I noticed this behaviour last February with the Kazakhtelecom (telecom.kz) internet provider. When I opened an http website in my browser and started clicking randomly on parts of the page which are usually not clickable, sometimes such a click would open a pop-up window with ads. Those pop-ups also opened sometimes when I clicked on links on the page. It was unusual, because I had used the same websites just a few days before that from Russia and nothing like that happened.
To figure out what was going on, I opened the same web page through a proxy and compared it with the locally opened one. The shell command for that was something like:
diff <(curl http://website) <(proxychains curl http://website)
I'll be back in Kazakhstan in 3-5 days, I'll try to reproduce this once again.
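The diff-the-two-fetches idea above, carried one step further as an added example (not the poster's code): instead of eyeballing the raw diff, pull out the lines that only appear in the copy delivered over the suspect path and list any script/iframe/img sources on them that point at a host other than the site itself. The two HTML strings and the `ads.example-isp.invalid` host are constructed sample data.

```python
import difflib
import re
from typing import List
from urllib.parse import urlparse

# Constructed sample: the page as fetched through a clean proxy (reference)
# and the same page as delivered over the local ISP path (suspect).
CLEAN_HTML = """<html><head><title>Example</title></head>
<body>
<p>Welcome to the site.</p>
<a href="/news">News</a>
</body></html>
"""

ISP_HTML = """<html><head><title>Example</title>
<script src="http://ads.example-isp.invalid/inject.js"></script></head>
<body>
<p>Welcome to the site.</p>
<a href="/news">News</a>
<iframe src="http://ads.example-isp.invalid/popup" style="display:none"></iframe>
</body></html>
"""

# Tags that load a remote resource via a src attribute.
SRC_TAG_RE = re.compile(r'<(script|iframe|img)\b[^>]*?\bsrc=["\']([^"\']+)', re.I)


def injected_lines(reference: str, suspect: str) -> List[str]:
    """Lines present in `suspect` that have no counterpart in `reference`.

    Uses difflib's line-level alignment so that a single reshuffled line
    (e.g. a <script> spliced in before </head>) shows up as added text."""
    ref_lines = reference.splitlines()
    sus_lines = suspect.splitlines()
    matcher = difflib.SequenceMatcher(None, ref_lines, sus_lines)
    added: List[str] = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(sus_lines[j1:j2])
    return added


def foreign_resources(reference: str, suspect: str, site_host: str) -> List[str]:
    """URLs of script/iframe/img resources that exist only in the suspect copy
    and are served from a host other than the site being visited."""
    urls: List[str] = []
    for line in injected_lines(reference, suspect):
        for _tag, url in SRC_TAG_RE.findall(line):
            host = urlparse(url).hostname
            if host and host.lower() != site_host.lower():
                urls.append(url)
    return urls
```

Feed `foreign_resources` the two `curl` outputs from the command above and the hostname you requested; an empty list means nothing third-party was spliced in on the suspect path.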
Legality is secondary when you are punching up in a 3rd world country. (I am from India)
2. Please stop using the label "Third-world". You are your own "first-world". There are better labels to describe yourself, namely "developing".
> how this is legal even.
The government writes and enforces the laws. They'll never self incriminate.
And their defense claims the US has the SSN, which is the equivalent of Aadhaar, which anyone can see is ludicrous.
And still the Aadhaar requirement is not removed for filing income tax returns (which results in massive penalties).
Several ISPs (including some big national players, not smaller local/struggling/other ISPs) trialled that sort of thing in the UK in the mid/late 00s but there was a big enough ruckus about it that they stopped.
The really egregious thing about what some of them were doing is that they replaced existing ads, so they were basically trying to take money off the sites (they were at the same time also trying to get sites to pay or be considered "low priority" traffic, so they were trying to triple-dip: get paid by their primary consumer, get paid by the sites, and take the sites' ad money).
It doesn't surprise me that it is actively happening in places where there is less choice (so "voting with your feet" is not an option for telling ISPs what you think) or public outcry is less effective (or drowned out by more pressing issues the area might have).
I do wonder if Chrome will go to requiring CAs for this purpose to be deployed via something more "enterprise" (e.g. custom extensions on Windows need to be deployed via group policy now).
Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CAs added by the end user (aka the person at the keyboard, or enterprise admins, etc.) bypass pinning.
For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network. E.g. is someone attaching all our customer data to an email in gmail? To know that, I need to MITM mail.google.com.
Sadly, this mechanism does get abused :(
But how would Chrome know if a root cert from Windows' cert store was added by the user or not? They would all be located in the "Trusted Root Certification Authorities" container.
"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.
So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.
I had a similar experience with my ISP in Canada. In fact, I did a talk on how I worked out what was going on from a technology perspective: https://www.youtube.com/watch?v=_YeaYIPM-QI
If you want to conduct some testing, I'd be more than happy to help.
If I visit https://gmail.com, I expect all traffic to be encrypted because my browser checks that gmail is indeed using an encrypted connection. How is this getting intruded upon?
More importantly, suppose I check in to a hotel in the USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?
Could someone please give me some clarity on this?
The connection is still encrypted; the whole purpose of certificates is to verify WHO you are connected with. In the Kazakhstan case the government, by installing a root certificate, has the ability to impersonate gmail.
> More importantly, suppose I checkin to a hotel in USA as I usually do and use the hotel's wifi. Would they be able to intrude into my connection to https://gmail.com?
If the site you visit is over https, you can be relatively certain that you are indeed establishing an encrypted connection with the domain owner. If it's plain http, anyone sniffing on the same wifi can see and mess with your traffic.