Stop ad injections with HTTPS connections or a VPN

You already knew that secure web connections prevent snooping by criminals and others on points between you and a server. But they also keep networks from injecting advertising.

thinkstockphotos airport wifi
Credit: Thinkstock/Maria Dubova

AT&T got caught with its hands in the proverbial cookie jar. It was testing injecting advertising at one of its airport Wi-Fi hotspot locations, and one of the nation’s leading privacy advocates with expert technical proficiency was passing through. Jonathan Mayer wrote up his experience on Tuesday; AT&T said on Wednesday it was an “experiment” it’s already discontinued.

Mayer’s curiosity was piqued when sites that feature no advertising (academic and government) and that already had some advertising sported more, including a banner stretched across the bottom, and pop-up ads that couldn’t be dismissed before a period of time had passed.

AT&T was injecting JavaScript into webpages, intercepting them and rewriting them on the fly, using a third-party ad network’s code to deliver the overlaid ads. In a statement provided by a spokesperson, AT&T said:

Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.

It should never have begun.

Tinkering with what we see

There are all sorts of things wrong with what AT&T did.

  • Disclosure. From what I can tell, there was no overt disclosure or opt-in process to accept that using free Wi-Fi would allow them to intercept your pages. AT&T doesn’t mention it in their statement, and it wasn’t in the privacy disclosure.

  • Risk. Injecting JavaScript into a webpage dramatically enhances the risk of responsible users being the victims of either a hacked third-party server about which they know nothing or criminals who manage to get their malware ads inserted into ad networks and distributed. Yahoo’s ad network was subverted to this end just a few weeks ago.

  • Trust. A multi-billion-dollar company shouldn’t be engaged in pushing privacy and integrity envelopes around the edges in the interests of collecting a few dollars. Even with millions of annual users of Wi-Fi networks, these kinds of ads can’t produce much revenue on the scale of the cost of operating them and the benefit AT&T accrues from its branding.

  • Content disruption. The sites over which ads were placed might have a basis on which to lodge civil or even criminal complaints, or report the behavior to federal agencies, as the ads appear to be served by the sites in question, rather than by a third-party network. Not being able to control what appears on a site is a significant breach in responsibility, liability or otherwise. (Mayer’s post gets into details there with a number of links to read more, as well.)

This just helps push users into safer surfing habits, an outcome I support. To inject advertising into a webpage as it loads, that page has to be unencrypted, and the network has to be allowed to load on a given device. AT&T isn’t the only company to ever test this; others regularly engage in lighter-weight versions, or simply scan what you’re doing to market at you more effectively.

Secure browsing

In a post-Snowden era, a phrase I often have to write, the world is shifting to always-encrypted connections in almost every medium. Email was a natural, and while it took too long, it’s nearly impossible to set up an email connection on a modern mobile device or in a modern desktop OS email client and not engage encryption for sending and receiving.

The web has lagged, because a larger percentage of users visit a more diverse set of sites than email users relative to email hosts. Many web hosting sites have treated https encryption, which uses the SSL/TLS protocols, as an upgrade at an extra fee. It involves slightly more overhead, but vastly less than a few years ago. That will change, too.

https everywhere

HTTPS Everywhere provides Chrome, Firefox, and Opera users with controls to ensure a secure connection whenever possible.

Efforts by the Electronic Frontier Foundation (EFF) have lead to the HTTPS Everywhere plugin (co-developed by the Tor Project), which can be used with Firefox, Chrome, and Opera with desktop browsers, and Firefox for Android. The extension preferentially connects to the encrypted version of any site it’s aware of. I’ve used it for years.

At a more fundamental level of the web, server administrators can configure their systems to only feed out over https, or to signal that they have an https version of the site available. (It’s called HSTS, and all browsers currently in wide use support it.) Browsers are rapidly moving to pick those secured versions first. Many sites are shifting to https-only, and the EFF has another project that will assist in reducing complexity and cost for smaller sites, called Let’s Encrypt.

You can also opt to use a virtual private network (VPN) connection, which puts an encrypted wrapper around all your traffic. It’s generally advisable as a way to prevent any local network sniffing, whether at a café or airport, and it prevents code injection for advertising or for malware. I wrote up a couple of VPN services with Mac and iOS clients recently; there are dozens available.

And when iOS 9 rolls out with Content Blocking Filter Extensions, which El Capitan will include as well, blocking ad networks that are designed for injection will be a breeze: you will probably install and permanently leave switched on any content blocker designed strictly for privacy and reducing intrusion, even if you don’t block all ad networks.

One could look at AT&T’s misstep as the last effective time such an injection of code by an ostensible “white hat” firm is possible. Between the increasing, default amount of secure web connections and the rise of privacy-enhancing, ad-blocking technology, only a sliver of users in the near future would be able to have their sessions hijacked and rewritten in such a way.

(Disclosure: I hold a very tiny number of shares from employment at JiWire, which no longer operates under that name, which at one time ran an advertising network that in part delivered opt-in ads to airport customers in exchange for granting them free Wi-Fi access.)


Subscribe to the Best of Macworld Newsletter