Canadian ISP Eastlink Injects Piracy Notifications into HTML

Submitted by co60ca on Wed, 06/29/2016 - 14:19

HTTPS is important for a lot of reasons, first of all it prevents snooping in on your browsing allowing for privacy between you and the destination. Another thing it prevents is the potential for people to modify content before it gets to you. The biggest case for this was seen with the recent attack on github.com by The great firewall of china. The aforementioned link was a serious problem that could have been mitigated by the use of HTTPS.

This evening I was having some issues with internet connectivity with my ISP, and after restarting my set of routers (dd-wrt.com), I managed to rule out that the problem lied with any of my hardware I attempted to take my frustration on twitter to @Eastlink. While looking at their page, mostly to see if anyone else was having problems I noticed the twitter user @kevindwood posted a screenshot of an advisory that he received in his browser that he had been engaged in piracy with bittorrent. I will not debate piracy in this post as I have debated for both sides and know of the many arguments for both sides.

Image removed.

The only way they could have gotten this into his browser is through injecting content directly into the html. As you can see, the user believes that Eastlink has in fact hacked him, which while not necessarily the normal understanding of hacking, actually does check some of the boxes for what hacking is: using a computer to gain unauthorized access to data in a system. I would actually say that it violates the Canadian Criminal Code Section 430.1.1.a

Mischief in relation to computer data (1.1) Everyone commits mischief who wilfully (a) destroys or alters computer data;

This only speaks to that HTTPS is extremely important due to it's prevention from external spying and modification. You will never get such a message from any ISP on this site because we have modern encryption methods in place. In order for an ISP to inject content into my HTML they would have to be able to decrypt the symmetric key used to encrypt the content before the request timed out. Which is impossible if not extremely difficult. Some other method of MiTM or impersonation could also allow them to alter content and spy on transmission. Surely however you may get the message next time you go to a non HTTPS site. However on a HTTPS enabled site, due to the means of HTTPS transmission you can be assured that the content arrives as it was sent from the servers.

Many ISP's in the USA have been known to insert ads in their customers browsers. Examples can be seen here: How banner ad for H&R Block appeared on apple.com. Currently the two best ways to resolve this issue is for all major websites to enable TLS on their servers allowing for HTTPS transmission. Then redirect anyone from the http site to the https site. Or use a VPN, which will only prevent your ISP from spying on you, not the VPN, or anyone routing from the VPN.

What I can see happening in the future is Eastlink starting to the same thing with their ads considering they can inject notices in other sites. Snooping in on your customers transmissions is NOT ETHICAL. A more ethical way for them to report piracy infractions (as they mentioned is required by Canadian law, image below) would be to send the customer and email, call them or use regular mail, which has been the defacto standard way of doing these things for years.

Image removed.

Additionally if you haven't done so yet, and are using either Chrome/Chromium or Firefox please check out the HTTPS Everywhere project by the EFF. It uses a whitelist of HTTPS enabled websites to always direct you the HTTPS site if possible. It isn't needed on co60.ca since all HTTP requests are redirected to the HTTPS version. You can view more information about HTTPS Everywhere here:https://www.eff.org/https-everywhere

As a final note, the situation unfortunately would not be able to be resolved by using HTTPS on that site as the site does not support HTTPS. I have however, attempted to reach out to the owner of the site with this story and maybe they will rethink their position.