Republished: A look at BT's Trial Documentation
Originally published on Benscomputer.no-ip.org 14 June 2009
Now, it can hardly have escaped anyone's attention that BT ran some very
questionable trials of Phorm's system. It's been on BBC News, as well as
many other sources, including the Government's refusal to take action.
This has led to the EU intervening on our behalf, not that much has
happened from that so far.
But most of the media has focused on the RIPA element of it, that is to
say the illegal interception of the users' traffic. Having read the
leaked test documentation (have a look on WikiLeaks), I'd say that
there's another element to it that appears to have gone largely
unnoticed.
The original trial involved injecting Javascript into each and every
page the user visited (with some unfortunate results on forums), and
based on the test documentation, even users who were opted out (not
that they were given the opportunity in the trials) would find
JavaScript being run on every page.
Now let's take a look at the problems with this. Firstly, users who
noticed the strange behaviour believed that it was due to malware, and
BT did nothing to correct this view. Secondly, it was malware.
BT did not have authorisation to run the software (i.e. the JavaScript)
on those users' computers, and that is a violation of the Computer Misuse
Act. Had those users known about the test, and been able to opt out,
the JavaScript would still have continued to run. Again, probably a
violation of the CMA.
The test documents highlight another issue: pages with a large number
of links caused a problem within the script, and the browser window
stopped responding. Phorm's fix for this? Blacklist any pages that they
know cause the issue. Given the size of the net, they couldn't
possibly block all such pages, and that's before you take into account
the fact that pages evolve, so a 'known good' page could easily become
a problem page.
As it currently stands, a large number of people have blocked the
Webwise domains at router level, but it would appear that this may be
ineffective. The test documentation makes it clear that the aim is for
a completely transparent proxy system, and I suspect that the requests
will be routed through Phorm's hardware after they have entered BT's
network. That is to say, your router may never know that the traffic is
going through Phorm's hardware.
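If router-level blocking can't see the transparent proxy, what a user can still inspect is the content that actually arrives in the browser. The following is an added example, not code from the original post or from BT or Phorm, illustrating the point made above about script injection: it compares the HTML the browser received against a baseline copy of the same page obtained out of band (for instance, the copy served to another connection) and reports any script elements that exist only in the received copy, flagging those that load from a host other than the page's own. The sample pages, the host names forum.example and injected.example, and the function names are all constructed for the example.

```python
"""Flag <script> elements that appear in a received page but not in a
baseline copy of the same page.  Added illustration, not the original
post's code; all sample HTML and host names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script> element as a (src, inline_body) tuple."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # html.parser delivers the script body as raw data in CDATA mode
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body).strip()))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(received_html, baseline_html, page_url):
    """Return the scripts present in received_html but not in baseline_html.

    Each finding records the src (None for inline scripts), whether the
    script is inline, and whether an external src points at a host other
    than the page's own host."""
    baseline = set(collect_scripts(baseline_html))
    page_host = urlparse(page_url).hostname
    findings = []
    for src, body in collect_scripts(received_html):
        if (src, body) in baseline:
            continue  # same script as in the clean copy
        src_host = urlparse(src).hostname if src else None
        findings.append({
            "src": src,
            "inline": bool(body),
            "third_party": bool(src_host) and src_host != page_host,
        })
    return findings


# Constructed sample: a clean forum page and the copy a user received,
# which carries one extra external script and one extra inline script.
BASELINE = (
    "<html><head><title>Forum</title>"
    '<script src="/static/forum.js"></script></head>'
    "<body><p>Hello</p><script>initForum();</script></body></html>"
)
RECEIVED = BASELINE.replace(
    "</head>",
    '<script src="http://injected.example/tracker.js"></script>'
    "<script>/* injected */ loadAds();</script></head>",
)

if __name__ == "__main__":
    for finding in injected_scripts(RECEIVED, BASELINE, "http://forum.example/thread/1"):
        print(finding)
```

Run against the constructed sample it reports the tracker.js load as third-party and the inline `loadAds()` call as an unexpected inline script, while the page's own forum.js and `initForum()` are left alone. Obtaining a trustworthy baseline is the hard part in practice: a copy fetched over the same ISP path would be modified the same way, so it has to come from a different route or from the site operator.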
The test docs make it clear that a Squid proxy will be used. Now, whilst
Squid is a lovely bit of software, it does have a history of
vulnerabilities (what software doesn't?). A quick search on Google
shows fixes for remote exploit vulnerabilities, as well as denial of
service issues. Despite denials by both BT and Phorm, the simple fact
is that introducing another piece of hardware into the network puts
customers at risk, especially when everyone's traffic is defaulted into
passing through said piece of kit.
It's public that the hardware will be running Squid, so what happens
the next time a vulnerability is uncovered? All BT's customers are
potentially at risk from a Man in the Middle attack. The best case
scenario is that someone DoS's the hardware, and therefore temporarily
denies all BT's customers access to the internet. Worst case is that
the hardware could begin spoofing domains, your Internet Banking site
could easily be replaced by a lookalike. The address bar would confirm
that you are at https://somebank.com/login even though you are actually
at http://imathievingbastard.com/somebankspoof.
BT's test documentation makes quite a big deal of the fact that the
users who noticed the trial attributed it to malware. Well, that's
hardly surprising really. Until recently, who exactly would have
expected their ISP to secretly run a trial that involves monitoring
your every move on the Internet?
Other than that, the test documentation is pretty par for the course.
There's a section covering the reliability of their Squid server
redundancy, and most of the other test failures note that the issue
should be resolved with the implementation of 'ProxySense', which is
where Squid comes in.
The end result of all this is that their end goal is somewhat
disturbing. Depending on how well their newer 'ProxySense' system has
been implemented, they could potentially be running it right now, and
we would find it far harder to notice (not impossible though!).
Hopefully they aren't that stupid, but I wouldn't deprive
yourself of oxygen.