I am a co-founder at a startup that does advertising on WiFi networks. We only run advertising before you connect (when you are in a captive portal), without the use of proxying.<p>Before anyone overreacts to this article, it would be beneficial to understand the hospitality space. The hotel you stayed at is most likely owned by a franchise group and operated by a GM. GMs are responsible for contracting their own networking services with Hotel WiFi Operators such as the one mentioned here. As such, a major hotel brand such as Marriott may use <i>hundreds</i> of WiFi operators. WiFi operators range in size, managing anywhere from one property to tens of thousands. The vast majority of these operators do not leverage JavaScript injection.<p>The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regard to WiFi.<p>As much as I dislike ad injection, it is important to note that public WiFi is <i>never safe</i> unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
The hotel wifi service provider business is (and has been for 5+ years) a really crummy race to the bottom. Hotels don't want to do it themselves. They can't really; they don't have the talent in-house. It's fairly expensive to do correctly. Most hotels weren't built with cat-5 installed, so you have to pay someone to go do that. Then you have to install a bunch of networking gear which isn't cheap. Then you have to pay someone to monitor it all and come out and fix it when it goes down. You probably also want some 1-800 number your guests can call when they can't get on-line. The costs add up pretty quickly.<p>So how do you pay for it all? You're in a hotels.com price war with all your competitors, so you can't just raise room rates. Your customers will get pissed off if you tell them they have to pay extra for wifi. So eventually some genius comes along and gives you this brilliant idea that will make wifi pay for itself, and this is what you get.
There is nothing related to WiFi in this system. The hotel is running the traffic through a <i>transparent proxy</i> which is performing MITM "attacks" to disable ads from providers and show their own ads.<p>It is icky for all sorts of reasons. I suppose an individual website could consider it theft of ad revenue, and an end-user could consider their privacy invaded.
My ISP also does this. Once in a while I get a pop-over ad in the bottom right corner of HN. As a matter of fact, I just got a pop-up to this ad: <a href="http://219.238.235.221/shenzhenyocc/swf.html" rel="nofollow">http://219.238.235.221/shenzhenyocc/swf.html</a>
This is yet another reason I'm glad that SPDY is mandatory TLS encryption. Shenanigans like this get a lot harder.<p>I'm hoping we see a lot more SPDY (or plain https) rollouts in the near future.<p>It's enough that I'm going to try now to https-ify all of my web properties, including adding HTTP Strict Transport Security headers where they aren't.
This is one of the many reasons to use an extension that forces SSL on every website that supports it.<p>It's possible to MITM SSL, but it would throw all kinds of security warnings on the client and prevent this kind of tampering.<p>Note: I'd recommend SSH tunneling, or using a VPN, but there's quite a bit more work involved here, so for the install-and-forget crowd, SSL is already a huge improvement.
Wow, that is very gnarly. I love that "Web experience manipulation" is listed as a <i>feature</i> on this page:<p><a href="http://rgnets.com/index.php?page=features" rel="nofollow">http://rgnets.com/index.php?page=features</a>
I was part of a startup 5 years ago that built something identical to this for hotels. We used privoxy and a regex of doom targeting the <title> tag to inject JavaScript that would add a Flash toolbar on the bottom of the page you were viewing. It would show local ads and allow access to some hotel services.<p>Worked surprisingly well but I'm glad it never took off. I don't think I could have forgiven myself for being responsible for what would come of that.
It's likely that the issue is due to that specific hotel / ISP instead of blaming the entire Marriott chain. In fact, you could contact Marriott for them to investigate.<p>Hotel chains usually have brand standards relating to internet access, so this particular install may be in violation. For example, I know the Hilton chain requires its (newer) hotels to use AT&T, so it's unlikely there's tampering from the ISP/provider standpoint (though MITM attacks are still possible so always use a VPN).
Is it legal to manipulate web traffic like this? I would assume some companies who depend on ads (e.g., NYTimes.com) would object, perhaps with a lawsuit, to ISPs or other imitation ISPs (i.e., hotels) removing original NYTimes ads and replacing them with their own.
This is BS in 2012. Hotels need to treat internet access like running water and make it at least as good as what people get at home. Especially when you consider many people in hotels are subject to international roaming fees if they resort to their mobiles.<p>Even in higher-end hotels, you get a shoddy experience, and not just this ad injection. Weird login dialogs every few hours and restricting access to one device. Outrageous fees. Lack of transparency on bookings websites about availability and pricing. And once you're online, good luck trying to watch a video or getting any work done, the connection's often too slow to do anything but check a few emails.<p>I really hope AirBNB puts pressure on the hotels to get their act together. You stay in someone's house for $40 and you get a much better experience than a $200 hotel room. The whole situation is why I recently made the decision to use AirBNB instead of hotels whenever practical.
This is a slimy practice, but what I wouldn't mind, <i>at all</i>, are ads when I first connect to the AP. Make me watch a video, or let me click through a few pages of ads for local services - if I'm at a hotel, I'm likely from out-of-town and am interested in nearby restaurants and tourist destinations. Show them to me! It's likely that I'm using the internet to look those up anyway.<p>Being sneaky about it and hiding local ads in the banners of other websites is:<p>a) Rude, and<p>b) Unlikely to work, since I ignore those banner ads anyway. Even if I saw those ads, I'd be highly suspicious of them (in a "10 local girls are interested in talking to you!" sort of way).<p>Talk about an opportunity lost. Look at Starbucks' free wifi sign-on page. It's nice to look at. Do the same thing, and it's alright, put some ads on there. I don't mind.
Yet another reason to run a VPN over any unknown network, such as hotel wifi. Aside from people sniffing your traffic it will also protect you from MITM attacks - be they benign like this or potentially more serious.
You made the mistake of staying at an expensive hotel. Expensive hotels generally have the most gouging internet setups, whether it's silly high prices, or MITM ad revenue takeovers like here.
Singapore Free WiFi Wireless@SG was doing this for a period of time!
Serving all pages as an HTML frame page and putting adverts in the bottom page frame.<p>I have not seen any for a while, but I guess that is more due to the lack of advertisers.
My workaround, whenever I can't tether to my mobile phone and must use an untrusted hotspot, is to route all traffic over OpenVPN to the server running in my home.