Ad Injection by ISPs Via HTML/Javascript?

The Problem

Crazy how some ISPs would be bold enough to do this. Consider the following scenario:

You’re browsing your favorite blog site, say dForge.net. All of a sudden, an H&R Block ad creeps up from the bottom because, you know, it’s tax season. Nothing unusual, right? It’s just an ad. From a company that can do your taxes, which is actually pretty good timing. Except it is unusual. Because that ad actually isn’t endorsed by dForge.net. How?

What’s Happening?!

What happens is, in fact, extremely interesting. And it can happen at any time along the way from the server (dForge.net) to the client (you). Web traffic, for the most part, is sent in clear text. ISPs know this and could, on the fly, modify content before it reaches the client. So, essentially, this is what happens:

  1. Client web browser makes a request to the web site.
  2. Request goes through client’s ISP.
  3. Request gets routed through the Internet.
  4. Request goes through server’s ISP.
  5. Server responds with HTML/CSS/Javascript/images/etc.
  6. Response goes through server’s ISP.
  7. Response gets routed through the Internet.
  8. Response goes through client’s ISP.
    • ISP appends HTML/CSS/Javascript to response that generates ad.
  9. Client web browser receives response and displays the web page.

ISP appends HTML/CSS/Javascript to response that generates ad. Wait, what?! Unfortunately, it happens. Check out this article. As a matter of fact, it can happen at any point between steps 6 and 8 (yes, at any of the many hops through the Internet). Sucks, I know. So instead of ad revenue going to the blog or site that you visited, it will go to the ISP.

An Analogy

This is akin to someone setting up a milkshake stand in front of your general store. Your general store is at a great location, on top of a hill. You sell milkshakes, too, because you’ve noticed that after climbing that hill, some customers become extremely thirsty. Unfortunately, though, some customers will buy from the milkshake stand (because, you know, it’s right there!), and some won’t, but the bottom line is you’ve lost revenue.

Never mind the fact that a content provider could lose ad revenue; truly the underlying evil in this is that ISPs can change your content. This is why net neutrality is important. Data needs to be untouched as it traverses the Internet. It most certainly should not be discriminated against based on user/content/site/whatever. Any unsolicited modification of that data is wrong. ISPs do not speak for me. I don’t even use H&R Block. Maybe I think TurboTax is better. Maybe my milkshake is better!

The Fix

I think this will be an upward trend, with more and more Internet providers implementing this “feature”, unless legislation prevents ISPs from doing so. Note that content insertion isn’t limited to ISPs; this could occur at hotels, for example, where their routers would insert content into web pages you are browsing (of course, only while you’re connected to the hotel Internet). So, how do you defend against this? The best way is to run a pure SSL website. Remember, when using SSL, content is unencrypted only at the endpoints (i.e. at the client and at the server). As the content traverses the Internet, however, it is completely encrypted. In this case, man-in-the-middle attacks (i.e. an ISP inserting Javascript into the response) can’t be done!

Implementing SSL on your site is easier said than done, however. For example, if you’re a content provider that relies on ad revenue, your ad content will also need to be secured over SSL. So let’s say you use Google Adsense to provide your ads. Google would need to provide resource links that are secured over HTTPS. Unfortunately, as of this writing, Google does not provide this, so you’ll likely have to find an ad provider that supports SSL (Adspeed seems to support this).
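Whether a site is really “pure SSL” comes down to whether every sub-resource it pulls in (scripts, ad iframes, images, stylesheets) is also fetched over HTTPS; any one of them left on plain http:// still travels in cleartext and can be modified in transit. The following is an added example, not code from the original post, that audits an HTML page for such references; the sample page and the cdn.example.net / ads.example.net domains are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause the browser to fetch a sub-resource.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "link": ("href",),
}

class _InsecureRefCollector(HTMLParser):
    """Collects every sub-resource URL that resolves to the http scheme."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only rel types that are actually fetched count (canonical etc. are not).
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//host/x.js") URLs inherit the
            # page's scheme, so only explicit http:// references are flagged.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))

def find_insecure_subresources(html, page_url):
    """Return (tag, absolute_url) for each sub-resource loaded over plain HTTP."""
    collector = _InsecureRefCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.insecure

# Constructed sample page: an HTTPS blog post whose ad code and stylesheet
# still point at http:// hosts (placeholder domains, not real ad providers).
SAMPLE_PAGE_URL = "https://dforge.net/2010/ad-injection"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://dforge.net/2010/ad-injection">
</head><body>
<img src="/images/logo.png">
<script src="//ads.example.net/show_ads.js"></script>
<script src="http://ads.example.net/show_ads.js"></script>
<iframe src="http://ads.example.net/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_insecure_subresources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"insecure <{tag}> reference: {url}")
```

Run against a real page's HTML, an empty result means every sub-resource is fetched over HTTPS; each line reported is a resource an intermediary could still rewrite.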

So, go get that SSL certificate and start serving your pages securely over the Internet! Google did it. dForge.net did it (well, I at least somewhat have it; I use Google Adsense so it partially works!). Now, so should you.