7

I have recently started using tethering through an android phone for internet access.

Connection triggers nmcheck.gnome.org, which I understand is something to do with connectivity facilitation through Network Manager, per this question: "Some supisious software making request to nmcheck.gnome.org".

Fine. Except, I seem also to be receiving an ad attached to the nmcheck response screen. Not fine.

Where is this ad coming from? Is it my ISP intercepting the http traffic? How do I stop this?

Edit:

[Image: captured ad]

I have looked at a tcpdump of the traffic on port 80 during the connection process. I see connections to

  • the mobile ISP
  • Red Hat, the host of gnome.org
  • a cloud provider, which I think may provide a gateway service for the ISP.
Joe
  • Could you add some more information about how the ad is attached to the response screen? A screenshot, and if possible a traffic dump? The `nmcheck.gnome.org` should *only* provide a short text snippet. – vidarlo Jul 13 '19 at 10:44
  • Please see edit in post. Traffic dump detail would be a security issue I think. – Joe Jul 13 '19 at 12:27
  • What country are you in? If the ISP is injecting the ads, I wonder if that's even legal under current privacy / net neutrality / computer criminality laws. – marcelm Jul 13 '19 at 19:26
  • @marcelm Net Neutrality stopped being enforced in the US, iirc. My impression is that this isn't disallowed there, no matter how much it should be. – wizzwizz4 Jul 13 '19 at 22:45
  • @marcelm I am in an EU country. The ISP and cloud provider IP addresses are also assigned to the EU. I don't know about the legalities, but would not be holding my breath on any enforcement. As another thought, that ping to Red Hat is a US IP address, which some could consider an exposure. – Joe Jul 14 '19 at 12:21

1 Answer

7

It's probably your ISP injecting the ad, yes. I do not see it, and I've checked from a couple of locations.

There would be no reason for the GNOME project to inject ads there. First of all, it's not meant to ever be seen by a human, so no-one would ever see the ad, rendering it ineffective.

Second, the GNOME project doesn't appear to have advertising at all on their pages. They load no JavaScript external to gnome.org as far as I can tell. The hosting is provided, as you say, by Red Hat.

To stop this, you can either use a VPN connection, or petition your ISP to stop this stupid behavior.

vidarlo
  • I don't think the use of a VPN will stop this at inception, as the VPN can only be set up once the internet connection is established. So actually this could be viewed as a security leak. – Joe Jul 14 '19 at 22:49
  • A VPN will stop it, as it encrypts the traffic. There would be a time window where the VPN is not up, but this is a brief moment, and the user would probably not visit any websites in this time window. Note that the user sees the ads when he manually visits the nmcheck site. – vidarlo Jul 15 '19 at 07:13
  • The ad is seen from the *automatic* connection process - this is not a manual hack. The IP calls to gnome.org on connection initiation are interspersed with any calls to the VPN. So the point remains - there is a call at connection set-up being made to a US based server over http that is not easily countered. – Joe Jul 15 '19 at 08:34
  • I don't know how the response is being displayed - it is not a standard browser window (no menu bar, tabs etc), and shows a "hotspot" set-up icon on the left of my screen. – Joe Jul 15 '19 at 08:43
  • Aha, so Network Manager is showing the ad? The screenshot is clearly from a browser. That's more interesting... – vidarlo Jul 15 '19 at 08:51
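
One way to confirm from a capture that the plain-HTTP check response was altered in transit, as the answer suspects. This is an added example, not code from the post or from NetworkManager. It assumes the expected body is NetworkManager's default `response` value, "NetworkManager is online", and all sample responses and hostnames are constructed.

```python
# Added example: classify a captured plain-HTTP connectivity-check response.
# EXPECTED_BODY is NetworkManager's documented default for the `response`
# setting (an assumption here; the page only says "a short text snippet").
EXPECTED_BODY = b"NetworkManager is online"
MARKUP_HINTS = (b"<html", b"<script", b"<iframe", b"<img", b"<body")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> str:
    status, headers, body = parse_response(raw)
    if status in (301, 302, 303, 307, 308):
        return "redirected"          # typical captive-portal behaviour
    if status != 200:
        return "unexpected-status"
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return "undecoded"           # chunked bodies are not decoded here
    if body.strip() == EXPECTED_BODY:
        return "clean"
    lowered = body.lower()
    if any(hint in lowered for hint in MARKUP_HINTS):
        return "modified-markup"     # HTML where plain text was expected
    return "modified"


# Constructed sample responses (not captured traffic from the page).
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"Content-Length: 25\r\n\r\nNetworkManager is online\n")
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>NetworkManager is online"
            b"<script src=\"http://ads.example.invalid/a.js\"></script>"
            b"</body></html>")
PORTAL = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://portal.example.invalid/login\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("injected", INJECTED), ("portal", PORTAL)):
        print(name, "->", classify(raw))
```

Feed `classify` the reassembled response bytes from a port 80 capture; anything other than `clean` on a 200 response means the body differs from what the check server is expected to send.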