(ot) JavaScript detecting foreign scripts

[hofar...@houseoffusion.com]

I apologize for this off topic post. A while back someone posted a thread
where they were working on a script that would enumerate the DOM and detect
foreign JS scripts running or loaded. I am looking to consult with that
person off-list because I have a case where I need to do the same.

It appears as if in some locations Comcast's proxies are intercepting
advertising scripts (google/doubleclick) and replacing them with their own
JS that substitutes their own contracted ads. I am looking for a way to
detect this on a test page to determine how wide spread the practice is.

I would be greatly appreciative if that person would contact me directly
either by email or phone.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360178

[hofar...@houseoffusion.com]

>>I am looking to consult with that person off-list

Please don't do it off-list, several of us could be interrested.
I developped a client side javascript error trackink tool and it helped me a lot to debug my scripts, but I get many errors happening in foreign JS scripts.
I fixed my program to detect 5 or 6 of them and now the system is almost perfect.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360179

[hofar...@houseoffusion.com]

Good Afternoon,

I have been playing with the mobile abilities of CF11 recently and just
noticed that my trial copy of the CFB is coming to an end soon.

Does anyone have an extra license for CFB 3 that they would be willing to
part with?

I don't want to pay the full retail price for something I am just 'playing
with' yet.

Thanks,
William


----------------------------------
William Seiter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360180

[hofar...@houseoffusion.com]

> I developped a client side javascript error trackink tool and it helped
me a lot
> to debug my scripts, but I get many errors happening in foreign JS
scripts.
> I fixed my program to detect 5 or 6 of them and now the system is almost
> perfect.

Should have known it was you <smile>. What is happening is that Comcast has
engaged the company MyTurfads.com that on the fly replaces Google and other
ads with their own. They intercept the call to the script and return JS of
their own that inserts a script from their domain (adx.myturfads.com) into
the DOM. That script then calls others to handle the ads.

I have proven this using a test page http://www.uxb.net/adtest/ that only
has a single Google ad and no other scripts. The content of the single
script on that page gets replaced at my sisters in NY (Comcast) but not in
CT (Comcast) .

I want to find out how wide spread this is because 3 data points do not make
an argument. I only found out about it because my sister complained about
getting pop-up and self-running modal video ads on one of my websites and
that should not occur.

What I want to do is write a script that can detect if the domain
myturfads.com is located anywhere in the DOM. I intend to place it on the
simple test page so that once detected I can initiate an Ajax call and
record the user IP on my server. I can hack at JS code with enough
examples but sadly need a little help on this one.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360181

[hofar...@houseoffusion.com]

> It appears as if in some locations Comcast's proxies are intercepting
> advertising scripts (google/doubleclick) and replacing them with their own
> JS that substitutes their own contracted ads. I am looking for a way to
> detect this on a test page to determine how wide spread the practice is.
>
> I would be greatly appreciative if that person would contact me directly
> either by email or phone.

I'm not that person, but I have some suggestions.

First, my understanding is that this only happens for users of Comcast
public access hotspots, not for subscribed users:

http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

Second, if you use TLS (SSL) exclusively, you should be able to
prevent this. Google/Doubleclick support this, and I really think it's
the way of the future. We recommend exclusive TLS use for all of our
customers. Not specifically just for this problem, but because it
limits exposure generally and because it may positively affect SEO in
the near future:

http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html

Third, there's an IEEE paper that provides some sample code for
handling this problem. I haven't read it myself, and it's not a free
paper, but it may be worth the money to you:

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6032221&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6032221

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360182

[hofar...@houseoffusion.com]

Thanks Dave I do appreciate the information.

> First, my understanding is that this only happens for users of Comcast
public
> access hotspots, not for subscribed users:
>
> http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-
> injections-threaten-security-net-neutrality/

In my research I did see that article but alas they are indeed rolling it
out to actual subscribers.

> Second, if you use TLS (SSL) exclusively, you should be able to prevent
this.

I tested for this and yes it does prevent it. However that is not actually
the point. The point is much bigger than the pennies they sole from my
websites ad revenue. Maybe I am the only one but to me this practice,
replacing the content of a webpage with their own content, is a heinous
affront to the idea of an open Internet.

Maybe I am going off the rails here but isn't this exactly what the Net
Neutrality fight was all about? Not fast lanes and slow lanes but data
integrity!

Thanks for the pointer on the JS code I will look into it and take a step
down off my soapbox.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360183

[hofar...@houseoffusion.com]

On Mon, Mar 2, 2015 at 8:52 PM, UXB Internet <den...@uxbinternet.com>
wrote:

> I apologize for this off topic post. A while back someone posted a thread
> where they were working on a script that would enumerate the DOM and detect
> foreign JS scripts running or loaded. I am looking to consult with that
> person off-list because I have a case where I need to do the same.

Nowadays most browsers support having a Content Security Policy which IMHO
offers a much better mechanism to do so in its reporting functionality:
http://www.w3.org/TR/CSP/

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360184

[hofar...@houseoffusion.com]

> > Second, if you use TLS (SSL) exclusively, you should be able to prevent
> > this.
>
> I tested for this and yes it does prevent it. However that is not actually
> the point. The point is much bigger than the pennies they sole from my
> websites ad revenue. Maybe I am the only one but to me this practice,
> replacing the content of a webpage with their own content, is a heinous
> affront to the idea of an open Internet.
>
> Maybe I am going off the rails here but isn't this exactly what the Net
> Neutrality fight was all about? Not fast lanes and slow lanes but data
> integrity!
>
> Thanks for the pointer on the JS code I will look into it and take a step
> down off my soapbox.

I agree with you that Comcast should die in a fire, but it'll take a
while for the FCC to fix that problem I'm sure. In the meantime,
rent-seekers gonna rent-seek, I guess.

I like Jochem's solution, of which I was unaware, but still recommend
you use HTTPS.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360185

[hofar...@houseoffusion.com]

I would let it expire and see if you need the license. I use the expired trial and it does everything I need. It isn't worth spending the $300 unless you use the extra tooling.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360186

[hofar...@houseoffusion.com]

>> I agree with you that Comcast should die in a fire,

So I'm not crazy then. I have to wonder some times.

>> I like Jochem's solution, of which I was unaware, but still
>> recommend you use HTTPS.

Actually I can also prevent it by switching to a different/newer ad type
with a different script but that wasn't the goal for this request. The goal
was to collect data on where (the IP) the script was being injected.
Stopping it with a technical solution is an arms race.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

> Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
> Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360187

[hofar...@houseoffusion.com]

Using HTTPS may not be able to solve the problem completely either. A lot of companies, and now apparently ISPs, do a man in the middle certificate and have access to the whole encrypted stream. Companies do it to ensure that their work product isn't being ex-filtrated, ISPs seem to do it for advertising. There are ways to verify your direct connection to a server, but it requires diligence on the part of the browser user.

I was thinking at first that you could generate a hash of the page being send and append it in http headers and then use javascript to hash the DOM and compare it, but I don't think that would work because of add-ins like LastPass that inject javascript that the user wants.

Just throwing ideas out there. :)

-----Original Message-----
From: UXB Internet [mailto:den...@uxbinternet.com]
Sent: Tuesday, March 03, 2015 9:23 AM
To: cf-talk
Subject: RE: (ot) JavaScript detecting foreign scripts


>> I agree with you that Comcast should die in a fire,

So I'm not crazy then. I have to wonder some times.

>> I like Jochem's solution, of which I was unaware, but still
>> recommend you use HTTPS.

Actually I can also prevent it by switching to a different/newer ad type
with a different script but that wasn't the goal for this request. The goal
was to collect data on where (the IP) the script was being injected.
Stopping it with a technical solution is an arms race.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com


> -----Original Message-----
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: Tuesday, March 3, 2015 8:08 AM
> To: cf-talk
> Subject: Re: (ot) JavaScript detecting foreign scripts
>
>

> http://www.amazon.com/Adobe-Coldfusion-
> Anthology/dp/1430272155/?tag=houseoffusion
> Archive: http://www.houseoffusion.com/groups/cf-
> talk/message.cfm/messageid:360185
> Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
> Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360188

[hofar...@houseoffusion.com]

> Just throwing ideas out there. :)

All my pontificating aside for this particular purpose I am just trying to
detect if the string "adx.myturfads.com" exists anywhere on the DOM.

For my sister, I've already stopped it from loading by editing the hosts
file on the PC to disallow that domain.

Including the reasons you stated trying to stop it with a purely technical
solution is just an arms race. This requires legal action. I am trying to
find a way to collect data to support that.

They may have stepped over a line here because they are not just adding but
removing and replacing content.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360190

[hofar...@houseoffusion.com]

> Please don't do it off-list, several of us could be interested.

In case anyone is interested, as Claude recommended, It was relatively easy
to check for the foreign script injection by myturfads.com. There is a
test page with the code located at http://www.uxb.net/adtest/ that will look
to see if your client is seeing the Google ad being replaced by the
myturfads.com

In case you are wondering what I am talking about. Some ISP's are using a
proxy technology that in real time intercepts the Google Ad JavaScript code
and replaces it with their own advertising from a company (MyTurf -
www.myturfads.com) that specializes in injecting local advertising into
existing ad spaces for Local ISP's. They replace the google or double
click JS code with their own and can add/inject pop-up and video ads into
sites that only use text or image advertising from Google. Very Annoying!

Based on the testing I have done with one of my more trafficked sites that
have ads on them (hce.halomaps.org) there are at least two ISP's that are
using the ad-replacement proxy technology in three different regions:
Brewster NY, Denver CO. and Boise ID. NY and CO were Comcast and ID was
CenturyLink. I am seeing multiple IPS from each area, mostly in the same B
and C blocks.

The way the test page works is that after loading it looks for any script
called from "myturfads.com" on the page and then lists the scripts and warns
if one was found. If one was found it performs an AJAX call and sends me an
email with the client IP.

I have contacted and opened a case with Google about this and they were very
interested, but of course I only get to deal with the front line support
person so I have no idea what they intend. I also contacted a copyright law
firm and they were interested but because it is Google's Code and not mine
that is being replaced an infringement case would be tough. Not only that
but apparently there is no case law that says the ISP cannot replace or
inject scripts. To proceed further it would require I cover legal research
costs to see if there was a case to be had. It gets all muddy,
especially now with the FCC's new Net Neutrality regulations still not fully
defined and already under legal attack.

I find this behavior on the part of the ISP's abhorrent and dangerous.
Right now they are replacing advertising and stealing revenue from the
advertiser and Web Publisher. But they could just as easily replace articles
or any real content on the fly as well. And the worst of it is that there
is apparently no legal precedent to the contrary.

Thanks for listening.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360348