51 comments

[ 0.22 ms ] story [ 83.1 ms ] thread
Wow that’s a great discovery. Telkom is a major service provider, and I use them! Any other way to prevent this?
Says right at the bottom

Pro-Tip: their injection can only work on HTTP and not HTTPS so there is some relief from this inconvenient and dangerous code injection. Installing the HTTPS Everywhere plugin will help mitigate the injection and is a recommended plugin to run regardless. Alternatively install the Tor browser.

Telkom has been injecting kak [0] into pages for _years_ [1], [2]. A former employee of theirs told me that at one stage they were replacing ad content with their own adverts - I would dismiss this as hearsay had I not seen it myself.

[0] South Africanism for 'shit'

[1] https://mybroadband.co.za/vb/showthread.php/704472-Telkom-In...

[2] https://www.sadev.co.za/content/telkom-using-man-middle-atta...

Telkom (and also Eskom) are beyond kak. We desperately need telecoms/electricity to be privatised.
A privatized monopoly, will try to extract profit, as we saw with the SBC management of Telkom from 1997-2007 when there was very little innovation and high prices here.
I meant privatised in order to remove the state ownership and encourage competition in the sector.
Off topic re: kak. I don't know where exactly it came from, but it's also a word in New Zealand English (and possibly other dialects). If I told someone I kacked my pants, they'd understand that I shat myself. It's not super common, but it's understood.

I wonder if maybe it's because there's a lot of South African expats in New Zealand.

Probably related to "caca" which usually means something related to fecal matter in Romance languages.
And Tamil which is not a Romance language.
Since Tamil has borrowed more Dutch words (and uses at least one from Tamil, being katamaran), I expect your kak to come from the dutch kak, as kak always rolls down hill.
Latin: cacare (to shit)

German: Kacke (the ck as usual indicates that this word may only be used with the voice raised beyond 85 dB and with at least 5 % spit by volume mixed into the air-stream).

'kak' means 'shit' in Dutch as well. South African is quite similar to Dutch for colonial reasons.
It had a brief moment in the limelight of UK student lexicon during the 1990s due to the TV sketch series "The Mary Whitehouse Experience".

20 years later when studying South African history I was able to subconsciously translate that one word. Die Mann praat kakk!

(comment deleted)
> A former employee of theirs told me that at one stage they were replacing ad content with their own adverts

This was afaik the main reason, why YouTube went HTTPS-only very early compared to the rest of the internet. Some ISPs exchanged the video ads of YouTube with their own and lowered the resolution of videos to save bandwidth. YouTube's customers were very dissatisfied because it constantly broke and the video quality was very bad and thus HTTPS came to the rescue.

Telkom is not just "an ISP", it's formerly The Telephone Company, the state-owned monopoly.

So more like "British Telecom" or "AT&T"

TL;DR Telkom does HTML injection on all unencrypted traffic of its customers, whereas the author of the linked blog uses #444444 text color on #000000 background (which gives contrast ratio 2.2 on http://leaverou.github.io/contrast-ratio/). I call it almost a draw ;)

Sorry I had to be that guy. Please improve contrast on your blog.

And those horizontal scanlines on all images really bother my eyes.
Don't be sorry - you're right. If you want people to read your stuff make it readable. I got more from your TL;DR than the horrible blog design which I didn't last more than a second on.
I had to go back and look at it with reader mode turned off. Since iOS 11, I’ve had reader mode turned on by default on my iPhone and iPad.
How did this get on the home page?

Bigger companies also do that, Vodafone was compressing all images that went through their 3G service, and a ton of ISP inject / redirect HTTP traffic to tell you to pay the bills

Time warner was doing something similar
What gets on the homepage is up to the community. Just because you know it does not mean everyone else does or is not interested in it.
It's been know for years that they run transparent proxies.

And while this isn't great this is a bit overplayed. They're more the kind of company that does something incompetently than one that does stuff maliciously.

When you're dealing with a person, you can apply the saying "never ascribe to malice that which can be explained by incompetence". However, when you're dealing with a large organization or other group of people, it doesn't matter whether the act was originally driven by malice or incompetence, someone in the organization is going to exploit it with malicious intent.
Comcast does this too for letting you know you’re connected to Comcast’s network and if you go over your data limit. Pretty terrible.
This is also the case in Namibia. Telecom Namibia is also running a transparent proxy. If you ever make an HTTP request followed by an invalid HTTP request over an un-encrypted connection the invalid request (Say GET / HTTP/NKD instead of GET / HTTP/1.1) will get filtered before reaching my server.

I have however as of yet not seen them injecting JS or other content into HTTP pages.

It's worth mentioning that MTC Namibia (A mobile provider) does not do this.
IMHO those who say "just use HTTPS/some other encryption" are missing the point --- I should be able to send whatever bytes I want through the network, and have them arrive at their destination verbatim. If it's a custom protocol that just happens to look like HTML, the injected data would break things. That's what an Internet connection used to mean, but sadly that seems to be an increasingly rare condition. In fact, I'm curious how many "pure ISPs" are around, not just in South Africa but anywhere else --- one of the workarounds is to use a VPN or other tunneling like TOR, but that relies on the exit node having a "pure" connection to the Internet.

At least make it an option.

(I don't know if it's just me, but I found the tone of the article a little alarmist, starting with "hacks" in the title. Then again, a lot of security researchers seem to write like that.)

I’ve thought about it and I think encryption/https is the best solution. When you send your data off, you unfortunately don’t know or control who is going to look at it. Encryption works though, no matter if you don’t even trust your ISP/government/whoever
> I should be able to send whatever bytes I want through the network, and have them arrive at their destination verbatim.

It's copyright violation to modify copyrighted content before delivery without permission, especially when it's commercial content (ads) that is being injected. Maybe lawsuits could stop it.

Other examples from the US:

https://www.infoworld.com/article/2925839/net-neutrality/cod...

https://techcrunch.com/2012/04/06/now-you-know-hotels-inject...

It's copyright violation to modify copyrighted content before delivery without permission, especially when it's commercial content (ads) that is being injected.

Ironically, a similar argument is being used against adblockers, the other "benevolent MITM" application for modifying content: https://news.ycombinator.com/item?id=14978228 https://news.ycombinator.com/item?id=14990137

In other words, if those lawsuits succeed, they could set an unfortunate precedent against even personal "modification of content".

Can't "user-consent" be a simple solution for this? I give consent to a HTTP-adblock-proxy to modify HTTP in transit.
An ad blocker does not modify copyrighted content before delivery. The legal precedent set by when Nintendo tried to sue Game Genie made it pretty clear that you can use tools to modify content you already have in your possession, particularly if those modifications are in memory only and never create a modified copy on disk. Meanwhile, those two links are to something entirely unrelated: an attempt to use the DMCA to remove someone's domain name from a file (which isn't even a copyright issue, and so I have not heard anyone think that was remotely legitimate).
An adblocker is more like taking a marker and crossing out the ads in your own personal copy of a magazine with the marker. Modification for personal use is not copyright violation.

If I publish a website -- telling the users that we do not bother them with ads -- and another company then injects ads into that page, it not only violates the copyright, but it causes damage to my website's reputation, because most users aren't knowledgeable enough about the Web to understand that the ads are not put there by the publisher. It's probably even worse for websites that allow members to pay to have ads removed.

Don’t trust the network. Don’t trust the network.

There are no guarantees on the internet that your packets will arrive intact and in order. That’s why we have tcp. What the ISP is doing may be sleazy, but it’s not violating some principle of computing.

There's a difference between accidental reordering/dropping/corruption of packets, and malicious interference by middleboxes. The TCP mechanisms can deal with the former, but the latter can fake all the necessary sequence numbers and checksums.