
What is interesting is that some local internet providers in Kazakhstan used to inject their own ads into http websites their users visit. I wonder if they will start doing the same with https now.

I noticed this behaviour last February with the Kazakhtelecom (telecom.kz) internet provider. When I opened an http website in my browser and started clicking randomly on the parts of the page which are usually not clickable, sometimes such a click would open a pop-up window with ads. Those pop-ups also opened sometimes when I clicked on links on the page. It was unusual, because I had used the same websites just a few days before that from Russia and nothing like that happened.

To figure out what's going on I opened the same webpage through a proxy and compared it with the locally opened one. The shell command for that was something like:

  diff <(curl http://website) <(proxychains curl http://website)
And the only difference was that the directly downloaded webpage contained a reference to some suspicious script in a place where the proxied one had a reference to a Google Analytics script. I reproduced this behaviour with multiple websites from two different homes, on two different laptops (Linux and Windows). So this is unlikely to be malware in my router, and I'm pretty sure it's not in my laptop.

I'll be back in Kazakhstan in 3-5 days, I'll try to reproduce this once again.
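The comment above diffs two raw fetches of the same page (one direct, one through a proxy) to spot the swapped script tag. The following is an added example, not code from the thread: it does the same comparison on the set of external resource references each copy of the page pulls in, so that dynamic content (timestamps, tokens) does not drown out the one injected tag. The two HTML documents and the hostname `injector.example.invalid` are constructed placeholders standing in for the output of `curl` and `proxychains curl`.

```python
"""Spot resource references that an upstream middlebox added to a page.

Added example: compares a direct fetch with a proxied fetch by the external
references they contain rather than by raw bytes.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and attributes that can pull third-party code or content into a page.
_REF_ATTRS = {
    "script": "src",
    "iframe": "src",
    "link": "href",
    "img": "src",
    "object": "data",
    "embed": "src",
}


class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every external resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        attr = _REF_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.add((tag, value.strip()))


def external_refs(html: str) -> set:
    """Return the set of (tag, url) references found in an HTML document."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def compare_fetches(direct_html: str, proxied_html: str):
    """Diff the references of a direct fetch against a proxied fetch.

    Returns (added, removed): references present only in the direct fetch
    (candidates for injection on the local path) and references present only
    in the proxied fetch (what the injected tag replaced).
    """
    direct = external_refs(direct_html)
    proxied = external_refs(proxied_html)
    return direct - proxied, proxied - direct


def foreign_hosts(refs, page_host: str) -> set:
    """Hosts referenced that differ from the page's own (first-party) host."""
    hosts = set()
    for _tag, url in refs:
        host = urlsplit(url).hostname
        if host and host != page_host:
            hosts.add(host)
    return hosts


# Constructed sample documents: what the proxied fetch returned versus what
# the direct fetch returned, with the analytics tag swapped for another
# script. The injector hostname is a placeholder, not a real host.
PROXIED_PAGE = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<link href="/static/site.css" rel="stylesheet">
</head><body><p>Served at 12:00:01</p>
<script src="/static/app.js"></script></body></html>"""

DIRECT_PAGE = """<html><head>
<script src="http://injector.example.invalid/overlay.js"></script>
<link href="/static/site.css" rel="stylesheet">
</head><body><p>Served at 12:00:07</p>
<script src="/static/app.js"></script></body></html>"""


if __name__ == "__main__":
    added, removed = compare_fetches(DIRECT_PAGE, PROXIED_PAGE)
    print("only in direct fetch :", sorted(added))
    print("only in proxied fetch:", sorted(removed))
    print("foreign hosts added  :", sorted(foreign_hosts(added, "website")))
```

Feeding the script the bodies saved from the two fetches (one per path) and looking at `added` gives the list of references that only exist on the local path; comparing the set of foreign hosts rather than full URLs survives cache-busting query strings that change between fetches.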

This is so bad. I'm from India and at my parents' place we have the government-run internet provider. They MITM and inject advertisements all the time, showing annoying popups whenever you open an http link. I don't know how this is even legal.

> I don't know how this is legal even.

Legality is secondary when you are punching up in a 3rd world country. (I am from India)

I'm in the US and I've caught my ISP doing MITM exploits over http (not https... so far). It's global and regular folks have absolutely no chance of knowing what is going on. Needs to be criminalized for any hope of resolution.

Comcast has even published an informational RFC describing how to inject crap into HTTP requests:


1. Please stop self-generalizing. This only leads to hopelessness, which is unwarranted since there's a huge amount of Internet-related activism in India, even more than in Western countries.

2. Please stop using the label "Third-world". You are your own "first-world". There are better labels to describe yourself, namely "developing".

Well, third world just means the country did not align with the US or the USSR during the Cold War. Though the concept has kinda changed meaning lately.

> government run

> how this is legal even.

The government writes and enforces the laws. They'll never self incriminate.

This is a false assumption. Governments (executive branch) can be prosecuted for illegal behavior.

Your statement only applies to the subset of countries where there is judicial independence.

Which is true in case of India

The present judiciary in India lacks spine: on one hand they say privacy is a fundamental right, on the other hand they drag their feet to stop the Aadhaar project, which required collecting a biometric dataset on the whole population.

And their defense claims the US has SSN, which is the equivalent of Aadhaar, which anyone can see is ludicrous.

And still the Aadhaar requirement is not removed for filing income tax returns (which results in massive penalties).

On paper

Use a VPN and they won't be able to MITM or inject advertisements.

Which provider is this? MTNL or BSNL?

Comcast used to do this to me about 6 or 7 years ago to tell me, or someone, about torrent use on the connection and something or other about copyright infringement. They'd inject their messages into the HTML of websites and you'd have to dismiss them to continue to use the site. Not their site. All sites.

Ok, I begin to understand the idea behind HTTPS Everywhere...

I've noticed Airtel doing something similar in India but to inform of approaching bill dates.

> What is interesting is that some local internet providers in Kazakhstan used to inject their own ads into http websites their users visit.

Several ISPs (including some big national players, not smaller local/struggling/other ISPs) trialled that sort of thing in the UK in the mid/late 00s but there was a big enough ruckus about it that they stopped.

The really egregious thing about what some of them were doing is that they replaced existing ads, so were basically trying to take money off the sites (they were at the same time also trying to get sites to pay or be considered "low priority" traffic, so were trying to triple-dip: get paid by their primary consumer, get paid by the sites, and take the sites' ad money).

It doesn't surprise me that it is actively happening in places where there is less choice (so "voting with your feet" is not an option for telling ISPs what you think) or public outcry is less effective (or drowned out by more pressing issues the area might have).

I had ads injected by some European and UK ISPs on my own website. It pushed me to finally get Let's Encrypt implemented and switch everything over to https.

I wonder if they also proxy stuff like the Google endpoints where Chrome does key pinning, or if they whitelist those. I imagine other large systems like those of Facebook (when using the app) and Apple are actively remembering what the keys are supposed to look like. That would mean that even a custom CA wouldn't allow carte blanche MITM.

Chrome will disable key pinning for CAs that are user installed rather than system provided (to support companies/schools who want to MITM for slightly less draconian reasons).

I do wonder if Chrome will go to requiring CAs for this purpose to be deployed via something more "enterprise" (e.g. custom extensions on Windows need to be deployed via group policy now).

AFAIK, Chrome on Windows doesn't manage root certificates, it just utilises Windows' own cert store (certmgr).

I think you misunderstood the parent comment :)

Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CAs added by the end user (aka the person at the keyboard, or enterprise admins, etc.) bypass pinning.

For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network. E.g. is someone attaching all our customer data to an email in Gmail? To know that, I need to MITM mail.google.com.

Sadly, this mechanism does get abused :(

> Any CAs added by the end user (aka the person at the keyboard, or enterprise admins, etc.) bypass pinning.

But how would Chrome know if a root cert from Windows' cert store was added by the user or not? They would all be located in the "Trusted Root Certification Authorities" container.

Yeah, no. This is Windows.

"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.

So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.

Oh! I should've known it was all stored in the registry. As you say, this is Windows after all. Found some MS docs that look relevant: https://docs.microsoft.com/en-gb/windows/win32/seccrypto/sys...

Hey there!

I had a similar experience with my ISP in Canada. In fact, I did a talk on how I worked out what was going on from a technology perspective: https://www.youtube.com/watch?v=_YeaYIPM-QI

If you want to conduct some testing, I'd be more than happy to help.

Dumb question as I don't understand this well.

If I visit https://gmail.com, I expect all traffic to be encrypted because my browser checks that Gmail is indeed using an encrypted connection. How is this getting intruded upon?

More importantly, suppose I check in to a hotel in the USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?

Could someone please give me some clarity on this.

> How is this getting intruded upon?

The connection is still encrypted; the whole purpose of certificates is to verify WHO you are connected with. In the Kazakhstan case, the government, by installing a root certificate, has the ability to impersonate Gmail.

> More importantly, suppose I check in to a hotel in the USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?

If the site you visit is over https you can be relatively certain that you are indeed establishing an encrypted connection with the domain owner. If it's plain http, anyone sniffing on the same wifi can see and mess with your traffic.

Be careful.
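Two things are explained across the thread: that a root certificate added to the local trust store lets its holder present a valid-looking certificate for any name (the answer just above), and that Chrome enforces key pins only for chains that end in a root shipped "in the box", not for roots added by the user or an enterprise (the pinning sub-thread). The following is an added example that models both checks; it is not Chrome's code and not the page's own. Certificates are reduced to a subject, the key they carry and the key that signed them; every key, root name and pin below is a constructed placeholder, and the `origin` label stands in for the separate built-in versus locally-added stores the thread describes.

```python
"""Model of chain validation plus Chrome-style pin enforcement.

Added example: shows why a locally installed root makes an impersonated
mail.google.com acceptable, and why pinning only catches a forged chain if
the forging root were treated as a built-in one.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes          # the public key the cert carries (constructed bytes)
    issuer_spki: bytes   # the key that signed it (== spki for a self-signed root)


@dataclass(frozen=True)
class TrustAnchor:
    cert: Cert
    origin: str  # "builtin" (shipped with OS/browser) or "user" (added locally)


def spki_hash(spki: bytes) -> str:
    """Pin format used by HPKP and Chrome's static pins: 'sha256/<base64>'."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()


def build_chain(leaf: Cert, intermediates, anchors):
    """Walk issuer links from the leaf until a trust anchor's key is reached.

    Returns (chain, anchor), or (None, None) if no configured anchor signs
    the chain. This is the 'who am I really talking to' check: any anchor in
    the store, built-in or user-added, makes the chain acceptable.
    """
    by_spki = {c.spki: c for c in intermediates}
    anchor_by_spki = {a.cert.spki: a for a in anchors}
    chain, current = [leaf], leaf
    for _ in range(8):  # bound the walk; real validators limit depth too
        anchor = anchor_by_spki.get(current.issuer_spki)
        if anchor is not None:
            return chain + [anchor.cert], anchor
        nxt = by_spki.get(current.issuer_spki)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        current = nxt
    return None, None


def pins_satisfied(chain, anchor: TrustAnchor, pins: set) -> bool:
    """Pins are enforced only for chains ending in a built-in anchor; a chain
    ending in a locally added anchor bypasses them (the enterprise carve-out
    the thread describes). Otherwise some key in the chain must be pinned."""
    if anchor.origin != "builtin":
        return True
    return any(spki_hash(c.spki) in pins for c in chain)


def connection_accepted(leaf, intermediates, anchors, pins):
    """Combine both checks: chain to a trusted anchor, then pins."""
    chain, anchor = build_chain(leaf, intermediates, anchors)
    if chain is None:
        return False, "untrusted issuer"
    if not pins_satisfied(chain, anchor, pins):
        return False, "pin mismatch"
    return True, f"ok via {anchor.origin} root {anchor.cert.subject}"


# Constructed scenario: a genuine chain and a forged one for the same name.
REAL_ROOT = Cert("Builtin Root (placeholder)", b"key-real-root", b"key-real-root")
REAL_INTERMEDIATE = Cert("Real Intermediate", b"key-real-int", b"key-real-root")
REAL_GMAIL = Cert("mail.google.com", b"key-gmail", b"key-real-int")

INTERCEPT_ROOT = Cert("Intercept Root (placeholder)", b"key-mitm-root", b"key-mitm-root")
FORGED_GMAIL = Cert("mail.google.com", b"key-forged", b"key-mitm-root")

# The site pins the key of the built-in root that really issues its certs.
GMAIL_PINS = {spki_hash(REAL_ROOT.spki)}

STORE_CLEAN = [TrustAnchor(REAL_ROOT, "builtin")]
STORE_WITH_USER_ROOT = STORE_CLEAN + [TrustAnchor(INTERCEPT_ROOT, "user")]
# What it would look like if that same root had shipped "in the box" instead.
STORE_WITH_BUILTIN_ROOT = STORE_CLEAN + [TrustAnchor(INTERCEPT_ROOT, "builtin")]

if __name__ == "__main__":
    for label, leaf, store in [
        ("genuine gmail, clean store", REAL_GMAIL, STORE_CLEAN),
        ("forged gmail, clean store", FORGED_GMAIL, STORE_CLEAN),
        ("forged gmail, user-added root", FORGED_GMAIL, STORE_WITH_USER_ROOT),
        ("forged gmail, builtin root", FORGED_GMAIL, STORE_WITH_BUILTIN_ROOT),
    ]:
        print(f"{label:31s}", connection_accepted(leaf, [REAL_INTERMEDIATE], store, GMAIL_PINS))
```

The four runs line up with the thread: the forged chain is rejected by a clean store, accepted once the intercepting root is present as a user-added anchor (pins bypassed, which is what makes the Kazakhstan root and enterprise inspection work), and only the hypothetical case of the same root being built-in is caught by the pin check. Removing the untrusted root from the store, or routing through a VPN whose endpoint does not hold that root, is what restores the rejection.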

