Wednesday, May 18, 2011

Network Provider Modifying Application Traffic En Route To Users?

To keep up with the growing demand for wireless internet service, some providers are adding clauses to their terms that allow them to "optimize" traffic by modifying large media files, such as video and images, in real time.
These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. [Services Terms and Conditions - Verizon]
More info on their network optimization.

Perhaps you've fallen under the thinking that your site doesn't need SSL/TLS because you are not transferring or accepting any sensitive user data. Besides this being flawed logic, you may want to reconsider your position given this information. This new policy may cause a portion of your users to receive images and videos in a format or quality different from what you specified.

To ensure your delivered traffic is received as intended, you need to use SSL/TLS. A site delivered via SSL/TLS cannot be tampered with by anyone between the website and the user. Any attempt to modify or intercept this traffic will result in a certificate failure and a warning to the user[1].

As the move to wireless internet continues to grow, so will the strain on the network and the number of users visiting your application via a wireless provider. If you want to ensure that your images and video are delivered in the quality and format that you've specified, rather than at the network provider's discretion, then you need to move to HTTPS for your sites now.
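One way to check whether an asset is being altered between your server and a user is to compare what arrives over plain HTTP with a trusted copy (the same asset fetched over HTTPS, or the file as deployed). The script below is an added example, not part of the original post; the `Response` class, the `compare` and `fetch` helpers and the sample JPEG-like byte strings are all constructed for illustration.

```python
"""Detect in-transit modification of a delivered asset (added example).

Compares the bytes and headers of an asset received over plain HTTP
against a trusted reference. Response data below is constructed."""
import hashlib
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    body: bytes
    headers: dict = field(default_factory=dict)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(reference: Response, received: Response) -> list:
    """Return findings describing how `received` differs from `reference`."""
    findings = []
    if sha256(received.body) != sha256(reference.body):
        findings.append(f"body modified: {len(reference.body)} -> {len(received.body)} bytes")
    ref_h = {k.lower(): v for k, v in reference.headers.items()}
    rec_h = {k.lower(): v for k, v in received.headers.items()}
    # Headers that should be identical if nothing touched the response
    for name in ("content-type", "content-length", "etag"):
        if name in ref_h and rec_h.get(name) != ref_h[name]:
            findings.append(f"{name} changed: {ref_h[name]!r} -> {rec_h.get(name)!r}")
    # Headers commonly inserted by an intermediary that rewrote the response
    for name in ("via", "warning", "x-cache"):
        if name in rec_h and name not in ref_h:
            findings.append(f"intermediary header added: {name}: {rec_h[name]}")
    return findings


def fetch(url: str) -> Response:
    """Fetch a URL over the live network (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=10) as r:
        return Response(r.read(), dict(r.headers))


# Constructed sample: an original JPEG and a smaller transcoded version
ORIGINAL = Response(b"\xff\xd8\xff\xe0" + b"\x00" * 2000 + b"\xff\xd9",
                    {"Content-Type": "image/jpeg", "Content-Length": "2006", "ETag": '"abc123"'})
TRANSCODED = Response(b"\xff\xd8\xff\xe0" + b"\x00" * 600 + b"\xff\xd9",
                      {"Content-Type": "image/jpeg", "Content-Length": "606", "Via": "1.1 optimizer"})

if __name__ == "__main__":
    for finding in compare(ORIGINAL, TRANSCODED):
        print(finding)
```

Run it from a device on the network in question with `compare(fetch("https://…"), fetch("http://…"))` to test a real asset; an empty list means the HTTP copy matched the reference byte for byte.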

Note: Please take a look at the OWASP Transport Layer Protection Cheat Sheet to avoid common vulnerabilities in the design and deployment of SSL/TLS.

[1] - There are exceptions if the certificate is issued by a CA that has been added to the end user's browser root certificate store, e.g. a corporation that adds its SSL proxy CA to all the machines it issues.

-Michael Coates - @_mwc