Orange broadband trials error hijacking
ASP: advertising service provider
Orange broadband is trialling a scheme that takes advantage of address bar spelling mistakes and server errors to serve sponsored search results and contextual ads to its customers.
An Orange spokesman said the move had been made "in order to deliver a better experience to our customers". The changes, which customers have not been informed about and are running on only part of the Orange network, were noticed by Register readers last week.
Orange said: "We will be gauging customer reaction to the service and, once the trial is complete, will then make a decision on whether to roll it out to the rest of the broadband customer base."
A similar scheme was implemented by Verisign in 2003. It invoked the ire of internet developers and users because of the firm's ethically sensitive role as controller of .com and .net domains.
Orange's action is less serious, and more akin to the forwarding to MSN search results which unwitting Windows Messenger installees are subject to, but does deny access to any useful information the browser might give on the error.
Orange's customer contact page is here (though you may need to bump up your text size to read any of the numbers). ®
I have been speaking to even more people at Orange customer relations about this.
Yesterday I was told: "If you want to see page cannot be displayed, when you mistype a URL you should unplug your network cable".
Today I was actually told by the first CSR I have got through to that actually understands it - that they have put the new feature on the following two DNS servers:
And if I don't like the new features I can use the following:
The problem is that the livebox doesn't seem to let you configure which DNS it uses, so you have to put the settings in each machine you use on your network (and remove them from any laptop when you go to another network).
The email I am waiting (and have been for 32 days) for a response from went as follows:
Thank you for your response.
It is a change that you have put in to the service in the past few days and is against the DNS standards that define how DNS should be used. This idea was tried by EarthLink in the USA and you only have to do a simple Google search to see how their customers reacted to it and how EarthLink have backed down from forcing it on all their customers. It was also tried by Verisign on a much larger scale and faced an even bigger backlash from web users the world over - and also resulted in them being taken to court by ICANN, the people responsible for names and numbers (i.e. DNS lookups).
I noticed that you assert there are not privacy issues. I assert that there are and they are as follows:
* With the correct implementation of a DNS server the only information that can be collected for incorrect addresses is the server hostname. You are now able to collect, and are actually collecting and using, the full URL
* If someone attempts to connect to a private server (eg a corporate server) which is not accessible from the internet but is accessible through a vpn then if they have not got their vpn connected you are able to capture the full URL they were trying to access rather than just the server name
* You are collecting a "participant id" as well as the failed URL
There are also other issues:
* An incorrectly typed URL can no longer be corrected by simply modifying the typo - it has to be completely re-written
* The errors.orange.co.uk page is badly written so it is not supported by Internet Explorer on mobile devices. I use the wifi connection on my Orange phone to connect to my Orange broadband. If I were to mistype a URL I now get a silly orange advert page with a popup dialog box saying the page has more than 10 frames and is not supported in pocket internet explorer. Obviously, this was not an issue before you started redirecting all the traffic
* The IE address bar keeps a list of recently typed addresses, the incorrect addresses are kept in it because of the DNS response saying that address exists
* Some software relies on the error response from DNS queries such as third party spam filtering tools that want to check that a return email address has a valid dns record
* Other (non internet browser) traffic stalls (eg telnet, pop3, imap4, ssh, https) because the DNS server directs the traffic to your barefruit server which simply ignores it. If the DNS server responded with the "domain name does not exist" error the software could easily deal with this rather than waiting for a timeout
* Increased web traffic - loading your error page takes many KB of data instead of a few bytes of data to say domain name does not exist - this increases the chance of your customers going over their capped allowance
* You have not told your tech support people so they don't understand that this is happening
Finally you are just plain not providing a DNS server as prescribed in the internet standards therefore you are not providing an internet service.
If you are not happy to remove the service completely just yet then may I suggest you take a leaf out of EarthLink's book and provide a 'traditional' dns server that provides standard responses in addition to your newly modified ones.
I look forward to your reply,
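The resolver behaviour the email above objects to can be checked from the client side. The following is an added example, not part of the reader's comment or the article: it classifies a resolver's reply to a name that cannot exist, using constructed sample packets. The `.invalid` suffix, the function names and the 192.0.2.80 address are assumptions, and a resolver that rewrites only some names may need a different suffix.

```python
import secrets
import socket
import struct

NXDOMAIN = 3  # RCODE "Name Error" (RFC 1035): the standard reply for a missing name

def build_query(name, txid):
    """Encode a standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe_name(suffix="invalid"):
    """Random label under a suffix; .invalid is reserved by RFC 6761 to never resolve."""
    return secrets.token_hex(8) + "." + suffix

def classify(response, txid):
    """Judge a resolver's reply to a query for a name that cannot exist."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "standard"      # the failure is reported as the standards describe
    if rcode == 0 and ancount > 0:
        return "rewritten"     # NOERROR plus an answer for a nonexistent name
    return "inconclusive"      # SERVFAIL, REFUSED, empty NOERROR, ...

def check_resolver(server, timeout=3.0):
    """Live check: send one probe to `server` over UDP/53 and classify the reply."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(probe_name(), txid), (server, 53))
        return classify(s.recv(512), txid)

# Constructed sample replies (not captured traffic) to the same question.
TXID = 0x1234
QUESTION = build_query("a1b2c3d4.invalid", TXID)[12:]
HONEST = struct.pack("!HHHHHH", TXID, 0x8183, 1, 0, 0, 0) + QUESTION  # RCODE=3
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 80])
HIJACKED = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER

if __name__ == "__main__":
    for label, pkt in (("honest", HONEST), ("hijacked", HIJACKED)):
        print(label, "->", classify(pkt, TXID))
```

Running `check_resolver` against each resolver address you have been given, several times, shows which ones return the standard error and which substitute an answer.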
... and so instead of a 2kb webpage saying web page does not exist, you're treated to a website of Orange's choosing which is almost guaranteed to be > 2kb in size and which will affect your download quota.
I don't know if they do this on WAP/GPRS, but two bad DNS names could then easily lead to £1 on your bill.
everyone should tunnel
I am with NTL and they run transparent proxies that mess up one or two sites all the time.
Running everything DNS, VOIP, Email, Web through an SSH tunnel to a remote proxy means they can't proxy it to save bandwidth, because the stream of data is encapsulated.
I have a constant tiny stream of compressed data going back and forth, fully secure and protected from VoIP bans or port blocking, but comparatively massive bandwidth for movie downloads I leave up to them because the faster the better and I don't care what they do with it.
Also I can use any wireless connection I can find (legally of course) and it doesn't matter who monitors or sniffs it, of course a man in the middle ssh attack would work but they may as well just sit behind me for a simpler attack.