Interception/proxy + masquerading (e.g., a “local version” of a site that is not the real version) Location or Browser/Host based content restrictions
Websites choose not to serve pages to certain users
Script injections (browser)
Ways to measure:
Web Trip Wires Compare HTTP and HTTPS
Static content: easy Dynamic content: hard
In-Flight Manipulation of Content Potentially achievable through the implementation of a Apache + Browser plugins: Challenge exchange on the hash of the content in order to identify remotely programmable, on-the-fly ad substitution on the home router, Idea would involve fetching a hash of the object’s content from the server along with the object itself: Server gives page and random key, Client returns a content of the hash; Attacker could, however, suppress a hash and disavow that it ever happened, CAPTCHA-based key distribution so that middlebox in the middle can’t detect, Devolves into a key distribution problem -- have to do key distribution for static content; Other ideas: Timing differences with content is served? Differences in click patterns? Treating various parts of the network as a black box and trying to discover what the transformation operations are, detecting on-path proxies, middleboxes, etc. What about performing some kind of cryptographic operation that is expensive enough that it would make it difficult for a middlebox to perform in a reasonable amount of time? Self-certifying content or ads?