Phorming The Net.

Phorm is working with major British ISPs including British Telecom, Virgin Media, and TalkTalk on a targeted advertisement service that monitors browsing habits and serves relevant advertisements to the end user. Phorm says these deals will give it access to the surfing habits of 70% of British households with broadband. BT has lied to its customers: in 2007 it performed a secret analysis of a selected range of customers, tracking their browsing habits[1]. Despite the little media attention Phorm has received, it has caused a great deal of controversy among British Internet users. The main objection to such a system is that it is purely illegal and plain spyware. Traffic from ISP users is analysed and modified by the Phorm system. The Phorm system is based on NO OPT-IN, which leaves clueless people in the dark regarding their privacy. The Phorm system also imposes restrictions, one of them being the need for a browser with a known user-agent. The browser must also accept cookies, which in turn is a violation of the user's freedom to choose how he or she interacts with the Internet.

In my opinion, this is a covert system to control and monitor browsing behaviour illegally. BT markets Phorm as an anti-phishing system that protects BT customers, but as we all know that is a complete farce with regard to Phorm's true agenda. It strips privacy and basic freedoms from users, leaving them at the mercy of advertisers and shadowy corporations and governments who want to control and monitor your habits through it. In April 2008, Dr Richard Clayton of Cambridge University wrote a paper on the Phorm Webwise system outlining its inner workings[2]. Today we'll go in depth into the Phorm system to understand and underline its dangers.

The Phorm system located at the ISP intercepts HTTP traffic and looks for the Phorm cookie. If the cookie does not exist, Phorm diverts the request to a spoofed host in the ISP network, which responds to the client with a 307 redirect. The client is sent to a new URI of the form webwise.net/bind/?<parameters>; for performance, that request is answered by a host inside the ISP network acting as webwise.net. This host inspects the cookies presented and correlates them with the current UID. If the cookie is absent, the host issues a new UID, and this process repeats until the client accepts the webwise.net cookie and receives a 307 to a special URI for the requested host that carries the UID. Phorm detects the UID in that request and redirects it to a spoofed host inside the ISP's network, which in turn redirects the user to the host originally requested, e.g. www.example.com. The response that appears to come from the requested host therefore carries a webwise cookie, set by the spoofed host, containing the user's UID.

Then the client makes the original request for www.example.com, which now carries the webwise cookie, so the Phorm layer 7 switch allows the request through. Phorm also strips the cookie once it is detected, so the requested host cannot read a cookie that was set by the spoofed host impersonating it. However, if the client connects to a website over a secure connection such as SSL, the traffic is left unaltered by Phorm; the cookie nonetheless remains stored in the browser and can be read by the website in question, leaving this open to another severe privacy breach.

Below is my impression of how Phorm works.

    BT END-USER
        |
        |  GET http://www.example.com
        v
       ATM
        |
        v
    ---------------
       ISP CLOUD
    ---------------
        |
        v
     FIREWALL
    (IPTABLES)
        |
        v                                   ---------
    LOADBALANCER                            PHORM OIX
        |                                   - phishing db
        |                                   - ad server in China
        v                                   ---------
    TCP 80 TRAFFIC <-- SQUID PROXY 1 <-- CHANNEL SERVER 1 TCP 10080
    (PBR LAYER 7 SWITCH)
        |                  PROFILE DATABASE
        v                        /
    PROFILER -----> SQUID PROXY 2 --> CHANNEL SERVER 2 TCP 10080
    (DEEP PACKET SNIFFER)

Phorm process

CLIENT                                                              ISP

GET http://www.example.com ----------------------------------------->

<-------------- 307 ---------------------------------------------------
http://www.webwise.net/

GET http://www.webwise.net ----------------------------------------->

<-------------- 307 ---------------------------- set 16 byte base64 UID
http://www.example.com/?UID=xxx

GET http://www.example.com/?UID=xxx -------------------------------->

<-------------- 307 ---------------------------- check UID
http://www.example.com

GET http://www.example.com ----------------------------------------->

<-------------- 200 ---------------------------- inject spyware/cookie
http://www.example.com

Allegedly the user can set an OPTED_OUT cookie for webwise that grants a way of opting out of the Phorm system altogether; however, it remains a mystery what happens to the UID already present in requests being made over the ISP's network. When you do not accept cookies, the Phorm system will block your IP for 30 minutes. This is a concern for users who share an IP, because if one user blocks cookies, Phorm will blacklist the IP for all users behind it. If an unknown user-agent is used, e.g. a bogus user-agent, the request is also blocked. When a user visits a new website, Phorm leaves the traffic unmonitored, then fetches and caches the site's robots.txt and rejects later accesses that are forbidden by it. This means that the user will not be able to visit pages disallowed in robots.txt, imposing further restrictions on the user's freedom!

Phorm will store and correlate the following information from users:

- user-agent
- IP (they say they do not log it, but they must know it in order to block one)
- pages visited (browse history)
- search engine queries made through GET, not POST
- recording: {URL/search/UID/words}

A page profile is then built, based on an algorithm that extracts words from the web page. This profiler sits at the ISP; the profile is then sent to a machine called the anonymiser, which passes it across to another machine called the Channel Server, controlled by Phorm. The channel server matches this profile against a database of channels and records which channels matched the profile, for advertising.

Serving ads and CSRF.

The OIX network inside Phorm's Webwise serves ads into the requested page in the form of HTML containing an image. Again, the cookie containing the UID is correlated at the anonymiser located at the ISP; the channel server then determines which ads to serve based on the UID, correlating that UID's history and browsing habits. Another cookie called the "frequency cap" is used to limit the view time of the served ads.

Below is the JavaScript from the BT Webwise website. Interestingly, it sources an iframe linking to the OPT-IN or OPT-OUT server located on the webwise website, which reminds me of spyware tactics. Ugh. Concerning security issues, these links can be used to CSRF users into opting in to their spyware:

Opt-out:
http://webwise.net/webwise_status/setwebwise.php?opt=out
http://a.webwise.net/services/OO?op=out

Opt-in:
http://webwise.net/webwise_status/setwebwise.php?opt=in
http://a.webwise.net/services/OO?op=in

Source from http://webwise.bt.com/webwise/ (editorial comments are marked "note:"):

var btwwCookieName = 'webwise_test';
var btwwCookieValue = 1;
var userTypeCookieName = 'userType';
var userTypeCookieDuration = 730; // Days

function webwiseInit() {
    checkUserType();
}

function checkUserType() {
    var userCookie = readCookie(userTypeCookieName);
    if (userCookie == null || userCookie == '') {
        setUserType();
    }
}

// note: the visitor is labelled as a BT, TalkTalk or Virgin user purely from
// the Referer hostname; the dots in these regexes are unescaped, so "." matches
// any character.
function setUserType() {
    var userType;
    var ref = document.referrer;
    if (ref != null && ref != '') {
        var hostname = ref.split('/')[2];

        if (hostname.match(/^(.+.)?bt.com$/)) {
            userType = 'BT User';
            createCookie(userTypeCookieName, userType, userTypeCookieDuration);
        }
        else if (hostname.match(/^(.+.)?talktalk.co.uk$/) ||
                 hostname.match(/^(.+.)?carphonewarehouse.com$/)) {
            userType = 'TalkTalk User';
            createCookie(userTypeCookieName, userType, userTypeCookieDuration);
        }
        else if (hostname.match(/^(.+.)?virginmedia.com$/)) {
            userType = 'Virgin User';
            createCookie(userTypeCookieName, userType, userTypeCookieDuration);
        }
        // TEST BLOCK
        else if (hostname.match(/^(.+.)?thelathe.com/)) {
            userType = 'TEST User';
            createCookie(userTypeCookieName, userType, userTypeCookieDuration);
        }
    }
}

function getUserType() {
    var userType = readCookie(userTypeCookieName);
    if (userType != null) {
        return userType;
    }
    else {
        return 'Unknown User';
    }
}

function showBTWebwiseStatus() {
    if (readCookie(btwwCookieName) != null) {
        res = '<p>BT Webwise is <strong>ON</strong></p>';
    }
    else {
        res = '<p>BT Webwise is <strong>OFF</strong></p>';
    }
    document.write(res);
    showBTWebwiseStatusLink();
}

function showBTWebwiseStatusLink() {
    if (readCookie(btwwCookieName) != null) {
        res = '<p><a style="font-weight: normal" href="webwise-off.html">Click here to switch BT Webwise OFF</a></p>';
    }
    else {
        res = '<p><a style="font-weight: normal" href="webwise-on.html">Click here to switch BT Webwise ON</a></p>';
    }
    document.write(res);
}

// note: opting in or out is done by pointing the hidden iframe with id
// "setwebwise" at the plain GET endpoints listed above, first on webwise.net
// and one second later on a.webwise.net. Everything after the first
// "return false" below is unreachable.
function setBTWebwiseStatus(stat) {
    setww = document.getElementById('setwebwise');

    if (stat) {
        setww.src = "http://webwise.net/webwise_status/setwebwise.php?opt=in";
        setTimeout('setww.src = "http://a.webwise.net/services/OO?op=in"', 1000);
    }
    else {
        setww.src = "http://webwise.net/webwise_status/setwebwise.php?opt=out";
        setTimeout('setww.src = "http://a.webwise.net/services/OO?op=out"', 1000);
    }

    setTimeout('document.location.href="/index.html"', 2000);
    return false;

    if (stat) {
        createCookie(btwwCookieName, btwwCookieValue, 10);
    }
    else {
        eraseCookie(btwwCookieName);
    }

    window.history.go(-1);
    return false;
}

function showVideo(id, file, width, height) {
    document.write('<div id="' + id + '"></div>');

    var so = new SWFObject('../../../../../webwise/swf/mediaplayer.swf', 'mpl', width, height+20, '8');
    so.addParam('allowscriptaccess','always');
    so.addParam('allowfullscreen','true');
    so.addVariable('height',height+20);
    so.addVariable('width',width);
    so.addVariable('file',file);
    so.addVariable('backcolor','0xFFFFFF');
    so.addVariable('bgcolor','#FFFFFF');
    so.addVariable('overstretch','fit');
    so.addVariable('image', '../../../../../webwise/images/oix-ctp-video.gif');
    so.write(id);
}

// note: the cookie is written for domain=webwise.com, which a page served
// from webwise.bt.com is not allowed to set.
function createCookie(name,value,days) {
    if (days) {
        var date = new Date();
        date.setTime(date.getTime()+(days*24*60*60*1000));
        var expires = "; expires="+date.toGMTString();
    }
    else var expires = "";
    document.cookie = name+"="+value+expires+"; path=/; domain=webwise.com";
}

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}

function eraseCookie(name) {
    createCookie(name,"",-1);
}

[1] http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

[2] http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf