Republished: A look at BT's Trial Documentation

Originally published on Benscomputer.no-ip.org 14 June 2009

Now, it can hardly have escaped anyone's attention that BT ran some very questionable trials of Phorm's system. It's been on BBC News, as well as many other sources, including the Government's refusal to take action. This has led to the EU intervening on our behalf, not that much has happened from that so far.

But most of the media has focused on the RIPA element of it, that is to say the illegal interception of the user's traffic. Having read the leaked test documentation (have a look on WikiLeaks), I'd say that there's another element to it that appears to have gone largely unnoticed.

The original trial involved injecting JavaScript into each and every page the user visited (with some unfortunate results on forums), and based on the test documentation, even users who were opted out (not that they were given the opportunity in the trials) would find JavaScript being run on every page.

Now let's take a look at the problems with this. Firstly, users who noticed the strange behaviour believed that it was due to malware, and BT did nothing to correct this view. Secondly, it was malware.

BT did not have authorisation to run the software (i.e. the JavaScript) on those users' computers; that is a violation of the Computer Misuse Act. Now, had those users known about the test and been able to opt out, the JavaScript would have continued to run. Again, probably a violation of the CMA.

The test documents highlight another issue: pages with a large number of links caused a problem within the script, and the browser window stopped responding. Phorm's fix for this? Blacklist any pages that they know cause the issues. Given the size of the net, they couldn't possibly block all the pages, and that's before you take into account the fact that pages evolve, so a 'known good' page could easily become a problem page.

As it currently stands, a large number of people have blocked the webwise domains at router level, but it would appear that this may be ineffective. The test documentation makes it clear that the aim is for a completely transparent proxy system, and I suspect that the requests will be routed through Phorm's hardware after they have entered BT's service. That is to say, your router may never know that the traffic is going through Phorm's hardware.
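Because a transparent proxy sits beyond the customer's router, a domain block at the router tells you nothing; the only place left to look is at what actually arrives. The following is an added example (my own code, not anything from BT, Phorm or the leaked documents) showing the two checks a user could run on a fetched page: whether any script tag points at a host other than the site being visited (the injection described above), and whether the HTTP response carries headers that a caching proxy such as Squid typically adds (Via, X-Cache). The HTML and headers are constructed sample input; "forum.example" and "inject.example" are placeholders, not real hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Response headers that Squid and similar caching proxies commonly insert.
# Their presence on a page that should come straight from the origin is a
# useful hint that something in the path is handling the request.
PROXY_HEADER_MARKERS = ("via", "x-cache", "x-cache-lookup", "x-forwarded-for")


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag and count inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []      # src values of <script src="..."> tags
        self.inline_count = 0   # <script> tags with no src at all

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def foreign_script_hosts(html, page_host, allowed_hosts=()):
    """Return hosts of external scripts that are neither the page's own host
    nor on the caller's allow-list. Relative URLs resolve to the page host
    and are therefore never reported."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for src in parser.external:
        host = urlparse(src).hostname   # also handles scheme-relative //host/x.js
        if host is None or host == page_host or host in allowed_hosts:
            continue
        if host not in found:
            found.append(host)
    return found


def proxy_markers(headers):
    """Return the subset of response headers that look proxy-inserted
    (matched case-insensitively, original spelling preserved)."""
    return {k: v for k, v in headers.items() if k.lower() in PROXY_HEADER_MARKERS}


def audit_response(html, headers, page_host, allowed_hosts=()):
    """Combine both checks into one report for a single fetched page."""
    return {
        "foreign_script_hosts": foreign_script_hosts(html, page_host, allowed_hosts),
        "proxy_markers": proxy_markers(headers),
    }


# Constructed sample: a forum page with one legitimate site script, one
# script injected from an unrelated host, and one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/forum.js"></script>
<script src="http://inject.example/track.js"></script>
<script>var threadId = 42;</script>
</head><body><a href="/thread/42">A thread</a></body></html>"""

# Constructed sample headers, with a Via header of the kind a proxy adds.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Via": "1.1 cache01.example (squid)",
}

if __name__ == "__main__":
    report = audit_response(SAMPLE_HTML, SAMPLE_HEADERS, "forum.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean result is an empty list of foreign script hosts and an empty dictionary of proxy markers; anything else deserves a closer look. The allow-list exists because many sites legitimately load scripts from a CDN, so the check should be tuned per site rather than treated as a verdict on its own.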

The test docs make it clear that a Squid proxy will be used. Now, whilst Squid is a lovely bit of software, it does have a history of vulnerabilities (what software doesn't?). A quick search on Google shows fixes for remote exploit vulnerabilities, as well as denial of service issues. Despite denials by both BT and Phorm, the simple fact is that introducing another piece of hardware into the network puts customers at risk, especially when everyone's traffic is defaulted into passing through said piece of kit.

It's public that the hardware will be running Squid, so what happens the next time a vulnerability is uncovered? All BT's customers are potentially at risk from a Man in the Middle attack. The best case scenario is that someone DoS's the hardware, and therefore temporarily denies all BT's customers access to the internet. Worst case is that the hardware could begin spoofing domains, your Internet Banking site could easily be replaced by a lookalike. The address bar would confirm that you are at https://somebank.com/login even though you are actually at http://imathievingbastard.com/somebankspoof.

BT's test documentation makes quite a big deal of the fact that the users who noticed the trial attributed it to malware. Well, that's hardly surprising really. Until recently, who exactly would have expected their ISP to secretly run a trial that involves monitoring your every move on the Internet?

Other than that, the test documentation is pretty par for the course. There's a section covering the reliability of their Squid server redundancy, and most other test failures mention that this issue should be resolved with the implementation of 'ProxySense', which is where Squid comes in.

The end result of all this is that their end goal is somewhat disturbing. Depending on how well their newer 'ProxySense' system is being implemented, they could potentially be running it right now and we would find it far harder to notice (not impossible though!). Hopefully they aren't that stupid, but I wouldn't deprive yourself of oxygen.