NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] [ PRIVACY ] Would You Know if Your ISP Tampered With Your Web Pages? 


   [ Some specific technical suggestions in response to the message below
     are already arriving -- I will forward them as appropriate to
     this list after receiving redistribution permission from their
     authors.
                  -- Lauren Weinstein
                     NNSquad Moderator ]



------- Forwarded Message


To: privacy-list@vortex.com
Date: Sun, 06 Jan 2008 17:47:29 -0800
From: privacy@vortex.com
Subject: [ PRIVACY Forum ] Would You Know if Your ISP Tampered With Your Web
	Pages?


          Would You Know if Your ISP Tampered With Your Web Pages?

                http://lauren.vortex.com/archive/000351.html


Greetings.  Would you even know if an ISP spied on or tampered with
your Web communications?

While encryption is the obvious and most reliable means available 
( http://lauren.vortex.com/archive/000338.html ) to avoid unwanted
surveillance or intrusions into the data streams between Web
services and their users, it's also clear that pervasive encryption
will not be achieved overnight.

In the meantime, we see ISPs apparently moving at full speed toward
various data inspection and content modification regimes, and laws
to protect Web services and their users from inappropriate or
unacceptable ISP actions are being fought tooth and nail by ISPs and
their corporate parents.

Some announced concepts, like AT&T's alarming plans to "monitor"
Internet communications to find "pirated" content, appear most akin
to wiretapping in the telephone realm (would people accept the
monitoring of all phone calls in search of any illegal activity?
Even given the current telcos/NSA controversies, I would tend to
doubt that this would be widely applauded).

Others, like Comcast's unacceptable disruption of P2P traffic,
appear to partly be extremely aggressive "traffic management" and
partly outright packet forgery in the furtherance of interfering
with communications.

And of course, we still have the ongoing Rogers saga 
( http://lauren.vortex.com/archive/000337.html ), where direct
modification of data streams to insert ISP-generated
messages or, as suggested by a related hardware vendor, advertising
( http://www.perftech.com ), is the order of the day.

Encryption is the only sure approach to deal with the potential for
ISP (or other) surveillance on Internet connections, and even
encryption will permit a significant degree of traffic analysis in
the absence of anonymized proxy architectures.

But in the case of ISP tampering with data streams, is there
anything we can do for now -- short of the goal of full-page
encryption -- to inform users that their Web communications are
being adulterated?  Can a Web service be sure that their users are
able to see the actual Web pages that are being transmitted --
unmodified by ISPs?  Can this be accomplished with the highly
desirable attribute of not requiring major server-side modifications
to the Web pages themselves?

There are a number of non-trivial issues to consider.  First, a Web
page, as we all know, is frequently composed of many disparate
elements, often hosted by a variety of completely different servers
under the control of multiple entities.  How can we define "a Web
page" in a way that takes all of these elements and data sources
into account, especially when each user may see not only differing
primary text and images, but totally different ads?

Would the amount of real-time data coordination necessary to create
and communicate such a single-user page "validation snapshot" be
practical, or useful in a relative sense given the amount of work
that would be required?

Assuming that we can create such a snapshot, a secure mechanism to
immediately transmit this validation data to the user's Web browser
would then be necessary, bringing back into the mix the probable
need for some encrypted data, albeit of a very small amount as
compared with fully encrypted Web pages. 

The last step in the validation process would be for the user's Web
browser (or a suitable plugin) to alert the viewer in the case of
suspected data tampering, along with providing necessary details
that would be useful in logging and/or reporting the incident.

I won't get into technical details here on approaches to the
nitty-gritty aspects of this concept.  I have some ideas on
implementation techniques, though I'd much rather see a rapid move
toward full encryption.

However, I would certainly be interested in your thoughts regarding
this concept of Web page validation and whether or not it might have
a useful role to play, particularly to help gather evidence that
might be useful in the ongoing network neutrality debates.  

Thanks as always.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org 
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren 
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org 
Co-Founder, NNSquad 
   - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com 
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com 


------- End of Forwarded Message