ADSL cap warning not a man-in-the-middle attack: Telkom

[Kevin Lancaster]

New ADSL cap warning not a man-in-the-middle attack: Telkom

Telkom has rolled out an in-browser notification system which has raised a number of security concerns.

 

[MickZA]

Old news - better late than never I suppose though.

 

[Kosmik]

Re-direct and injection are certainly not the same thing, from reading that article, certainly sounds like an injection. Now if the were to re-direct the page when first opened to a warning page for a few seconds, that would be a re-direct.

 

[Johand]

It reminds me of the joke "When you make somebody breakfast in bed the least you should expect is Thank You. Not all this who are you and what are you doing in my house nonsense."

Good intentions horrible execution Telkom overstepped the line!

 

[Nephew_]

Yes, Telkom, I know I am out of cap. Do you really have to remind on every freakin page I visit, on every device? Really?

 

[jetlee]

OK, I havent seen it, so I may be well off the mark .. but that flow is for WiFi Auth .. not the telkom cap notification, so it isnt clear if its altering page content or not. If its Injecting javascript, as the article says, then it may well be both man in the middle and cross site scripting, both of which are serious security vulnerabilities ..

IMHO, anything trying to change your web content, after the server has served it, whether for invisible proxy caching or for adverts .. is a massive security concern.

 

[jetlee]

Also, as an aside, I have a very different usage pattern when using an authenticated WiFi hotspot, than my own internet, for very good reason .. following a Wifi hotspot workflow, for a private internet connection, is madness .. from a security perspective.

 

[alexandergrahambell]

It's helpful and I like it. Does that make me stupid, vulnerable to snooping by the CIA and the ANC, technologically illiterate, a Telkom fanboi, someone who shouldn't be trusted with a four digit calculator or all of the above?

 

[¯\_(ツ)_/¯]

We need to remember that this is coming from the company that believes "security is a personal decision": http://mybroadband.co.za/news/security/78873-adsl-router-security-concern-in-sa.html

 

[MrGray]

In order to inject the script it means their servers have to parse html intended for you, and you only. This is not on. They should rather just redirect users when the cap is used, or even better send an sms.

 

[ranger]

Yes, Telkom, I know I am out of cap. Do you really have to remind on every freakin page I visit, on every device? Really?

No, we don't. Click the notification, log in, click acknowledge.

Then, if you don't want it in future, click on the notifications menu item, and uncheck the 'In-browser notification'.

Depending on feedback, we could make the 100% notification work like the 80% and 90% notification (if you click it, it gets disabled).

 

[ranger]

We need to remember that this is coming from the company that believes "security is a personal decision": http://mybroadband.co.za/news/security/78873-adsl-router-security-concern-in-sa.html

"D-Link’s technical supervisor, Altus Lourens, explained that by default all of their routers have the remote management feature on port 80 disabled.

Lourens added that this is also true for the firmware supplied to Telkom Internet for the D-Link routers they sell."

So, Telkom supplies the modem with the remote administration feature disabled by default, must they prevent users from enabling features that are available?

 

[ranger]

In order to inject the script it means their servers have to parse html intended for you, and you only. This is not on. They should rather just redirect users when the cap is used, or even better send an sms.

1)We did for a brief period redirect customers when they reached their quota. You had to log in to the portal, and click a button to continue in Softcap mode. With this configuration, the call centre complained that they were unable to handle the volumes of calls for users who didn't know their password and were complaining that we cut them off from the internet.
2)New customers (for the past 3 years or so) automatically have email or SMS notifications enabled, and all customers can enabled them. However, we still have a large percentage of our customers who log line faults when they don't know they are over quota.
3)You can disable the in-browser notification the first time you see it ... if you aren't able to, you probably don't have email or SMS notifications enabled ...