Re: CSP and HTML manipulation by Internet Access Providers from Daniel Veditz on 2012-01-14 (public-webappsec@w3.org from January 2012)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sat, 14 Jan 2012 10:34:23 -0800
To: Hendrik Brummermann <nhb_web@nexgo.de>
CC: public-webappsec@w3.org
Message-ID: <4F11CAAF.1080302@mozilla.com>

On 12/28/11 6:29 PM, Hendrik Brummermann wrote:
> While there are some reports on ISP manipulating HTML code (e. g.
> http://www.zdnet.de/magazin/41515603 in German), there seems to be no
> documented way for a website to prevent or even detect this manipulation.

The ISP is performing a MITM attack; all CSP is doing is alerting
you to that fact. CSP wasn't designed to detect MITM so it's more
likely to detect dumb ones like this than an actual malicious
targeted attack which would presumably suppress the CSP header, or
use "allowed" hosts and intercept those requests as well.

> TL;DR: Some providers manipulate the HTML code causing their customers
> to end up with CSP violations and there seems to be no documented way
> for a website to prevent this other than using CSP on https pages only.

The only tool designed to prevent MITM is TLS. Short of that there's
not a lot you can do in this situation. CSP has detected the damage,
do you want to live with it or fight it?

* Is modifying content--note, this is far more than "network
management" that might be allowed--illegal in your user's
jurisdiction? I bet a good lawyer could make a case this is a
copyright violation (they have created a derivative work without
permission). Is there a German EFF that could help?

* Even if this modification is legal it may not withstand customer
demand if users knew the ISP was doing this. Can you let them know
in some way? They could maybe switch ISPs if they have a choice (not
always possible), flood the ISP's customer support, raise a ruckus
with their legislators, switch to a VPN service if they need
immediate protection.

* You could talk to the ISP and explain the damage they are doing.
Inlining cachable JS is stupid, surely their own technical experts
can help them see that part. If their image redirection is for
performance reasons there may be different tools they could use, or
they could use real host names so you could add them to the policy
(if you were convinced they were benign).

* You could give up on CSP, or maybe conditionally based on client IP.

Sorry this is probably not a lot of help.

-Dan Veditz

Received on Saturday, 14 January 2012 18:35:48 UTC