Wednesday, May 18, 2011

Network Provider Modifying Application Traffic En Route To Users?

To keep up with growing demand for wireless internet service, some providers are adding clauses that allow them to optimize traffic by modifying large media files, such as video and images, in real time.
These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. [Services Terms and Conditions - Verizon]
More info on their network optimization.

Perhaps you've fallen into the thinking that your site doesn't need SSL/TLS because you are not transferring or accepting any sensitive user data. Besides this being flawed logic, you may want to reconsider your position given this information. This new policy may cause a portion of your users to receive images and videos in a format or quality different from what you have specified.

To ensure your delivered traffic is received as intended you need to use SSL/TLS. A site delivered via SSL/TLS cannot be tampered with by anyone between the website and the user. Any attempt to modify or intercept this traffic will result in a certificate failure and an alert to the user [1].

As the move to wireless internet continues, so will the strain on the network and the number of users visiting your application via a wireless provider. If you want to ensure that your images and video are delivered in the quality and format that you've specified, and not at the discretion of the network provider, then you need to move to HTTPS for your sites now.

Note: Please take a look at the OWASP Transport Layer Protection Cheat Sheet to avoid common vulnerabilities in the design and deployment of SSL/TLS.

[1] - There are exceptions if the certificate is issued by a CA that has been added to the end user's browser root certificate store, e.g. a corporate IT department adds an SSL proxy CA to all issued machines.

-Michael Coates - @_mwc


  1. Great suggestion! Although this isn't really a new problem. Wireless carriers used to maintain gateway machines that "tailor" content for the limited browsers of the day.

    For months after Motorola released their V600 phone, Cingular's gateways insisted on translating all images sent to that phone into black and white (no greyscale) WBMP pixel-vomit.

    They would also do very aggressive (read wildly non-standard) caching in the gateway that complicated delivery of real-time information.

  2. You're correct that it's not necessarily a new problem. But I think it will become a more widespread issue as more people access the web via devices with embedded data connections. The strain on the network will increase, as will the popularity of bandwidth-heavy sites.

  3. Hi Michael,

    While I agree that in a perfect world you would use TLS for everything, including normal content, we live in a world where IPv4 is running out (providers need you to sign in blood for each IP).
    IPv6 is hardly supported and SNI (Server Name Indication) is being held back by pesky browsers and old operating systems (thanks XP, Android and Java!).

    Now once we bite the bullet and get on some newer tech and more importantly, the stragglers move up the chain to better software we can move on. I mean SNI is hardly new or earth shattering.
