1. 19

There’s been discussions on lobste.rs in the past about whether https-everywhere is really necessary. While I’m sure not everyone will agree that apparently-widespread ad injection via http really changes anything, it’s a way an MITM can be intrusive that hasn’t gotten a lot of attention in the past, as far as I can recall.

  2. 13

    AT&T now claims that what was blogged about was an experiment that has ended:

    “We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended,” AT&T told Re/code in a statement. “The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”

    They did not elaborate on how XSS injection and proxying URLs that appear to be on a remote server to add advertising would improve safety, security, or speed.

    1. 3

      Obviously their ads come with included data-gathering and analysis mechanisms for the improvement of speed and virus checkers for the improvement of safety and security.

    2. 10

      Controversial viewpoint: content (ad) injection is the “worse” problem, not surveillance. At least for the majority of sites that are still http at this time.

      I don’t think the NSA cares which pages of ESPN I visit. I don’t care if the NSA does care. But ESPN probably cares that some asshat is polluting their page and damaging their reputation. I care as well, to the extent I may misjudge which sites I want to visit or not.

      1. 6

        I think a big part of the difference is when the costs are paid and recognized.

        With ad injection, we immediately have slower pages with distracting garbage on them. There’s also possible future security cost because now every page is dependent on the security of the injector and ad services.

        With surveillance, we generally have no idea it’s happening and nothing negative at all happens to us (assuming we do not live in a country targeted by the U.S. military). There’s a huge potential for future abuse on a scale and scope the Stasi and KGB could only dream of, but that’s a possible future cost.

        So even though both topics come up when we talk about upgrading protocol to use end-to-end encryption, we’ve really only experienced the cost of ad injection. The potential negatives of surveillance far outweigh it, but right now they’re still only potential. (Though maybe we’ll learn in a few decades that we’ve been paying the costs, and what they were.) It’s really easy to fall into arguing the merits of each without realizing the different stakes and their evaluation.

        1. 1

          I’ve been wondering for a bit if no privacy brinkmanship is the right way to go. People seem to accept the dystopian future Stasi as inevitable. And that’s why we need encrypted email, etc. but I’m not sure future Stasi are going to care if they can read your email or not. Somebody is going to want your parking spot, they’re going to report you, and away you go. “But my email was encrypted, there’s no way you could read it” will probably not save you.

          I think privacy advocates will discover too late that the problem with a privacy invading authoritarian state is not the “privacy invading”. Perhaps if we eliminate privacy, people will be more motivated to prevent the rise of the evil emperor. Just a thought.

          1. 1

            I’m not sure we actually have a lot of choice in either part of that - increasing authoritarianism, or apathy towards it.

            Um, I notice the self-reference there, though, and would love to be convinced otherwise.

        2. 3

          That’s reasonable. I mean, with regard to the privacy concern, I like to bring up the WebMD example, but it’s not the NSA that I’d be worried about; it’s family members. I’m hopeful that this doesn’t exist today, but I’m certainly also concerned about access-point providers capturing and reselling browsing history. Not even only for corporate purchasers; there are plenty of private parties who would pay to get the records of someone they dislike.

          Which problem is worse depends on your threat model. :) But ad injection is serious and bad, and I don’t mean to downplay it!

          1. 2

            > Controversial viewpoint: content (ad) injection is the “worse” problem, not surveillance. At least for the majority of sites that are still http at this time.
            >
            > I don’t think the NSA cares which pages of ESPN I visit. I don’t care if the NSA does care. But ESPN probably cares that some asshat is polluting their page and damaging their reputation. I care as well, to the extent I may misjudge which sites I want to visit or not.

            By surveillance are you including the possibility of malicious content injection outside of just ads? Plain HTTP leaves you vulnerable to multiple third parties, not just the big bad NSA (who also abuse it).

            1. 1

              Malware injection is a problem, but malware remains a problem with https. Watering hole attacks, etc.