Vodafone Portugal absolutely does MITM your internet connection. I've seen it myself.
I was in Portugal last summer, and my family had a Vodafone 3G wifi hotspot. I noticed that on every single non-https webpage, Vodafone was inserting a banner with a huge load of JS, as part of their "Vodafone Secure Net" "feature"(https://securenet.vodafone.com/). They inserted their own code on every request to make sure that they could display a banner telling you whether or not a website was "trustworthy".
I managed to figure out the complicated steps to do on their systems to turn this "feature" off, but between that and some other bad experiences I've had with them I still don't trust them in the least.
By Kronopath 8 years ago
Injecting JavaScript into someone's pages for "security" sounds like one of the very worst ways to go about improving security. I'm surprised I haven't heard of that injection being hacked to do very bad things yet.
By Natsu 8 years ago
If you can MITM the connection, you can just do it server-side, which is far more insidious. This was done in the UK + Brazil a few years back -- some ISPs (including British Telecom) trialled it without even telling affected customers that they were being snooped on!
They charge something like 1.10 per month for this ‘security check’. So it seems mainly a revenue motivated thing. Very persistent as well; they tend to turn it on after every contract period.
By Gys 8 years ago
I have the same in the UK
By ptype 8 years ago
Same in Spain also.
By dazc 8 years ago
Time and again telecoms continue to pull these types of shenanigans. If you are building a website in 2018 using https with hsts enabled is a must.
By pg_bot 8 years ago
That, and there is little excuse not to set apache2 or nginx to only allow tls1.2 with the best choices in crypto options. The population of client browsers that are so old they don't do 1.2 is extremely tiny.
I was going to argue with you, but stats do indeed seem to back this up (I hadn't looked at them in at least a year or two). The gains for chrome are insane, and there is clearly a harsh decline for IE. I suppose this is probably why PCI-DSS felt it appropriate to push hard into deprecating TLS1.0 and TLS1.1 (without negatively affecting users too harshly).
By spydum 8 years ago
Yeah, pretty much any browser that was newly installed or updated from late 2012 onwards has tls1.2 support. The population of browsers older than that is <1% at present.
By walrus01 8 years ago
Just another normal day in the shitty telco industry.
By Rjevski 8 years ago
You care about some simple headers, because that's what you "see", but Vodafone is much worse
Vodafone needs to stop meddling with their clients' connection. Their ridiculous "safe browsing" scam costs you $5 a moth for the privilege of only being allowed to use port 80.
To top it all off they also block all SMS access to twitter and instagram. Hope someone takes them to court ASAP
By genericacct 8 years ago
It's a bit odd to set CSP headers but not TLS.
By vbernat 8 years ago
Vodafone is nudging the users to turn on https.
By kreetx 8 years ago
Is there any evidence for this (e.g. response headers from a site using cURL on and off Vodafone's network)?
By lol768 8 years ago
> Hello Jojo. Vodafone’s content control platform does not monitor or log your internet traffic, but as part of Vodafone’s commitment to ensuring your safety on the internet, we can monitor websites and domains that contain offensive content. [0]
Ignoring the corporate speak, they admit they do for censorship reasons.
"We don't monitor or log your internet traffic, except when we do", how can they say that with a straight face?
By p1necone 8 years ago
Probably because it technically isn't false. They say their "content control platform" can't monitor or log internet traffic but they don't say they don't have a system that does do the logging.
By jetti 8 years ago
And who is the arbiter of what is considered 'offensive' and what isn't? The government?
By stryk 8 years ago
The shareholders.
By TeMPOraL 8 years ago
How so?
By stryk 8 years ago
I would also like to know what script they're injecting from vodafone.pt
By jannes 8 years ago
Presumably some shit to either rewrite img tags to compress them, or to look to see if there's any "offensive" material on the visited page, or to display account-related notifications like running out of data etc.
By Rjevski 8 years ago
devil's advocate: what's the issue here? while it's obviously better if they didn't do any MITM at all, I don't see what they're doing is worse (in terms of security) than your run of the mill MITM. it only works for http sites, so presumably there's nothing (too) sensitive on those pages. however, even if there was sensitive stuff, it's whitelisting jquery and vodaphone, neither of which contains any exploitable code. if you're doing some sort of xss, you'd still need to get some sort of initial code execution.
By gruez 8 years ago
"Your run of the mill MITM" is no MITM at all, in my experience. When I connect to the internet at coffee shops and airports and even my employer with a Blue Coat MITM device and a root cert installed everywhere, HTTP is generally not tampered with at all, even though it easily could be tampered with. A small percentage of the time, some sites are blocked entirely; there's a static page with no JavaScript replacing the site. A few years ago my cell phone provider re-compressed images but made no semantic changes / introduced no attack surface from a third party. Tampering every page as standard behavior is definitely worse than what I expect. What is your expectation of "run of the mill MITM"?
Furthermore, MITM is either in exchange for something of value and therefore desired by the user (regulatory compliance at work, perhaps free wifi at coffee shops, perhaps better performance for older cellular networks), or it is an attack. The existence of MITM in general is not normal. Why should Vodafone be MITMing at all? Why is "as attacks go, I've seen worse" a defense?
By geofft 8 years ago
any tampering of content by ISP makes it more difficult to spot really hostile MitM / webinjects tampering.
then there's net neutrality.
By philprx 8 years ago
>any tampering of content by ISP makes it more difficult to spot really hostile MitM / webinjects tampering.
I wasn't arguing for MITM, I was arguing that it's not any worse than your run of the mill MITM
By gruez 8 years ago
MITM is generally considered to be a mode of compromise, so that's sort of like saying, well, it's not really any worse than being shot in the head. It might be true on some level, but it's hardly any consolation.
By Natsu 8 years ago
I don't think anyone is arguing this is particularly worse than any other MITM performed by ISPs against their users.
By Kronopath 8 years ago
By Natsu 8 years ago
By Torn 8 years ago
By Arnt 8 years ago
By Gys 8 years ago
By ptype 8 years ago
By dazc 8 years ago
By pg_bot 8 years ago
By walrus01 8 years ago
By spydum 8 years ago
By walrus01 8 years ago
By Rjevski 8 years ago
By akerro 8 years ago
By genericacct 8 years ago
By vbernat 8 years ago
By kreetx 8 years ago
By lol768 8 years ago
By shakna 8 years ago
By p1necone 8 years ago
By jetti 8 years ago
By stryk 8 years ago
By TeMPOraL 8 years ago
By stryk 8 years ago
By jannes 8 years ago
By Rjevski 8 years ago
By gruez 8 years ago
By geofft 8 years ago
By philprx 8 years ago
By gruez 8 years ago
By Natsu 8 years ago
By f2n 8 years ago