My tweets and the previous post have gone viral. Lots of reactions, both positive and negative. Some retweeted immediately and some called me a fool for writing about injecting content within an SSL connection. Amazing to see all the responses. There is a pattern to be seen with the people who reacted negatively: they tend not to care about the ads.
Here's the tweet in question:
Here are some replies:
What some of the repliers didn't notice was the juicy stuff happening behind the scenes, which doesn't even touch the network layer or the HTTPS protocol; it doesn't have to. Just now I tried accessing KlikBCA and the ads are gone. People who try now may not get the same page I got in my first screenshot.
If you've heard of phishing then you'll know that it doesn't take sophisticated means to get credentials. You fake a login page as if it's coming from the rightful owner. This is what was actually happening to me. XL served me KlikBCA's login page, into which XL had injected its own code. That code displayed ads on a connection I had already paid for.
Here's a jQuery-style demo of how you can do this with KlikBCA as the target:
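The author's demo is not reproduced on this page. What follows is an added example (not from the original post) showing the defender's side of the same problem: a scan of a served HTML page for scripts and frames that come from an origin other than the site's own, plus inline scripts the site never shipped. The host names and the sample page are constructed placeholders, not the real KlikBCA page.

```javascript
// Added example (not from the original post): flag scripts and frames in a
// served page whose origin differs from the site's own. Host names below are
// constructed placeholders for the bank and for an ISP's ad host.
const SITE_ORIGIN = "https://bank.example"; // placeholder for the real site

// Constructed sample: a login page carrying an extra script, an iframe and an
// inline script that the site itself never shipped (injected-ad stand-ins).
const SAMPLE_HTML = `
<html><head>
<script src="https://bank.example/js/login.js"></script>
<script src="http://ads.isp-placeholder.example/inject.js"></script>
</head><body>
<form action="https://bank.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<iframe src="http://ads.isp-placeholder.example/banner.html"></iframe>
<script>document.title = "promo";</script>
</body></html>`;

// Origin (scheme + host + port) of a src value; relative URLs resolve
// against the site's own origin, unparsable values yield null.
function originOf(src, siteOrigin) {
  try { return new URL(src, siteOrigin).origin; } catch (_) { return null; }
}

// Returns every <script>/<iframe> whose src points outside siteOrigin,
// plus every non-empty inline <script>, in document order.
function findForeignResources(html, siteOrigin) {
  const findings = [];
  const tagRe = /<(script|iframe)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      if (originOf(src[1], siteOrigin) !== siteOrigin) {
        findings.push({ tag: tag.toLowerCase(), kind: "external", src: src[1] });
      }
    } else if (tag.toLowerCase() === "script" && body.trim()) {
      findings.push({ tag: "script", kind: "inline", src: null });
    }
  }
  return findings;
}

// Scan the constructed sample; three findings are expected.
function scanSample() { return findForeignResources(SAMPLE_HTML, SITE_ORIGIN); }

console.log(scanSample());
```

A site can make the same check enforceable in the browser with a `Content-Security-Policy: script-src 'self'` header, but only when the page itself reaches the browser over TLS, since an in-path injector on plain HTTP can rewrite headers as easily as the body.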
So we as users are at XL's mercy if they decide to do nasty stuff, or worse, XL doesn't even know they're doing nasty things to us. It's just too easy. I don't know what XL is doing, so I won't trust them with any of my web-based authentication, and neither should you.
@kendivhy is also saying that the added bytes users have to download are free of charge from XL. This is one of the more absurd statements I've read so far. For every website XL injects ads into, our user experience quickly degrades. Why? The download time multiplies. As a web developer, I work to shave off download times, and XL has just thrown years of that work into the garbage. And why should you give in to the ads XL is serving? We've paid for our 3G connection, remember?
Bottom line: your opinions are your own and this is mine. I can't agree with these kinds of practices. Period.