just sites containing sensitive data.

Great, the blog post is not served over https.

Do we actually want to fix the problem?

Vodafone Fiji used to do this over their 3G network, but that changed when they started serving over 4G 2 years or so ago.

What's worse is that the script changes the content of the alt attribute for all images to something like (off the top of my head) "Press CTRL+A to load full-sized images".

They did respect no-transform though, so I made sure all my sites had that.

I wonder what country this is? France, Germany?

Based on the other content: Netherlands.

Someone recently noticed it on UFone (Pakistan) too: https://www.i.com.pk/ufone-3g-is-injecting-popup-ads-into-yo...

Sprint shows very compressed images on mobile as well. I had assumed they compress the images on the wire rather than injecting JavaScript but I didn't check. Maybe I should.

This is why I switched carriers, too. I had the same "Am I hacked?" moment a while back. Thanks for posting details!

O2 does the same thing – with almost the same messaging ("Shift+R improves the quality of this image").

Aren't they violating CFAA? Committing wire fraud by substituting the traffic?


That is all.

> In a little while we'll all be on TOR.

Tried that. Can't get past the impossible Cloudflare captcha.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact