Content Manipulation


Interception/proxy + masquerading (e.g., a “local version” of a site that is not the real version)

Location or Browser/Host based content restrictions

Websites choose not to serve pages to certain users

region-locked contents

Web servers:
- could differentiate on basis of IP address
- could drop, degrade, redirect to alternate content

Take down online social network (OSN) posts/accounts

censor controls DSN vs. does not control

Weibo vs. Twitter/FB

Javascript Injection

Script injections (browser)

Ways to measure:

- Web Trip Wires
- Compare HTTP and HTTPS

- Static content: easy
- Dynamic content: hard

In-Flight Manipulation of Content

Potentially achievable through the implementation of Apache + Browser plugins:

- Challenge exchange on the hash of the content in order to identify remotely programmable, on-the-fly ad substitution on the home router
- Idea would involve fetching a hash of the object’s content from the server along with the object itself:
  - Server gives page and random key
  - Client returns a hash of the content
- Attacker could, however, suppress a hash and disavow that it ever happened
- CAPTCHA-based key distribution so that the middlebox in the middle can’t detect
- Devolves into a key distribution problem -- have to do key distribution for static content

Other ideas:

- Timing differences when content is served?
- Differences in click patterns?
- Treating various parts of the network as a black box and trying to discover what the transformation operations are, detecting on-path proxies, middleboxes, etc.
- What about performing some kind of cryptographic operation that is expensive enough that it would make it difficult for a middlebox to perform in a reasonable amount of time?
- Self-certifying content or ads?
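
The challenge exchange sketched above (server gives page and random key, client returns a hash of the content), as an added Python example that is not part of the original notes. The class and function names, the choice of HMAC-SHA256 as the keyed hash, and the sample page are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample page; not taken from any real site.
ORIGINAL = b"<html><body><div id='ad'>origin ad</div><p>article</p></body></html>"


def substitute_ad(body: bytes) -> bytes:
    """Stand-in for the on-path rewrite the measurement is meant to detect."""
    return body.replace(b"origin ad", b"injected ad")


def client_tag(key: bytes, received_body: bytes) -> bytes:
    """Client side: keyed hash over the bytes that actually arrived."""
    return hmac.new(key, received_body, hashlib.sha256).digest()


class Server:
    def __init__(self, page: bytes):
        self.page = page
        self.pending = {}  # challenge id -> random key issued with that response

    def serve(self):
        """One response: challenge id, fresh random key, page body."""
        cid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[cid] = key
        return cid, key, self.page

    def verify(self, cid, tag):
        """Classify a report as intact, modified, no-report or unknown-challenge."""
        key = self.pending.pop(cid, None)  # single use, so old reports cannot be replayed
        if key is None:
            return "unknown-challenge"
        if tag is None:
            # Suppressed report: the server learns nothing either way.
            return "no-report"
        expected = hmac.new(key, self.page, hashlib.sha256).digest()
        return "intact" if hmac.compare_digest(expected, tag) else "modified"


def run_exchange(server, rewrite=None, suppress_report=False):
    """Drive one request/report round trip, optionally through a rewriting path."""
    cid, key, body = server.serve()
    if rewrite is not None:
        body = rewrite(body)
    # The key travels beside the page here, which is why the notes say the
    # scheme devolves into a key distribution problem.
    tag = None if suppress_report else client_tag(key, body)
    return server.verify(cid, tag)
```

A "no-report" result cannot be told apart from a client that never ran the check, which is the disavowal problem noted above.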