The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regards to WiFi.
As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
I sometimes reminisce about the things we did, but even if you refuse to race to the bottom, you get dragged down by a Linksys router and consumer-grade internet connection even if the experiences for guests are markedly lower. I'm much happier to now be working in an industry where our customers, and our customers' customers, value the work that is done and pay accordingly.
WiFi is just as much part of the service a modern hotel provides as a clean bed, nice breakfast and whatever else they might advertise. Why isn't it treated like that? Why aren't they putting ads on my pillow?
The reason for the extortionate costs? Probably to make up for the lost revenue streams from people not using the in-room phones any more. I hope that at least in this instance the guy wasn't paying for the internet access, that would be taking the p*ss!
For those of you in the UK then the show is here:
Why watch expensive in-room pr0n from Lodgenet (and have to explain the charge on your bill) when a browser will serve up similar at a lower cost?
At a recent resort stay, they provided a catalogue that allowed one to purchase the same linens and toiletries provided in the suite.
Thought exercise: If you took away the WiFi, you would still have a hotel. If you took away the bed, you would have ____.
By "fair price", I mean a similar cost per megabyte transferred to what I could reasonably expect to pay for home or business internet service in that area. They can meter it and add it to my bill. So I can go nuts on bittorrent, but at a fair price. If I don't go nuts on bittorrent, I'd expect that the total should be very cheap for a typical hotel visit, especially compared to the rest of the bill.
By "good network service" I mean comparable in bandwidth and latency to residential or business service offered by ISPs in the area (e.g. cable or DSL), with good wifi coverage, and no port blocking or any other kind of filtering or traffic shaping beyond what's necessary to fight spam and provide good service to all the guests using the network.
Also, please don't restrict the number of devices. I've had hotels insist on one device to a room, or demand unreasonable fees for extra devices. If each person has a phone, a tablet and a laptop, that's pretty inconvenient. Please bill for total bytes transferred instead.
I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
You get many details about the hospitality space dead wrong.
First, in direct response to "GMs are responsible for contracting their own networking services"...
GMs are managed across several MBOs, including occupancy and REVPAR (revenue per available room).
There are 3 major players in the hotel space:
1) People who own hotels, 2) People who manage hotels, and 3) People who brand hotels. Two or even three of these may be a single party. From this you quickly learn that "Hilton" is a brand, and that, while Hilton owns some of the hotels with its brand on top, it also owns hotels without a Hilton brand, and manages hotels on behalf of 'ownership groups' with a mixed set of brands.
At the end of the day, it is the owner, not the GM, who decides which vendor gets a particular contract. Sometimes the owner will defer to the management team (which may, remember, be a separate entity).
Yes, WiFi (with Internet access) is the single-most requested amenity. I come from the bad old days, before the dot.com bust, when hotels were full, and the GM would look at me and explain, "My hotel is full, you should pay me to install this, and give a split of the revenue to me."
Ad injection is bullshit, pure and simple. It's XSS by another name.
> I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
> You get many details about the hospitality space dead wrong.
Surely you meant to say "Wow it's interesting to see how different your experiences are from mine, working in that same industry".
Because, you know, I don't think either of you is making stuff up or is "dead wrong". And in such a large industry, with several different quality segments, it's very possible that there's more than one way to do it.
Like you said, the GM, the owner, and the franchise group is a fuzzy designation at best. The contract is always with the owning entity, but management will most likely select the provider.
It's not a fuzzy designation, it's what happens when the backroom guys are literally playing Monopoly with real world objects.
I was with Wayport (now AT&T). Who are you with?
Some here are dismissing js-alternatives to their products (e.g. html only) with the rhetorical question "who surfs without js nowadays anyway?".
How do you take care of the aforementioned problem?
But seriously, you're just as screwed if they inject HTML that changes the form submit URL for your password to an attacker-controlled site. The real answer to this problem is HTTPS, everywhere.
My point is, that this should be a concern for the developer of an application and not being pushed onto the "dumb user".
I'm sure that there are better answers than three letter acronyms.
It's unreasonable to assume that majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that majority of users will surf with js disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
How is this possible?
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
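As an added illustration (not part of this thread), a small Python model of the browser-side HSTS store, showing why step 2 above fails once a host has been seen over HTTPS with a Strict-Transport-Security header: the browser rewrites the plain http:// request to https:// before it leaves the machine, so a stripping proxy never sees it. Host names, times and header values are constructed; a genuine first visit, with nothing cached yet, stays exposed unless the host is on the browser's preload list.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is malformed (browsers ignore a header without a valid max-age)."""
    max_age = None
    include_subdomains = False
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}

class HstsCache:
    """Minimal model of a browser's HSTS store (constructed for this example)."""
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def record(self, host, header_value, now, over_https=True):
        if not over_https:          # header only honoured over a valid TLS connection
            return
        d = parse_hsts(header_value)
        if d is None:
            return
        if d["max_age"] == 0:       # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + d["max_age"], d["include_subdomains"])

    def upgrade(self, url, now):
        """Return the URL the browser would actually request for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):          # exact host, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:             # parent only counts with includeSubDomains
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```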
I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.
Though, the network is open which is a danger within itself, the network asks you to accept an invalid security certificate (which means they MITM everything from the get-go), and then they took the time to make you read/accept an agreement stating in bold that this is an insecure network, and that everything you do over it will be audited and monitored (SSL-STRIPPING). As a juror, you must then sign in using your badge #.
It defeats the purpose of any of these post-associated protections if an attacker simply injected his own certificate or JavaScript frame. Even creating a Honeypot-Rogue-AP using any number of wireless capable devices such as smartphones and mobile routers, even wristwatches & sunglasses.
Compromising a jury from an attacker's standpoint would be to sit in the cafeteria and literally eat cake.
Receiving spam ads is the least of your worries.
So how do you pay for it all? You're in a hotels.com price war with all your competitors, so you can't just raise room rates. Your customers will get pissed off if you tell them they have to pay extra for wifi. So eventually some genius comes along and gives you this brilliant idea that will make wifi pay for itself, and this is what you get.
Marriott is a franchise business. That is, they don't own the hotels. They license the brand to hotel owners or operating groups. Most hotel brands work this way. Some hotel brands require their owners to use a specific wifi provider or choose from a list of approved providers. Other brands let their owners do whatever they want.
In this case you can see that the owner opted for a presumably low-cost provider that hoped to recoup its costs by displaying ads this way.
Marriott owns hotels, but they don't own every hotel with a Marriott brand on top.
Hotel "brands" can NOT dictate providers AT ALL. To do so runs afoul of anti-trust law. They CAN issue a "brand standard" that you have to have WiFi, and it has to be at least "this good" (insert specification).
Now, where the hotels are OWNED (by any party) the OWNER can dictate whatever the hell she wants.
And Marriott most certainly does own a large percentage of the hotels that sport their brand.
It is icky for all sorts of reasons. I suppose an individual website could consider it theft of ad revenue, and an end-user could consider their privacy invaded.
No, they just need to intercept all the port 80 traffic.
They call it transparent because the client does not need to support using a proxy server or even be aware that it is happening.
Transparent proxies are common at corporations that filter web browsing. It is harder to circumvent than DNS blocking.
I suppose that it is no longer a transparent proxy once it starts modifying the requests or responses. But even transparent proxies generally serve an error message in some cases, like when a domain name doesn't exist or a server does not respond on port 80. So they are rarely, if ever, fully transparent.
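An added example, not from this thread, of the kind of check a guest or site owner can run to tell a merely transparent proxy from one that rewrites responses: fetch the same page once over the suspect network and once over a trusted path (HTTPS or a VPN), then diff the external resources each copy loads. The HTML below is constructed, and the `.invalid` host stands in for whatever the proxy actually injected.

```python
from html.parser import HTMLParser

class ExternalRefCollector(HTMLParser):
    """Collect external script/iframe/img sources and count inline scripts."""
    WATCHED = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.refs = set()
        self.inline_scripts = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if src:
            self.refs.add((tag, src))
        elif tag == "script":
            self._in_inline_script = True   # <script> with no src: inline code

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def collect(html):
    p = ExternalRefCollector()
    p.feed(html)
    p.close()
    return p.refs, p.inline_scripts

def injected_content(reference_html, observed_html):
    """Resources in the copy fetched over the untrusted network that the
    reference copy (fetched over HTTPS or a VPN) does not contain."""
    ref_refs, ref_inline = collect(reference_html)
    obs_refs, obs_inline = collect(observed_html)
    return {"added_refs": sorted(obs_refs - ref_refs),
            "extra_inline_scripts": max(0, obs_inline - ref_inline)}

# Constructed sample: the page as served directly, and as returned through a
# proxy that appended an ad loader and a banner frame before </body>.
REFERENCE = ('<html><head><script src="https://cdn.example.com/app.js"></script></head>'
             '<body><img src="/logo.png"><p>Hello</p></body></html>')
OBSERVED = ('<html><head><script src="https://cdn.example.com/app.js"></script></head>'
            '<body><img src="/logo.png"><p>Hello</p><script>var _adq=[];</script>'
            '<script src="http://ads.hotel-wifi.invalid/inject.js"></script>'
            '<iframe src="http://ads.hotel-wifi.invalid/banner.html"></iframe></body></html>')
```

Comparing against a reference copy rather than a fixed allow-list keeps the check valid for pages whose own ad slots legitimately change between loads.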
I'm hoping we see a lot more SPDY (or plain https) rollouts in the near future.
It's enough that I'm going to try now to https-ify all of my web properties, including adding HTTP Strict Transport Security headers where they aren't.
(this is mostly because I'm too lazy to maintain separate site configurations for HTTPS and HTTP)
It's possible to MITM SSL, but it would throw all kinds of security warnings on the client and prevent this kind of tampering.
Note: I'd recommend SSH tunneling, or using a VPN, but there's quite a bit more work involved here, so for the install-and-forget crowd, SSL is already a huge improvement.
HTTPS Finder automatically detects and enforces valid HTTPS connections as you browse, as well as automating the rule creation process for HTTPS-Everywhere
Worked surprisingly well but I'm glad it never took off. I don't think I could have forgiven myself for being responsible for what would come of that.
Hotel chains usually have brand standards relating to internet access, so this particular install may be in violation. For example, I know the Hilton chain requires its (newer) hotels to use AT&T, so it's unlikely there's tampering from the ISP/provider standpoint (though MITM attacks are still possible so always use a VPN).
Even in higher-end hotels, you get a shoddy experience, and not just this ad injection. Weird login dialogs every few hours and restricting access to one device. Outrageous fees. Lack of transparency on bookings websites about availability and pricing. And once you're online, good luck trying to watch a video or getting any work done, the connection's often too slow to do anything but check a few emails.
I really hope AirBNB puts pressure on the hotels to get their act together. You stay in someone's house for $40 and you get a much better experience than a $200 hotel room. The whole situation is why I recently made the decision to use AirBNB instead of hotels whenever practical.
Being sneaky about it and hiding local ads in the banners of other websites is:
a) Rude, and
b) Unlikely to work, since I ignore those banner ads anyway. Even if I saw those ads, I'd be highly suspicious of it (in a "10 local girls are interested in talking to you!" sort of way).
Talk about an opportunity lost. Look at Starbucks' free wifi sign-on page. It's nice to look at. Do the same thing, and it's alright, put some ads on there. I don't mind.
Some of the comments on that article suggest running your own OpenVPN instance on Amazon EC2 or other VPS. If the EC2 suggestion works, it looks reasonably priced (at least as long as you don't use it all day every day).
If you are in the Bay Area you owe it to yourself to use Sonic.net, they really are one of the best ISPs (along with Web-Pass) in the US.
I have yet to see any for a while, but I guess it is more due to the lack of advertisers.