Indonesian ISP injecting javascript to my browser

thsigit Member
edited December 2014 in Help

As I write this post, when I look at the source of this page (or any other page that is not using SSL), at the end of the page I find this code:

http://prntscr.com/5hsif7 (screenshot)

This script is inserted by my ISP provider (TelkomSpeedy) each time they find the </body> tag on the page.

A solution would be to use SSL (#1), but I have a number of sites that I built for me and my clients and this won't be cost-effective. Another solution would be using Universal SSL from CloudFlare, which is free (#2). A hackish solution would be to put <!-- before the </body> tag (#3).

I was going to send a ticket to my hosting provider, asking if they know what to do about this, and later decided that I won't take up resources on their ticketing system.

Some notes:

  1. Putting 127.0.0.1 into my computer's /etc/hosts for the suspected FQDN did not work. Also, I would need something server side, because my local clients might not be able to reproduce this trick on their own computers.

  2. Ad Block Plus doesn't help.

  3. Blocking the IPs of my ISP's proxy from my web server doesn't help -- or probably I didn't find the correct one yet.

  4. Yes, I am moving away from this ISP (TelkomSpeedy from Indonesia) by the end of this month, but this won't help my local customers either. I fear that they will find that the websites I build take more time to load or that the layout is broken (the injecting script used visibility:hidden in CSS before, now they put display:none so it doesn't mess with the layout).

So I am asking the experts in this forum, does anyone happen to know any workaround for this? Also, are there any Indonesian TelkomSpeedy users here experiencing the same?

Thanks.


Comments

  • rm_ IPv6 Advocate, Veteran

    said: does anyone happen to know any work around for this?

    Buy a small VPS abroad (Singapore should work well for you), set up some VPN such as OpenVPN or Tinc, install Squid proxy on the VPS, then do all your browsing via the proxy.

    Thanked by 1ehab
  • Haha, so do we in China

  • Hmm, I wonder why do they do it?

  • rm_ IPv6 Advocate, Veteran
    edited December 2014

    c1bl said: I wonder why do they do it?

    Did you check the picture? Did you notice "push ad" in a URL in the inserted code? Do you still wonder? :D

  • Why not mail/ring them and ask them why they are doing it?

    I would go with what @rm_ said, at least until my new ISP is live.

  • @rm_ said:
    Did you check the picture? Did you notice "push ad" in an URL in the inserted code? Do you still wonder? :D

    Yes, I still wonder why do they do it....

    IMO it's such a stupid action, customers will move away from them.

  • tommy Member
    edited December 2014

    Use dnscrypt and all of this crap will be gone forever.

    c1bl said: Yes, I still wonder why do they do it....

    IMO it's such a stupid action, customers will move away from them.

    If you search for something that doesn't exist or is blocked by their crappy DNS system, they will redirect you to a website full of ads and generate more money for their piggy pocket. Customers won't move, because we don't have many ISPs here.

  • Yeahh, there is f*ckin provider in Indonesia just like sapidi :(

    If you're using Windows, the solution is to add this

    127.0.0.1 cfs.u-ad.info

    to

    C:\WINDOWS\system32\drivers\etc\hosts then reload your browser, it should be removed soon :D

  • Install DNSCrypt from opendns.com.

  • @arest said:
    Yeahh, there is f*ckin provider in Indonesia just like sapidi :(

    If you're using Windows, the solution is to add this

    127.0.0.1 cfs.u-ad.info

    to

    C:\WINDOWS\system32\drivers\etc\hosts then reload your browser, it should be removed soon :D

    It works for me.. you saved my life. thx

  • Sapidi is going to die, no?

    Thanked by 1ehab
  • @arest nice find. I'll save it in case I need to use ;)

  • You can get unlimited free SSL from startssl.

    Thanked by 1thsigit
  • I use Sapidi unlimited 3 mbps (yes, 3 mbps, that's the fastest bandwidth that I can obtain for now) and never got this kind of adverts injection. :)

  • @linuxthefish said:
    You can get unlimited free SSL from startssl.

    Then send them to administrators of non-SSL websites you're going to visit ;)

  • thsigit Member
    edited December 2014

    @rm_: Nope, VPN is not a solution, because my customers won't bother to see their websites through it.

    @arest: been there, tried that.

    I had put these lines earlier before into /etc/hosts on my Ubuntu machine, but no joy:

    127.0.0.1 a02.u-ad.info
    127.0.0.1 cfs.u-ad.info

    Haven't tried that on my Windows 7, though, but isn't it the same?

    @vRozenSch00n: Soon.

    @linuxthefish: Thanks! Forgot that one!

    @fazar: don't worry, it will come soon to your area. I learned about this since yesterday, but searching online I found 2 other blogs mentioning this from Dec 5 and Dec 15 (I have it since Dec 16)

    ===
    From a reader on my blog I ended up using a small javascript as a replacement for </body> tag, works a treat!

    <script type="text/javascript" src="data:text/javascript;base64,PC9ib2R5Pg=="></script>

    Looking at the source, it will show as it is, but using inspector on Firefox or Chrome, this mini script renders as </body> tag.

    Anyway, thanks for all your concern.

  • @thsigit I applied on my win7, but never used it in linux

    Thanked by 1thsigit
  • @thsigit thanks for the info. On the campaign linked there is only one result?

    Thanked by 1thsigit
  • Janevski Member
    edited December 2014

    @thsigit Buy a VPS in a nearby datacenter which respects net neutrality, look for the lowest ping, then make a SSH tunnel or use OpenVPN for personal usage.
    https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
    Now You most likely can tunnel all the data through Your VPS, bypassing the ISP transparent proxy.

    The best solution is just not to use an ISP which doesn't respect users' privacy and, to add insult to injury, tampers with the data. If people don't use them they won't have income. If they don't have income they won't be able to work, and if they want to stay on the market they will have to start respecting their customers.

    Up to some point i understand passive data gathering, but this looks like interception and tampering, done without a specific case, towards all the users, it's outrageous.

    PS: Among the other things, if needed You can use html pre tags on Vanilla Forums, so the code or other preformatted plain text won't get reformatted and scrambled.

    Thanked by 1thsigit
  • Call your ISP and ask to opt-out. My ISP was doing nxdomain hijacking and I asked to be excluded from it. They complied with no grief.

    Thanked by 2thsigit Chuck
  • Melita Member, Host Rep
    edited December 2014

    Telkom Speedy is sadly the largest cable internet provider in Indonesia (owned by the government), and it can reach any house in Indonesia, with 250 million+ citizens, as long as you have a fixed telephone. In most areas they are alone and have a monopoly as cable provider.

    They use transparent DNS (any udp dpt 53 intercepted to use their own DNS) as well as a transparent proxy (port 80, https not intercepted) to add javascript ads and block some sites which have pornographic content. Kinda works like China, but no political content blocked. Well, I do wonder why reddit and imgur are also blocked.

    To bypass this as a single customer, the best solution is by using any type of VPN. Just buy any VPN / VPS located in Singapore / Hongkong.

    But if you want your website free from this script, best way might be to use SSL (cloudflare is free) or use HTML comments before body closure tag which you already mentioned.

    Thanked by 3thsigit NanoG6 Mark_R
  • rm_ IPv6 Advocate, Veteran
    edited December 2014

    Melita said: But if you want your website free from this script, best way might be to use SSL (cloudflare is free) or use HTML comments before body closure tag which you already mentioned.

    Indeed the best way to prevent anyone tampering with what your visitors get when they open your website, is to use SSL. Aside from Cloudflare, you can get any number of free SSL certificates from StartSSL.

    Thanked by 1Janevski
  • Melita Member, Host Rep

    @rm_ said:
    Aside from Cloudflare, you can get any number of free SSL certificates from StartSSL.

    I am too lazy to renew StartSSL myself every year. At least we have one less yearly schedule if using Cloudflare SSL :)

    Thanked by 1rm_
  • Ads injection seems to be the new "trend" within ISPs in Indonesia.

    XL Axiata seems to be doing it worse by injecting interstitial ads before showing the requested webpages. The company president justified it by saying that he invested in the network and infrastructure, but the Over The Top providers are the ones who reap the profits, like Google that shows paid advertisements in search pages.

  • rm_ IPv6 Advocate, Veteran
    edited December 2014

    Melita said: I am too lazy to renew StartSSL myself every year.

    Haha, same here. It's a bit of a hassle to renew with them. Hopefully it's about the last time we needed to do that, as https://letsencrypt.org/ launches next year.

    Thanked by 1ehab
  • Janevski Member
    edited December 2014

    rm_ said: Indeed the best way to prevent anyone tampering with what your visitors get when they open your website, is to use SSL. Aside from Cloudflare, you can get any number of free SSL certificates from StartSSL

    I agree, if a specific HTTPS URL is provided this should work like a charm, however, if the web site is just typed into the browser, most browsers are going to visit the HTTP destination first and if they receive HTTP 3XX redirect (or HTML meta redirect) they are going to continue, in this case towards HTTPS. Therefore as long as the initial contact is in plain text the displayed site contents towards the end user could still be easily manipulated. Most likely instead of 3XX it's going to receive a crafted 200 with injected js, html iframes etc.

  • thsigit Member
    edited December 2014

    @utama: that's my campaign, yes. If you face the same issue, please write on your own website/blog and join the campaign. I will urge some people at another channel to join too. Thanks!

    @Janevski: I can do that, but I can't ask my local customers (I build websites) to do the same. Also, a simple VPN will do good, but I am afraid this will be beyond my customers' (and their clients') interests.

    @joereid: been with them for years .. And they started this too late in my country. I will stop subscription with them by the end of the month, anyway. But I didn't know the same issue with XL Axiata (another ID ISP) until @DalComp mentioned it, though.

    @Melita: indeed, SSL is the best solution. The domain is in the process of moving to a new registrar, so I would wait. The base64 script I created above will temporarily take care of the problem.

    @rm_ didn't know about https://letsencrypt.org/, so thanks for the info!

  • Looks like I will consider moving to https early next year. Wildcard SSL still expensive though, I need it for the CDN (using MaxCDN).

    I will write about it on my blog. Even though I have never seen any injected ads from Speedy, the prospect is alarming. Can AdBlock block this? I use it all the time and maybe this is the reason I never saw it.

    Thanked by 1thsigit
  • timnboys Member
    edited December 2014

    Hello, I can tell you I bought a $20 a year wildcard SSL from one of the members here in LET. He had a link to it in his signature, and it was way cheaper than paying the SSL provider directly.
    Maybe you can find him and his link to order it, as a cheap wildcard SSL would be better than trying to do multiple SSLs from StartSSL.
