In 2012 HTTPS was only common on websites that actually processed sensitive information like online shops and banks. Most websites/BBs (even with logins) didn't use HTTPS as it required you to buy a certificate. Let's Encrypt was not around back then.
I am surprised the person was surprised. I was using a lot of coffee shop WiFi in the 2010s and earlier, and random injection was fairly common. Sometimes generic ads, sometimes timers ("You get free wifi for 1 hour, you have 42 minutes remaining"), sometimes ads for the coffee shop itself.
I can't fathom this addiction to VPNs for "security". Nowadays almost every website uses HTTPS and browsers block HTTP downgrades most of the time. Yes, VPNs are still useful for the occasional HTTP website; however, most people will use some form of free VPN that could totally do the same thing.
I've long wondered if there was a place for an httpv mode, where traffic is signed but not encrypted. This would allow local caching or torrent-like distributed fetching but not modification.
kube-system | 1 year ago
> What bugs me about their response is that the device required to do this type of on-the-fly JavaScript injection of HTML is both rare and expensive. It requires specialized hardware (like the RG Nets’ RXG-A8) starting at a cost of $10,000. In other words, this hardware was procured precisely for the purpose of perpetrating this kind of attack. If Courtyard/Marriott/Hotel Internet Services didn’t want that feature, then they probably could have requisitioned cheaper, less specialized, and more robust networking hardware.
It looks like the device is a router and gateway for institutional networks, with features like captive portal, registration integration, etc. It isn't a dedicated JS injection device. While you can do that stuff on the cheap, $10k isn't unreasonable for networking gear with more special use cases. The contractor likely just flipped that option on to make a few extra bucks.
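The practical way to find out whether a gateway is doing this kind of injection is to fetch the same page over the untrusted network and over a trusted channel (or against a saved copy) and diff the script elements. The script below does that diff; it is an added example, not code from the thread or from any vendor mentioned in it, and the sample HTML, the `gateway.invalid` hostname and the `/inject.js` path are constructed placeholders.

```python
"""Compare the <script> elements of a page as observed on an untrusted
network against a reference copy of the same page, and report the ones
that were added in transit. The sample HTML below is constructed for this
example; the gateway hostname and script path in it are placeholders."""
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script bodies through handle_data (CDATA mode),
        # possibly in several chunks, so accumulate them.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_key(script):
    """Identity of a script: its src, or its whitespace-normalised inline body."""
    if script["src"]:
        return ("src", script["src"])
    return ("inline", " ".join(script["body"].split()))


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed page but absent from the reference."""
    known = {script_key(s) for s in collect_scripts(reference_html)}
    return [s for s in collect_scripts(observed_html) if script_key(s) not in known]


# Constructed sample: the page as served by the origin (e.g. fetched over HTTPS)...
REFERENCE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.config = {"theme": "light"};</script>
</head><body><p>Welcome</p></body></html>"""

# ...and the same page as seen through an injecting gateway (constructed; the
# gateway.invalid host and the timer text are placeholders).
OBSERVED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.config = {"theme": "light"};</script>
</head><body><p>Welcome</p>
<script src="http://gateway.invalid/inject.js"></script>
<script>setTimeout(function () { document.title = "Free Wi-Fi: 42 minutes remaining"; }, 60000);</script>
</body></html>"""


def report(reference_html=REFERENCE_HTML, observed_html=OBSERVED_HTML):
    """Return one human-readable line per injected script."""
    lines = []
    for s in injected_scripts(reference_html, observed_html):
        if s["src"]:
            lines.append(f"injected external script: {s['src']}")
        else:
            snippet = " ".join(s["body"].split())[:60]
            lines.append(f"injected inline script: {snippet}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Inline scripts are compared after whitespace normalisation so that a reformatted but otherwise identical origin script is not reported as injected; anything with a new `src` or new inline body is.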
gwbas1c | 1 year ago
I know this kind of stuff happens, and I don't want to waste time tracking it down and shaming people for doing it.
ctm92 | 1 year ago
theamk | 1 year ago
spacebanana7 | 1 year ago
Email supports HTML/CSS/JS and is sent over plaintext, so shouldn't the same kind of injection vulnerability exist?
labcomputer | 1 year ago
1. On today's internet, the sender's mail server almost always talks directly to the receiver's mail server anyway, both so that random intermediate servers don't see the message and (mostly) as a spam mitigation measure.
2. That MX-to-MX connection will usually happen over TLS, which is encrypted.
3. Almost always, the clients will connect to their respective mail servers over an encrypted connection.
So in practice that kind of injection isn't really feasible.
red_admiral | 1 year ago
vaylian | 1 year ago
No longer true.
darkhorn | 1 year ago
red_admiral | 1 year ago
Maybe even with some kind of certification authority scheme to prevent the RXG from spoofing the domain.
rmetzler | 1 year ago
They did some great work!
https://en.m.wikipedia.org/wiki/Let%27s_Encrypt
vzaliva | 1 year ago
P.S. I am always using a VPN on Hotel/Cafe WiFi.
sargun | 1 year ago
isaacfrond | 1 year ago
tuetuopay | 1 year ago
But yes, VPNs did solve this issue at the time of writing, and I even used one for quite a long time as my mobile carrier used to proxy all images through their own servers, as well as intercepting port 21. They stopped doing the former with the advent of HTTPS. To my knowledge they did not use this for nefarious purposes (they served downscaled images for lighter browsing at a time when 3G was frugal and websites were not yet optimized for mobile).
the_snooze | 1 year ago
cortesoft | 1 year ago
jraph | 1 year ago
Also this is our reminder that yes, HTTPS is worth it even for "It's just my blog, I have nothing to hide, why should I encrypt?"
kevincox | 1 year ago
The obvious downside is that the page contents are not private.
Chrome implemented something sort of like this with https://developer.chrome.com/blog/signed-exchanges. However this is very limited. It requires the linking site to cooperate. For example Google Search can link to a signed exchange rather than the original site. But this just moves traffic from the site's CDN to Google's. It also packages full bundles so shared resources need to be duplicated. Also any navigation inside that site will go to the origin and can't be cached.
Overall it seems like it probably isn't worth it. But I find it an interesting idea.
ramon156 | 1 year ago
dosinga | 1 year ago
vaylian | 1 year ago
> Surely we are past this bullshit now thanks to https being everywhere?
Plenty of hotels (and other places) misdirect your DNS queries so that your machine will connect to the hotel's captive portal where you need to accept the terms and conditions for using the wifi. This causes HTTPS connections to fail. Captive portals are a rather inelegant hack, but in most cases they achieve what they are designed to achieve.
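This is exactly why operating systems probe for captive portals over plain HTTP and treat a certificate failure on HTTPS as a separate signal. The script below, added here as an example rather than code from the thread, classifies a probe response as open internet, captive portal or blocked, and maps the TLS error a misdirected HTTPS connection produces. The probe URLs are the ones Android/ChromeOS (`generate_204`) and Apple devices (`hotspot-detect.html`) use for their own checks, with their expected replies as I know them; the sample responses and the `portal.hotel.invalid` hostname are constructed.

```python
"""Classify what an HTTP connectivity probe got back: the open internet, a
captive portal, or nothing usable. The probe URLs and expected replies are
those client operating systems use for their own connectivity checks; the
sample responses at the bottom are constructed for this example and the
portal hostname in them is a placeholder."""
import ssl
from urllib.parse import urlparse

# What each probe returns on an unrestricted network (as known at the time of writing).
PROBES = {
    "http://connectivitycheck.gstatic.com/generate_204": {"status": 204, "body_contains": ""},
    "http://captive.apple.com/hotspot-detect.html": {"status": 200, "body_contains": "Success"},
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_probe(url, status, headers, body):
    """Return (verdict, detail): verdict is 'open', 'captive_portal' or 'blocked'.

    Probes deliberately use plain HTTP: a portal that intercepts them can answer
    with a redirect or its own page, which is detectable, whereas an intercepted
    HTTPS probe only yields a certificate error (see classify_tls_failure).
    """
    expected = PROBES[url]
    hdrs = {k.lower(): v for k, v in headers.items()}

    if status in REDIRECT_STATUSES:
        # These endpoints never redirect on an open network, so a Location
        # hand-off means something in the path answered instead of them.
        return "captive_portal", hdrs.get("location", "")
    if status == expected["status"] and expected["body_contains"] in body:
        return "open", ""
    if status == 0 or status >= 500:
        # No response at all, or an error from something in the path.
        return "blocked", ""
    # Anything else (typically a 200 carrying a login page instead of the
    # expected body) means the probe server was impersonated.
    return "captive_portal", ""


def classify_tls_failure(exc):
    """Map the exception from an HTTPS connection attempt to a verdict.

    A portal that answers DNS with its own address terminates TLS with a
    certificate for the wrong name, so verification fails before any redirect
    can be seen: that is the HTTPS failure the comment above describes.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "intercepted"  # wrong certificate: portal or other middlebox
    if isinstance(exc, OSError):  # connection refused, reset, timeout, ...
        return "blocked"
    return "unknown"


# Constructed sample responses as (url, status, headers, body) tuples.
GSTATIC = "http://connectivitycheck.gstatic.com/generate_204"
APPLE = "http://captive.apple.com/hotspot-detect.html"
SAMPLES = {
    "unrestricted": (GSTATIC, 204, {}, ""),
    "portal_redirect": (GSTATIC, 302,
                        {"Location": "http://portal.hotel.invalid/login?url=http%3A%2F%2Fexample.com"}, ""),
    "portal_page": (APPLE, 200, {"Content-Type": "text/html"},
                    "<html><body>Accept the terms to use the hotel Wi-Fi</body></html>"),
    "apple_ok": (APPLE, 200, {"Content-Type": "text/html"},
                 "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "dead_link": (GSTATIC, 0, {}, ""),
}


def classify_samples():
    """Verdict for each constructed sample."""
    return {name: classify_probe(*sample) for name, sample in SAMPLES.items()}


def sample_tls_verdicts():
    """Verdicts for two constructed HTTPS failures."""
    return {
        "wrong_certificate": classify_tls_failure(ssl.SSLCertVerificationError("hostname mismatch")),
        "timeout": classify_tls_failure(TimeoutError()),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in classify_samples().items():
        print(f"{name}: {verdict} {detail}".rstrip())
    print(sample_tls_verdicts())
```

The redirect target is returned alongside the verdict because it is the one thing worth logging: it tells you which host is answering in the probe server's place. Note that the same DNS misdirection will make every HTTPS site fail with a certificate error until the portal has been accepted, which is why a certificate warning on a hotel network should be treated as "go find the portal", never as "click through".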
stuff4ben | 1 year ago
unknown | 1 year ago
[deleted]
paul7986 | 1 year ago
Anyone else sick of having your 4G/5G ATT, T-Mobile or Verizon service blocked when inside a hotel, a concert venue or even a small town (National Harbor DC .. a lot of businesses block your service), all so the business and/or businesses around you force you to use their Wi-Fi network, collect and make money off your data? How is that even legal??
My examples: in the Flamingo Hotel in Vegas you have to connect to their Wi-Fi while inside the hotel. Forget about trying to work remotely there and use your 5G mobile hotspot.
At the Kaseya Center in Miami ... at a recent concert there they had gates with ticket takers way out from the front of the door. You walk up to them and they say get your ticket ready, and you try, but nope, your ATT/T-Mobile/etc. service is blocked; you can only access your tickets by connecting to their Wi-Fi. My 5G worked fine until I got close to those non-ticket takers who prodded me to connect to the venue's Wi-Fi.
National Harbor (just outside of DC) .. inside the Gaylord hotel and more so inside Burger Fi and others close by, both my friend's Verizon and my ATT with full bars were blocked .. had to connect to their Wi-Fi.
Total B.S. and this stuff needs to be outlawed!!! I pay for service and if it's readily available (full bars) I better have access, or you're paying me for the time you are blocking me from using it.
LeoPanthera | 1 year ago
Can you prove this claim? It's literally illegal, and I don't believe it actually happens. There's a difference between active jamming and "our building is made of metal".
paul7986 | 1 year ago
Also, why, when walking right up to those gates at the Kaseya Center outside, and still outside getting right up to the gate to speak to the attendant, did my service with full bars suddenly not work?
It may be illegal, but what are the profits reaped vs. the potential fines?
I'm usually downvoted for things I say (I'm sure you don't care to read all my thoughts all over the years on HN) but a LOT of them come true ... most recently about how much I hated Cruise because they were startup bros trying to do the whole fake it before you make it with technology that can kill... fortunately it didn't kill anyone, just unfortunately mangled a pedestrian. Let's see in a year if places start getting fined for this B.S.!
awad | 1 year ago
bongodongobob | 1 year ago