AT&T Demonstrates Why HTTPS Is Needed Everywhere

Ads have become a notable threat to computer security. While they are a fact of life for accessing content without paying directly for it you wouldn’t expect a company that you pay money to to infest your web experiences with ads. But some companies like to double dip. AT&T is one of those companies. In addition to getting customers to pay for hotspots AT&T is also maliciously inserting ads into websites visiting through its hotspots:

While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

But the web had sprouted ads. Lots of them, in places they didn’t belong.


Curious, and waiting on a delayed flight, I started poking through web source. It took little time to spot the culprit: AT&T’s wifi hotspot was tampering with HTTP traffic.

The ad injection platform appears to be a service from RaGaPa, a small startup. Their video pitch features “MONETIZE YOUR NETWORK” over cascading dollar signs. (Seriously.)

When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)

First, the hotspot adds an advertising stylesheet.


Next, it injects a backup advertisement, in case a browser doesn’t support JavaScript. It appears that the hotspot intercepts /ragapa URLs and resolves them to advertising images.


Finally, the hotspot adds a pair of scripts for controlling advertisement loading and display.

The title of this post promised Hypertext Transfer Protocol Secure (HTTPS) so some may be wondering what HTTPS has to do with ad injection. Simply put, this kind of bullshit can’t happen when the connection between a client and the server is encrypted. A man in the middle, which AT&T is in this case, cannot see the contents of an encrypted communication and if attempts to make any sort of alteration the decryption process will fail.

You won’t see any AT&T injected ads on this blog because everything is secured with HTTPS (the insecure HTTP interface just 301 redirects to the HTTPS connection). If every website did this the business model being used by RaGaPa, the ad injection services being used by AT&T, would be a total failure.

Securing connections doesn’t just protect against eavesdropping. It also protects again altering the contents, which can be just as big of a problem if not an even bigger one. In fact content integrity is another reason why the “nothing to hide” crowd should be ignored in discussions of pervasive cryptography. Cryptography is about so much more than hiding content.