Back in October, I started receiving notifications that said, “You've reached 50% of your Internet usage”. In the past these notifications would arrive by email or I could check my usage by logging into the Bell site, either of which is entirely acceptable. However, in October, these notifications began to appear embedded into web pages that I was browsing, specifically in web pages that don't belong to Bell and have nothing to do with Bell.
I don't care that they provide a way to disable this, or that somewhere in Bell’s terms and conditions I may have ostensibly agreed to this action. They shouldn't be doing this any more than the post office should be tearing open my letters to insert notices that they want me to see.
I wrote a complaint to Bell (and canceled my phone and Internet with them!) but they didn't reply. I also wrote to the CRTC and the Privacy Commissioner. The Privacy Commissioner said it's not in their jurisdiction. I'm still waiting to hear from the CRTC.
I assure you, complaining to the CRTC is the way to go. Each and every complaint is taken very seriously and will not be dropped. The CRTC takes their role very seriously. They function at the speed of molasses, but they do function.
As it stands, they're basically the only supplier near us (sub-rural texas), so I just got a VPN.
Telus/Koodo wireless has a proxy that at one point back in 2012 was incompatible with Chrome's bandwidth saving features, at least back when I was testing in Canary. I was never able to follow up on said proxy after reporting the bug to Google, who got in touch with Telus, but ping times were at least 100ms higher in general than what Rogers Wireless was giving me for similar assets/signal strength.
I, as a hobby web-dev and photographer, like my images to be delivered in the exact quality I put them on the server in. So the Vodafones or O2s of this world mess with my intended design.
As a user I want to experience the web with best image quality, not censored (right now in terms of quality) crappy versions of these images.
This paternalism sadly is not felt by the majority of people out there and will never lead to an 'uprising' (for lack of a better word), be it done by corporations or be it done by governments.
We will see more of that in the future, and I have lost belief in being able to tell others who are not that tech-savvy why this is not good. They nod their heads, but it does not register. Sadly so.
Add "Cache-Control: no-transform" to your headers to disable image compression for all your site's visitors.
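Added example (not code from the thread): a small WSGI middleware that guarantees every response carries `Cache-Control: no-transform` without clobbering directives the origin already set, plus a parser that lets you verify the directive on a captured response. It uses only the Python standard library; `demo_app` and its headers are constructed for the example.

```python
"""Serve every response with `Cache-Control: no-transform` and verify it.

Added example, not from the thread. Standard library only.
"""
from typing import List, Tuple

from wsgiref.util import setup_testing_defaults

Headers = List[Tuple[str, str]]


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control value into {directive: argument-or-None}.

    Directive names are case-insensitive (RFC 7234), so they are lowercased.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def has_no_transform(headers: Headers) -> bool:
    """True if any Cache-Control header on the response carries no-transform."""
    for name, value in headers:
        if name.lower() == "cache-control" and "no-transform" in parse_cache_control(value):
            return True
    return False


def add_no_transform(headers: Headers) -> Headers:
    """Return a header list whose Cache-Control includes no-transform.

    Existing directives (public, max-age, ...) are preserved; a missing header is created.
    """
    out: Headers = []
    found = False
    for name, value in headers:
        if name.lower() == "cache-control":
            found = True
            if "no-transform" not in parse_cache_control(value):
                value = (value.rstrip().rstrip(",") + ", no-transform") if value.strip() else "no-transform"
        out.append((name, value))
    if not found:
        out.append(("Cache-Control", "no-transform"))
    return out


class NoTransformMiddleware:
    """WSGI middleware: wraps start_response so every response opts out of transformation."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_no_transform(headers), exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed origin app: sets only caching directives, as many image servers do."""
    start_response("200 OK", [("Content-Type", "image/jpeg"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"\xff\xd8\xff"]  # JPEG start-of-image marker as a stand-in body


def run_once(app, path: str = "/photo.jpg") -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app against a synthetic request; return status, headers and body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_once(NoTransformMiddleware(demo_app))
    print(status, headers, "no-transform present:", has_no_transform(headers))
```

The directive only binds intermediaries that honour RFC 7234; the check function is there so you can confirm, from a client on the affected network, whether the header survived the path and whether the proxy respected it.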
The bmi.js injection may look a bit nasty, but it is there to save bandwidth for users who are on a bandwidth budget. Vodafone would profit from higher bandwidth usage.
- As a developer I looked for a way to disable this system - maybe something changed, but ~5 years ago I couldn't find any information about the 188.8.131.52 address and support told me it's not possible.
- Unless you're running a site that's professionally based on image distribution, you're unlikely to know no-transform exists.
- NoScript can block the bmi script specifically, not everything. Vodafone doing MITM shouldn't concern webdevs.
- The injection does not look nasty. It is nasty - you get no easy switch for it and cannot decide for yourself what behaviour you want. If you really want bandwidth saving, use opera mini - it's available for all phones now.
Sorry for being harsh, but I don't see how Vodafone's MITM can be defended in any way.
Sorry but this is a ridiculous statement, it's like saying websites should still be able to run on Gopher. (Which some people want)
It's cool if you want to run NoScript, but if you think websites should/would be made around that you have cognitive dissonance.
Other than that, informative comment.
> run on Gopher
Nonsense - CSS is very powerful, and all the functionality most websites need works fine with <form>s.
> cognitive dissonance
Err, no - leaving out progressive enhancement is just lazy. Why would you prefer to show people a broken website as a first impression? Do you even know how many people see a broken website? (i.e. do you check server logs?)
Do you ever do advanced sites where multiple actions exist on one page that can't be easily encapsulated in HTML?
I ask because calling devs lazy for not backwards-checking their JS scripts is a bit much. So you want them to solve the problem they just solved, except this time, do it without some code assistance? That seems a bit unreasonable.
> vast majority of your users will never even consider turning it off.
I ask this every time someone makes that claim, and have never gotten a response.
> I ask this every time someone makes that claim, and have never gotten a response.
Well, i am glad to help out. Have a look at  which presents data of 509.314 visitors.
Isn't that great? Now you don't have to ask every time somebody makes that claim!
"You don't need a language other than __. __ is a Turing-complete language, thus is very powerful, so it should have all the functionality most developers need."
I don't think that term "cognitive dissonance" means what you think it means.
Also please avoid ad hominem statements on Hacker News. It's not far away from saying "if you think that then you are stupid", and no more constructive.
> Sorry but this is a ridiculous statement, it's like saying websites should still be able to run on Gopher.
Sorry, but your statement is ridiculous. Unless the website is an application, that is, it does something useful, it's just a bunch of text and images. You should not expect people to give you full Turing capability just because you're too full of your awesomeness that you can write a program.
A very popular example of this is 100.64/10, but one can find little bits here and there. Plenty of providers don't just use that range but 1/8 is pretty safe to use.
There are even posts on networking mailinglists about tests for using the multicast ranges (multicast doesn't work* anyway and is now widely considered a "never gonna happen" design). Leave 184.108.40.206/24 alone and you can pretty much use the rest of 220.127.116.11/4. Also, most of broadcast is fine to use on most networking equipment.
* of course, locally within a network it does work for a very small number of multicast streams (certainly doesn't work for 2^28 multicast streams as designed, so in ipv6 they upped the number of available multicast channels to 2^120)
Ideally, I guess that would be true, but from a development cost perspective and user interface perspective that is just not possible in 2015.
What do you think my impression of your website is when all I see is a blank page or an endlessly spinning loading wheel?
Of course, there are ways around this, but I liken it to this scenario: If there are two similar houses on a block and only one has an alarm system, the cat burglar will choose the one without the alarm.
Secure should be the default with insecure being left for special cases that need it.
If by "HTTPS everywhere" you mean enabling HTTPS on all websites, I could not agree more.
In any case, I haven't heard of a single source fighting against this switch. Some sources please?
And it's generally random web developers who are against HTTPS on everything. Generally the reasons are:
* Cost (this one is going away hopefully)
* Performance (tls is too slow!)
* CPU/Memory overhead on the server
* What they are showing doesn't need to be secured anyway.
I don't really agree with any of those points, but that is what I hear when I bring it up.
I tried to contact support only to find out the company had been sold recently and the new owners saw fit to fire all the support staff and do away completely with telephone support for technical issues. Tried chat and after waiting, no joke, three hours for someone to show up in the chat was told that the problem was with my code. Even after telling the agent I could upload a blank page and the code would be injected into the page.
Long story short, I am now hosting on my own server. Now looking for a good host I can point my customers to, one that won't try to nickel and dime them like GoDaddy.
Isn't cheap, but this is the best shared host I used until I got a bunch of my own dedicated servers.
If you're going to use a shared host, you should use NFSN IMO.
Normally all port 80 and 8080 traffic is redirected to the system, and then rules are run to determine what happens to the traffic and/or what code is to be injected into the page.
The system is used to help reduce bandwidth, as well as including a better TCP algorithm for use over the radio links, to help cut down lag and retransmissions, because the radio links are notoriously bad, and the standard algorithm doesn't quite cut it.
The system will actively try to down sample both images and video to help reduce bandwidth usage. In the case of video, it also tries to limit the buffered video to no more than X seconds ahead.
And finally, it is also a big cache, and it tries to keep the most requested content locally. One of the new features is the ability to 'guess' what video is being viewed inside an HTTPS stream and try to cache it too.
As mentioned above with regards to the Canada telcos inserting iframes or content regarding their data usage and caps, the system can inject any content into the HTML page if it is provided over HTTP. They do this because normally they have no way to contact customers that have tablets, or 3G modems / dongles, to alert them of limits or just to be able to contact them.
Even if you accept that the only way for them to contact their users is via their data connection (which, again, doesn't make sense,) there are far less intrusive methods than injecting content into existing pages. For instance, they could send the user to a separate notification page, perhaps with a helpful link to the resource that the user was intending to browse to. No need to mess with (or see) the contents of any pages.
However you have to understand how a lot of the cellular operators function. They don't build much of the systems in house, but buy from large companies like Ericsson, Huawei and so forth. Therefore all their functionality is controlled by those companies.
That being said, the cellular operators don't like to hand out contact information about their customers. All billing is normally done via an MSISDN to a single system that stores a customer's credit and records all billing information. It does not contain any customer details.
I have actually seen a different approach, wherein any messages going to an MSISDN that has been identified as a tablet or modem / dongle will be redirected to another MSISDN as an SMS or to an email address, depending on the customer's preferences. All these details were stored in another database.
This is not only annoying but also manages to break everything using an internet connection. For example it overwrites bookmarks and reading list entries, and applications fail to load.
Anyway injecting scripts is crazy. Are they still doing it?
> The 301 (Moved Permanently) status code indicates that the target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs. Clients with link-editing capabilities ought to automatically re-link references to the effective request URI to one or more of the new references sent by the server, where possible.
Then I looked for the sanctioned meaning of "ought to" and found https://www.ietf.org/rfc/rfc6919.txt
"The phrase "OUGHT TO" conveys an optimistic assertion of an implementation behavior that is clearly morally right, and thus does not require substantiation."
But it's dated 1st April 2013 so that's a dead end :-)
Still I think that "ought to" in RFC 7231 is close to what 6919 "prescribed" or they would have used MUST or SHALL. Furthermore there is the matter of history and URL autocompletion. I don't know if it should be OK to rewrite history. I'm fine with handling all of that manually.
But to understand why and how awful that is, you need to think of HTTP traffic as private letters. Unfortunately, because HTTP traffic is usually associated with access to public websites, a lot of laypeople think of it as _public_, instead of _private_ communication. Opening the NYT website is more like browsing TV than having a correspondence with a trusted friend for them.
This is the real reason shit like this happens. Would you expect Vodafone to modify contents of your private facebook messages or emails, if they had the chance? Of course not; the same suits that authorized this system would scream about user's privacy and never greenlight it. However, _this_ system, to an average user, and average manager, doesn't seem the same.
If you imagine a high-level user story description for it, it won't read "new code is injected in private HTTP traffic", it likely was "make pictures download faster in 3G". Yes, they describe the same awful shit that shouldn't be happening — but the first description screams PRIVACY VIOLATION, while the second seems like a very good thing to do for the sake of the customers.
Never attribute to malice that which is adequately explained by stupidity. And if you want to fight this, don't fight it as you would fight malice. Fight as you would actually fight stupidity.
They even had user tracking for advertisement. It constantly asked on StackOverflow (since most of the time I'm there) whether I want to join "track my online activities".
Well, laws exist here too, and they are in action, but it lacks a good philosophy. No wonder they (Turkey) are between Europe and the Middle East, both physically and mentally.
Edit: I should note that TTnet's big part is now owned by Arabs. That's why they don't care much.
Here is a story about the expose published in Hindustan Times, http://goo.gl/FX31Of
If they would amend csp headers and inject stuff I would be worried but still there would be https for the rescue.
Do we actually want to fix the problem?
What's worse is that the script changes the content of the alt attribute for all images to something like (off the top of my head) "Press CTRL+A to load full-sized images".
They did respect no-transform though, so I made sure all my sites had that.
That is all.
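Added example, not code from the thread or from any operator: a defender-side check for the behaviour described in the comments above (a carrier proxy injecting scripts, iframes and usage notices into HTTP pages, and a script rewriting image alt text). It compares the page as the origin served it (e.g. fetched directly over HTTPS) with the page as received on the affected network and reports what an intermediary added or changed. Both HTML samples are constructed, and the host `injector.example` is a placeholder, not a real proxy address.

```python
"""Flag content an intermediary added to or changed in an HTTP page.

Added example, not from the thread. The HTML samples are constructed and
'injector.example' is a placeholder host. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageInventory(HTMLParser):
    """Collects external script URLs, inline script bodies, iframe sources and image alt text."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # src of <script src=...>
        self.inline = []    # bodies of inline <script> blocks
        self.iframes = []   # src of <iframe>
        self.alts = {}      # img src -> alt text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "img":
            self.alts[a.get("src", "")] = a.get("alt", "")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inventory(html: str) -> PageInventory:
    p = PageInventory()
    p.feed(html)
    p.close()
    return p


def host_of(url: str):
    """Host of an absolute or protocol-relative URL; None for a relative (first-party) path."""
    return urlsplit(url).hostname


def find_injections(reference_html: str, observed_html: str, first_party_hosts: set) -> dict:
    """Compare the origin's page with the page as received.

    Reports scripts and iframes that are absent from the reference and not first-party,
    inline scripts that appeared, and images whose alt text changed.
    """
    ref, obs = inventory(reference_html), inventory(observed_html)
    findings = {"scripts": [], "iframes": [], "inline": [], "alt_changed": []}
    for src in obs.scripts:
        if src not in ref.scripts and host_of(src) not in first_party_hosts:
            findings["scripts"].append(src)
    for src in obs.iframes:
        if src not in ref.iframes:
            findings["iframes"].append(src)
    for body in obs.inline:
        if body not in ref.inline:
            findings["inline"].append(body[:60])
    for src, alt in obs.alts.items():
        if src in ref.alts and ref.alts[src] != alt:
            findings["alt_changed"].append((src, ref.alts[src], alt))
    return findings


# Constructed sample: the page as the origin serves it.
REFERENCE = """<html><head><title>Gallery</title>
<script src="/js/app.js"></script></head>
<body><img src="/img/1.jpg" alt="Sunset over the harbour"></body></html>"""

# Constructed sample: the same page as received through an injecting proxy.
OBSERVED = """<html><head><title>Gallery</title>
<script src="/js/app.js"></script>
<script src="http://injector.example/bmi.js"></script>
<script>var bmi_ok=1;</script></head>
<body><img src="/img/1.jpg" alt="Press CTRL+A to load full-sized images">
<iframe src="http://injector.example/usage-notice"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, items in find_injections(REFERENCE, OBSERVED, {"example.org"}).items():
        print(kind, items)
```

In practice the reference copy comes from the origin over a path the intermediary cannot rewrite (HTTPS, or a direct connection outside the carrier's network); the observed copy is what a client on the affected network actually receives. Running this periodically from such a client is a simple way to notice when an operator starts, or stops, rewriting pages.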
Tried that. Can't get past the impossible Cloudflare captcha.