[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: State of Gopher and TLS?

On Wed, Oct 26, 2022 at 12:35 PM Mateusz Viste <mateusz@viste.fr> wrote:
> On 26/10/2022 18:26, Sean Conner wrote:
> >   A benefit of TLS is that it prevents an ISP from modifying the document as
> > it's being delivered.  There are ISPs out there that will modify HTML pages,
> > usually to insert their own advertising, on pages served over http:.
> I find it hard to believe that such thing actually happen on any
> significant scale. Aren't you rather thinking of hosters in lieu of
> ISPs? Hosters (esp. the free ones) do have the tendency to include ads
> in user content, but TLS is irrelevant here since they simply modify the
> files that are stored on their own disks. No need for any protocol-level
> interaction.

Believe it or not, it does happen. I've personally encountered it on Greyhound
buses (as of a few years ago), and also an airport though I forget which one.
I've also seen evidence of this in error logs for my sites (though it can be
hard to distinguish from toolbars/extensions that fiddle with the page in-
browser). It seems to usually manifest as a <script> tag appended to the HTML
response which tries to display a popup ad, usually stuck to the bottom edge of
the window. I've also heard that Comcast does or did something along these
lines to display usage alerts, shoving them into random webpages as you browse.

> But even assuming that what you say is true: TLS would be of no big
> help, because it would be fairly easy for such ISP to set up a TLS proxy
> to perform any kind of MITM business (yes, with a different CA having
> signed the x509 cert being presented - but who looks at that?).

This would require the ISP to either:
- Have a trusted root cert and use it to misissue certificates, which would
  be a pretty big breach of the CA/B requirements and get the cert yanked
  quite quickly,
- Get the users to add a custom cert to their root trust store, which is not
  uncommon in managed environments but would be a non-starter when dealing
  with random users for purely practical reasons (your helpdesk would be
  flooded with people who struggle with finding "the internet icon", much less
  dealing with certificate stores), or
- Display a big warning message whenever the user tries to do just about
  anything, and completely break apps that do certificate pinning.

That is: trying to do TLS interception would make an ISP appear obviously
broken, as opposed to the merely subtle breakage that they cause when
intercepting cleartext protocols.

Though, as Sean says, I'm not sure how important this is for Gopher: it's a
small hobbyist effort, fairly unlikely to be an interesting target, and
hopefully nobody is doing anything *that* important over it. (But it's the
reason I set up HTTPS for all of my websites, no matter how uninteresting:
I put hard work into that HTML, and I don't want it mucked about with by some
bigwig at an ISP who gets a couple of extra cents and doesn't care how much
the ads they inject annoy my readers in the process.)

Reply to: