
Comcast injects JavaScript into webpages to show copyright notices to customers - Jarred
https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
======
rtl49
What is there to say? This is an incredibly obnoxious theft of attention.
Comcast has perfected the art of harassing its customers with unwelcome noise
for what must be marginal profit. I know someone with a Comcast cable box
whose channel menu forces the viewer to pass over a banner advertisement after
every fourth channel. This combined with the horrible rubbery buttons on the
remote means that to browse through twenty channel titles takes perhaps as
many seconds. Add to this "actionable" banner advertisements displayed over
the content and seemingly endless commercial "breaks" and I find it
essentially unusable. On top of it all, I understand that people pay over a
thousand dollars a year for this service. Comcast's flagrant disregard for
customer satisfaction, or even their basic human dignity, is a striking
testament to the failure of regulators to ensure adequate competition in this
space.

~~~
mcv
If this is how Comcast treats its customers, I wonder why anyone would want to
pay them to be their customer. Especially a thousand dollars a year. Is this
because there's no real competition in the US?

~~~
chrismbarr
I live in a small town in Georgia and literally my only internet access
options are Comcast and AT&T. AT&T's service here is fairly slow compared to
Comcast's offerings, and since I work from home remote for a company based in
Florida I have to choose the fastest options available to me, and that's
Comcast. I would love to have more options, but I just don't.

I only pay for internet access, I don't use their cable TV or telephone
offerings. Internet alone is about $80/month. I just ran a speed test and I
get 14.1Mbps down & 8.6Mbps up. I forget which speed tier I'm paying for, but
I know I'm paying for _much_ more than that! Ugh...

~~~
fndrplayer13
Same thing in my big town -- Chicago. Some parts of Chicago you get RCN
competing, which is amazing. They have 100mb plans for $40 a month. But for
most people, myself included, you pay $80/mo for "50mb" internet that really
runs at about 20mb 80% of the time, 2-3mb 15% of the time, and totally not
working at all 5% of the time.

~~~
selectodude
In my different area of that small town, I pay $40 for 75 mbit, that actually
gives me 95mbit (even at 7:00pm). And is rock solid. I don't mean to sound
like a shill but I think "most people" is an incredible stretch.

~~~
fndrplayer13
Yeah, you're totally right. I just went to Comcast's website and it seems like
we're basically just getting shafted. I wonder if they adjusted their prices
now that RCN is selling 105mbps internet for ~$40-50/mo

------
JustTim
Comcast is on my list today for a different reason. We have Comcast Business
Class service at one of our FL locations.

Tuesday we could not access VNC nor our remote database services from that
location. All port 80 traffic was fine. I had one of the staff call, wait on
hold for an hour.

Just as I suspected Comcast had implemented port blocking on a high priced
business account. It took the guy a second to release it. It put our company
down for two to three hours.

Also the speed of Comcast service drops to 15-20% of advertised from 2:30 to 5
PM when kids arrive home from school.

Once the contract is up we are moving the service to someone who understands
"business class"

~~~
virtuallynathan
Can you email me about this? nathan (_) owens (@) cable (.) comcast.com

~~~
archildress
With all due respect, your customer service policy should be based on doing
the right thing regardless of the forum, as opposed to simply responding to
those who have an audience.

The data caps you've recently put into place in my market are going to
effectively double my account price per month. I look forward to the day that
I have other choices.

~~~
samtho
The employees are not to blame here. If he is browsing HN, he knows the pain
points with Comcast and is just trying to help.

~~~
virtuallynathan
I do my best (customer support is not my day job) - if you are having issues
I'd encourage you to try out the tool I helped build here:
[https://speedexperience.xfinity.com/](https://speedexperience.xfinity.com/)

~~~
douche
Does it ever say anything but chat with an agent?

Some listing of what the actual issue is would be kinda useful, even if you
shove it in a collapsible div to hide it away.

I (and most people) are more likely to rage-quit and go do something else than
try to navigate three layers of outsourced customer service that is designed
and optimized to deflect people, waste their time, and only if they are
sufficiently insistent, and border-line belligerent, maybe give them an answer
more involved than "unplug your modem and plug it back in"

~~~
virtuallynathan
Yes, it depends what the issue is. We check:

- If your modem is EOL

- If your modem's ethernet port is 100Mbps, and you have >100Mbps service

- If your modem is otherwise capable of providing your speed (i.e. number of
DOCSIS channels)

- We check your signal levels to make sure they are in spec

- We check if you have been impacted by our Protocol Agnostic Congestion
management system in the past 1 day or 30 days.

If any of these checks are triggered, we show it on the page. If nothing is
triggered, we allow you to go straight to a chat.

We'll be adding more checks as time goes on, mostly around Wifi - MCS Index,
Link rate, RSSI, etc.

~~~
douche
Thanks for the response. If I can keep bothering you, is any of this specific
to using Comcast-provided equipment?

~~~
virtuallynathan
Yes, all of the wifi stuff we add in the future will be only possible on
comcast-provided wireless gateways (XB2/XB3). We have some other nifty ideas
that would use our gateways too. Most of the existing stuff I mentioned is not
specific to comcast-provided devices, or wireless gateways.

------
api_or_ipa
HTTPS Everywhere can't happen too soon.

This is abusive. Imagine if anyone else had access to push you notifications by
intercepting your communications. Imagine Uncle Sam interrupting your calls
announcing you haven't submitted your tax returns yet. Because that's
basically what's happening here.

~~~
vbezhenar
Why do you think that they won't intercept HTTPS traffic? They will just
instruct user to install their root certificate. It must be illegal for them
to interfere with traffic, no matter what this traffic is. Otherwise there's
nothing that would stop them.

~~~
dietrichepp
They'll never ask users to install a root certificate or I'll eat my hat.

* It will incur a lot of wrath because it gives them power over your bank account

* Only gullible / ignorant users will actually install the certificate

* If your internet access is working, why would you go through extra steps?

~~~
mdpopescu
I worked for a company where, as part of one product, users were giving us the
user AND PASSWORD for their bank account. We had thousands of users before I
left. As a programmer, I was sure that the product wasn't going to be
viable... boy was I wrong.

~~~
kybernetyk
Hah, we have a payment processor here in Germany called "Sofortüberweisung".

It works like this: When you want to pay for something you give them your
login credentials to your bank account and a TAN and they send the money to
the merchant for you.

The selling point of this service is that SEPA wire transfers usually take one
day. But with their service the merchant gets an instant notification of money
received and you can get your stuff one day earlier.

It's crazy but people use this and have no problem handing over the keys to
their bank account.

~~~
Silhouette
_It's crazy but people use this and have no problem handing over the keys to
their bank account._

I wonder whether there's more to that story. It seems like a potentially
useful payment service, but it also seems like something the banks would
surely be aware of. Customers giving up their credentials like that is
probably a blatant violation of the bank's normal terms of business, and
asking for those credentials or failing to keep them secure seems legally
risky for the payment processor as well, particularly if anything ever goes
wrong. Are you sure there's no separate agreement or commercial arrangement to
cover this, probably between the payment processor and the banks?

~~~
germanier
While it's against most bank TOS, that clause has been ruled uncompetitive and
therefore void by courts. As far as I know there is only a single German bank
(DKB) that officially cooperates and gives them API access. For the rest they
use web scraping, the banks are not allowed to (intentionally) break it.

The banks don't like that payment processor and therefore just started a
competitor where you only give your credentials to your bank. Hopefully it
gains traction.

------
Jach
The header and people's reactions make it seem Comcast will just do this on a
whim as if it's inspecting the page you visit and deciding on the page to
display the warning or not. If you read the screenshot, it's just a notice
that someone filed a complaint against your IP, and Comcast is alerting you
via email, maybe phone, maybe even a letter, and now your web browser. One
might argue whether it's better they redirect you to a Comcast Message Page on
their own domain one time. One might argue that this is a "feature" on the
level of Comcast DNS servers that "helpfully" forward your bad domains to a
search engine instead of giving a proper server not found response.

Don't want to receive these messages from Comcast? Don't seed your torrents.

~~~
virtuallynathan
This is correct. It is only performed after you are sent emails, letters,
phone calls, etc. We do the same for when you are about to exceed your 300GB
of data. Most people don't give us a good email, don't login to check it,
don't login to their comcast account, etc... This type of notification is to
cover those people. We are working on better ways to do this, see:
[https://www.caida.org/workshops/aims/1503/slides/aims1503_ba...](https://www.caida.org/workshops/aims/1503/slides/aims1503_bauer1.pdf)

This system is well documented:
[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

I'll bring up the idea of an opt-out for users that DO check their mail,
email, phone, comcast account, etc...

~~~
coldpie
Alternatively, your company could choose not to act as a copyright cop.

Edit: Actually, reading the IETF link you posted, notifying users of a
potential malware infection might be an example of how to use this technology
in a non-shitty manner.

~~~
crumpled
These companies aren't necessarily choosing to be copyright cops. I can't
imagine that sounds very fun or beneficial to them. Systems were negotiated
under legal pressure from the RIAA and MPAA.

Of course, Time Warner and Comcast are both also content creators, so they
might have some motivation to concede.

[https://en.wikipedia.org/wiki/Copyright_Alert_System](https://en.wikipedia.org/wiki/Copyright_Alert_System)

------
golemotron
I think this is actually illegal. If you own the copyright for your content
and they inject into it, they are creating a derived work without your
permission.

~~~
motles
doesn't all music sampling rely on the fact that creating derived works
without permission is completely legal?

~~~
mcav
A sample _could_ fall under fair use.

~~~
laumars
It doesn't. Sampling is technically illegal. However the bootleg market is
often too small to go noticed and larger artists get authorisation before
sampling (or at the very least - releasing).

You do often see some artists turn a blind eye to sampling though.
Particularly dance artists because many of them know their entire genre exists
off the back of sampling. So it would be counterproductive / hypocritical for
them to chase after royalties

~~~
decode
It's not quite that clear-cut:

    Sample clearance is generally not required if:

    - You are just using the sampled music at home.

    - You are using the sample in live shows. This is because,
      usually, you are not making copies and the owner of the venue
      pays the blanket license fees to performing rights organizations
      such as Broadcast Music Incorporated (BMI) or American Society of
      Composers, Authors, and Publishers (ASCAP).

    - You plan to distribute copies to the public but meet one of the
      following: (1) an average listener would not notice the similarities
      between your end product and the sample, or (2) your use of the
      sample falls under the "fair use" doctrine. For more information on
      these, see "Defending a Lack of Sample Clearance," below.

[http://www.nolo.com/legal-encyclopedia/permission-sampled-mu...](http://www.nolo.com/legal-encyclopedia/permission-sampled-music-sample-clearance-30165.html)

------
samdroid
The `checkBrowser` function says it is from brainjar.com and used under their
terms of service. On the brainjar.com terms of service, it seems to say the
code is licensed under the GPLv2+.

Doesn't this make the Comcast script now under the GPL - since GPL code can
only be included in compatibly licensed products. Or is Comcast violating the
GPL?

~~~
jakejake
This is a crappy move on Comcast's part, but as far as GPL they most likely
are not in violation. You can use GPL code in a commercial product as long as
you are not distributing it.

If they ever choose to sell or distribute their "content injection system"
though, they would have to release it under the GPL or else negotiate another
license from the copyright owner.

~~~
Natsu
How are they not distributing it if they send this JavaScript to each user
notified? Of course it's JavaScript so maybe that counts as distributing the
source...

~~~
bitJericho
I think the FSF would consider this a distribution and require the backend to
be released under the GPL.

[https://www.drupal.org/node/173294](https://www.drupal.org/node/173294)

Er, actually it may be more complicated than that. You'll have to read the
discussion.

~~~
lwf
Backend? IANAL, but using a frontend JS library under the GPL doesn't have
implications for your backend per-se; they can be entirely separate works.

You could argue about their frontend, though.

------
wmt
Always using VPN has really made using Internet a lot nicer place, I can use
any Wifi without any fears, don't have to care about ISPs doing funny things
with my traffic, and if I get country blocked content I can just quickly route
my traffic to another exit node.

Of course then the VPN provider is the single point of failure, but if it's
trustworthy enough only folks with proper court orders should have access to
my traffic. And it's an extra ten bucks per month or so.

~~~
retube
Aren't you then just effectively shifting your choice of trusted provider from
ISP to VPN?

Is it possible to run your own VPN on a VPS host, digital ocean or linode or
similar?

~~~
netheril96
>Is it possible to run your own VPN on a VPS host, digital ocean or linode or
similar?

Yes. I run several types of VPNs and shadowsocks on a VPS host. I mainly use
it to bypass GFW though.

Of course, trusting the VPS provider and its ISP is no different than trusting
a VPN provider and its ISP.

~~~
bigiain
On the other hand, while your VPN or VPS provider may be no more trustworthy
than your local ISP, it's _much_ easier to switch VPN providers - and you can
arrange to have them in a different jurisdiction as well - If my net
connection is through a proxy server in the Netherlands run by a company from
Germany in a datacentre owned by a Japanese firm and I'm in Australia browsing
websites in the US - there's a lot of legal hoopjumping needed to get to me.

------
mbesto
> _Click the button below to confirm you received this Copyright Alert and to
> close it._

> _<button>Close this message</button>_

Ahhhh, enterprise IT and corporate counsel synergy at its finest.

~~~
reitoei
While a web developer locks him/herself in a dark room with a bottle of
whiskey and a revolver.

------
shade23
They apparently started small, but this has been happening for more than a
year now[1],[2]? I wonder if there have been any repercussions yet :

[1]:[http://arstechnica.com/tech-policy/2014/09/why-comcasts-java...](http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/)
[2]:[http://gizmodo.com/comcast-is-injecting-ads-right-into-web-p...](http://gizmodo.com/comcast-is-injecting-ads-right-into-web-pages-at-its-pu-1632327503)

~~~
eli
Much longer than that:
[http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/)

------
guelo
You don't have to use Comcast. I sacrificed Comcast's speed and went with a
local, privacy conscious DSL provider and I couldn't be happier. I'm getting
about 6mbps with dual bonded phone lines. It's kind of pricey at $80 but it's
worth it knowing I'm dealing with an honest business. In most areas there are
alternatives and DSL is available everywhere, it's worth it even if it's a lot
slower for the peace of mind. As long as you don't trade in one evil giant
corp for another like AT&T or Verizon.

~~~
losingthefight
I don't think this is reflective of most consumers in the US. I have a family
of four. I couldn't imagine the kids working on school work, watching Netflix,
or gaming while I try to teach online all while on a WiFi router connected to
DSL. While it may work for you, the fact of the matter is that it likely will
not work for many, hence the reason Comcast can get away with this crap (well,
that and the monopoly).

~~~
coldtea
> _I couldn't imagine the kids working on school work, watching Netflix, or
> gaming while I try to teach online all while on a WiFi router connected to
> DSL._

At 6mbps? Tons of consumers in the US get even less...

------
poizan42
How does this go along with ISPs being classified as common carriers? Are they
actually allowed to modify the data they are carrying?

------
austerity
I wonder what's in it for them? Sending an email should be enough to comply
with DMCA. Are they paid by some copyright groups or just being a pushover?

~~~
hayksaakian
isn't comcast owned by NBC?

that means they have a distinct corporate interest in protecting their IP
(legitimate or not is another discussion).

~~~
DrScump

      isn't comcast owned by NBC?
    

Vice-versa.

------
zackboe
Cox Communications also injects js to display downtime messages and data usage
alerts when nearing the upper limits of their now enforced data caps. Their
response to a FCC complaint was essentially "it's convenient for our users"

------
mavrc
CableOne does this for lots of different stuff. If you're over your bandwidth
cap, if you haven't paid your bill yet...

Come to think of it, we have had a rocky relationship, they and I.

~~~
vlunkr
Yes, I've seen CableOne banners get magically injected into web pages.
Sometimes for things as trivial as advertisements.

~~~
bencollier49
They're adding advertisements to other people's IP?

~~~
vlunkr
I wish I had evidence of this, but I swear I've seen it. I'm not on CableOne
anymore or I'd try to find one

------
feld
Charter injects into your browsing to force you to accept a Terms of Service
update, even on a business connection.

I got a packet dump of it happening.

[https://feld.me/pub/charter.pcapng](https://feld.me/pub/charter.pcapng)

------
closetnerd
This shouldn't be possible with https enabled website right? Or am I missing
something?

~~~
Washuu
While it does not do anything to HTTPS connections they still get routed
through their proxy causing slow downs.

~~~
function_seven
What assets does their proxy proxy on https connections?

~~~
adrianbg
None. The fact that everything goes through an extra hop causes a slowdown.

~~~
ars
They probably only proxy port 80, so https would not be slowed.

------
KhalilK
Same was done during the Tunisian revolution only to inject keyloggers.

~~~
chippy
Comcast was doing this, or a Tunisian ISP? Do you have a source for that?

~~~
KhalilK
Tunisian ISPs. HTTPS was the solution of course.

[http://www.businessinsider.com/tunisia-facebook-2011-1](http://www.businessinsider.com/tunisia-facebook-2011-1)

[http://www.theregister.co.uk/2011/01/25/tunisia_facebook_pas...](http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/)

------
thoughtexpt
From what domain does comcast.js originate? Does the injection still work if
we block connections to the IP for that domain?

~~~
jand
The script is inlined, so blocking by origin seems not possible. You could
write a greasemonkey script (is that still a thing?) or write an extension
which removes the line

_ComcastAlert.go();

from every visited page.

~~~
ryan-c
I think you could also insert a script in the document head that adds an event
listener for beforescriptexecute that checks for and cancels execution of the
comcast script. A website could do this themselves even.

Better yet, block the script if detected, then fire the acknowledgement.

~~~
notahacker
If script detected, serve not-strictly-accurate but damaging to Comcast
warning about "insecure Comcast connection"...
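
An added example, not part of the thread and not Comcast's script: because the injected script is inlined, origin-based blocking does not apply, but a site owner can compare the inline scripts a client received against the ones the site served. The sample pages and the `SYS_URL` value are constructed placeholders; only `_ComcastAlert.go();` and the name `SYS_URL` come from the thread.

```javascript
// Added example (not from the thread): flag inline <script> blocks that are in
// the HTML a client received but were not in the HTML the site served.
// It works on HTML strings, so it runs in Node; in a browser, pass
// document.documentElement.outerHTML as receivedHtml.

// Return the whitespace-normalized bodies of inline scripts in an HTML string.
// Scripts with a src attribute are skipped: those have an origin to filter on.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/\bsrc\s*=/i.test(m[1])) continue;
    // Collapse whitespace so a proxy that only re-flows the markup is not flagged.
    const body = m[2].replace(/\s+/g, ' ').trim();
    if (body) bodies.push(body);
  }
  return bodies;
}

// Inline script bodies present in receivedHtml but absent from servedHtml.
function findInjectedInlineScripts(servedHtml, receivedHtml) {
  const known = new Set(inlineScripts(servedHtml));
  return inlineScripts(receivedHtml).filter((body) => !known.has(body));
}

// Constructed sample: the page as the site served it.
const SERVED_HTML = [
  '<!doctype html>',
  '<html><head><title>Example</title>',
  '<script src="/static/app.js"></script>',
  '<script>window.appConfig = { theme: "light" };</script>',
  '</head><body><p>Hello</p></body></html>',
].join('\n');

// Constructed sample: the same page with an inline script added in transit.
// "/placeholder-path" is a placeholder; the thread does not give the real value.
const RECEIVED_INJECTED = SERVED_HTML.replace('</body>', [
  '<script>',
  '  var SYS_URL = "/placeholder-path";',
  '  _ComcastAlert.go();',
  '</script></body>',
].join('\n'));

// Constructed sample: the site's own inline script, only re-indented.
const RECEIVED_REFLOWED = SERVED_HTML.replace(
  'window.appConfig = { theme: "light" };',
  'window.appConfig = {\n  theme: "light"\n};'
);

console.log(findInjectedInlineScripts(SERVED_HTML, RECEIVED_INJECTED));
console.log(findInjectedInlineScripts(SERVED_HTML, RECEIVED_REFLOWED));
```

On a plain-HTTP page whatever modifies the response can also modify or remove this check, so it is a detection aid only; serving the page over HTTPS is what prevents the modification.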

------
jand
It seems to me, as if they also do some magic to intercept requests to the
currently visited page. They use a relative path url (SYS_URL) to poll for a
state and to send the acknowledgement (functions checkBulletin() and
sendAck()). From my understanding that would be a request to the current
domain/visited page, right?

So they just intercept their 'own' magic url, but it bothers me somehow.

Can anybody confirm this? My uptime is far beyond reasonable.

~~~
ryan-c
It looks to me like that's what they're doing.

------
supernintendo
Out of curiosity, I wanted to know what the maximum z-index is. The CSS 2.1
spec doesn't present this information, but it turns out to be 2147483647 (the
maximum value for a 32-bit integer).

Now what does that z-index say about the JavaScript developer who chose it?
"Fuck it, 999999 is enough." Man, what a tool.

~~~
rym_
Not a JS developer at all, what does a zIndex of 99999 do?

~~~
mentando
Well it is a very high zIndex, which would force the element in the plane
99999.

What it says about the developer though, is that he didn't bother reading up
on, what is the highest value, but just chose a rather high value of 99999.

~~~
adrianN
Clearly he wanted to future-proof his code. Maybe in a while he'll need to
display an even more important message.

------
atthegate
I was hit with this a couple of months ago. A one-line Chrome extension
handled it fairly well...

> document.getElementById('comcast_content').remove();

~~~
scrollaway
Hiding this is counterproductive; trivial as it may be, and this goes for
everyone, please don't publish such an extension. People need to see this and
get pissed off, complain to comcast, understand why https is needed.

------
chrisBob
If I serve a page with a no-derivative license can I sue Comcast for the
license violation? There must be a good way to legally stop this.

~~~
mark-r
There was a link posted here not long ago that pointed out the proliferation
of arbitration clauses in contracts and customer agreements. No doubt your
agreement with Comcast has such a clause.

~~~
johnward
The customer agreement may but the website owner never agreed to this.

------
scelerat
Isn't Comcast violating StackExchange's copyright here by modifying and
redistributing their content without their permission?

------
gargravarr
If there was ever a reason for HTTPS to be default on every site, this is it

------
mikeryan
They've done similar before

[https://news.ycombinator.com/item?id=5482178](https://news.ycombinator.com/item?id=5482178)

Back then it was to alert folks who were hitting bandwidth quotas and you
could make the argument they were trying to help but this one, ugh.

------
mahouse
The problem is not that Comcast does it, the problem is that the US government
allows them to do it

------
chris-at
Wouldn't Comcast be violating the copyright of every site it injects this code
into?

------
Cymen
Is there an example of this in action Jarred? I'm on a Comcast connection
right now (DSL was too slow). Looks like it has been happening for a while --
from 2013:

[https://gist.github.com/ryankearney/4146814](https://gist.github.com/ryankearney/4146814)

Blog post: [http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/)

So also used when you near the monthly traffic cap (if your area has active
caps).

------
Cshelton
TimeWarner does this as well. I don't have proof, but when my roommate was
torrenting stuff, no vpn, nothing, I had a notification like this pop up on a
random web page. This kind of shit has got to stop.

~~~
tnuc
Timewarner does it whenever I use their "free" wifi hotspots.

------
hippo8
Sorry for the silly question. Is it possible to have an internet without ISPs?

~~~
privacy101
Some cities have created public-owned ISPs like Chattanooga's fiber network
(community fiber[1]).

You could also become your own ISP.

[1] [https://www.eff.org/deeplinks/2014/07/hate-your-isp-maybe-yo...](https://www.eff.org/deeplinks/2014/07/hate-your-isp-maybe-you-need-community-fiber)

------
andyjohnson0
I don't live in the US, but what are the countermeasures for exploits like
this? Is there a local proxy that can strip this and similar js out, and would
it be simple enough for non-expert users to deploy?

~~~
malka
use a VPN. even shady vpn operators are more trustworthy than comcast :/

------
RKearney
They've been doing this for over 2 years

See:
[https://gist.github.com/ryankearney/4146814](https://gist.github.com/ryankearney/4146814)

------
akerro
headingtext2: '<strong>AN IMPORTANT MESSAGE FROM COMCAST</strong>'

You can read it as: WE CAN DO EVERYTHING WITH YOUR NETWORK TRAFFIC AND WHAT
CAN YOU DO ABOUT IT?

------
thejaredhooper
> {zIndex: 999999}

Something so simple as this CSS property shows you the intent behind the code.
They're basically saying "screw every bit of content on this page."

------
userbinator
Emailing is not enough? I wonder who came up with this idea.

~~~
Washuu
Oh no. You get the browser notice, the email, the text message, and then
finally two days later a phone call that will KEEP CALLING until you
acknowledge it through a series of key pad press prompts.

This happens at every 10% starting at 90%.

~~~
fabulist
I'm glad they're responding to negative public opinion in the only honorable
way, driving themselves out of business. It's so rare to see a corporation
with values.

------
jupp0r
Even more reason to drive opportunistic encryption.

------
smizell
I had a situation with our local ISP where they injected some banner on each
page to let users know they were close to going over their bandwidth usage
when they got to like 90%. I reached out to them and said this was essentially
a man in the middle attack and that I didn't want messages injected. A week
later they messaged me to say it had been removed.

------
nicksuperb
I've been noticing an issue when getting bandwidth limit notifications. The
same injection technique is also being used. When I attempted to filter out
these messages, Comcast promptly reduced my internet speed to 1Mb. It took 3
calls over two days to realize that they were doing this as a reaction to my
inability to receive the notices.

------
tzmudzin
... and now Comcast will sue for posting this very code to Github. I am sure
it is copyrighted...

And it does not matter that they pushed it down the throat of their paying
customers...

I am a big fan of rules & regulations, but in cases like these I'm afraid as a
society we play stupid games (... and win stupid prizes...)

------
jtwebman
When all webpages start using https this is going away. They will not be able
to inject anything.

------
k_vi
This might not be relevant to the topic (I don't use Comcast), but I'm curious
how web elements are forced to be overlay consistently across all websites,
doesn't the existing css properties on the page affect the behaviour of the
injected scripts?

~~~
Jimmed
It's done via the 'z-index' CSS property [0]. Essentially, the higher the
z-index, the higher the priority of the element; a higher z-index will appear
in front of a lower z-index.

[0]:
[https://developer.mozilla.org/en/docs/Web/CSS/z-index](https://developer.mozilla.org/en/docs/Web/CSS/z-index)

------
magoon
This means Comcast is assembling the packets up to the application layer for
deep inspection and injection, which slows down receipt of the packets because
it must receive the full payload before processing, reassembling, and
transmitting.

~~~
virtuallynathan
No need to speculate:
[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

------
SanPilot
Surely this can't work on HTTPS secured sites, correct?

------
wmf
The root of this problem is that there is no "control channel" (or whatever
you want to call it) from an ISP to its customers. Email doesn't work because
ISPs don't always have the customer's address and email can get spam filtered.
Paper mail is expensive and may not be read. Until someone defines and
implements a protocol for this, ISPs are going to keep inventing weird
kludges. I wonder if Hotspot 2.0 can be adapted for wired networks.

~~~
userbinator
_Email doesn't work because ISPs don't always have the customer's address_

What ISPs don't provide an email account (usually something like username@isp-
domain) with their service? I thought that was the standard way to do things,
and it's what mine does to send me alerts about service outages and
maintenance windows.

~~~
0x0
Lots of people don't even realize they have an ISP provided address, or they
don't bother with it.

------
shmerl
It's time for sites to always use HTTPS.

------
anonymfus
How is it not a network neutrality violation?

------
chrisan
Anyone know how to reproduce this? I'm on Comcast Xfinity and I can't find it
on any HTTP page I visit.

------
lrsh2
I wonder why none of these programmers who do such webpages visit HN? Are
they on a different planet :-(

~~~
noir_lord
Fundamentally there are two types of programmers, those who are interested in
programming in all its forms and actively seek out communities with similar
interests (you see this in framework communities and language communities
particularly) and those who don't, the second set may be good programmers or
not (I'd suspect having met some of them that the average second set
programmer is not as capable as the first set but that's anecdotal).

They also tend to be the ones who use whatever tool they are using for a long
time and argue "good enough is good enough" as a justification for not
learning new things.

I know this is a horribly broad generalization but I have seen it repeat
constantly over time, you also tend to find them working for large
organisations or on legacy stuff that wasn't legacy when they wrote it.

Again, horribly broad generalization and some enterprise programmers are
amazing.

~~~
lrsh2
I wonder in terms of ethics. Why don't they tell the bosses it is unethical?
Like bankers, software engineers need some ethics treatment. I look at you who
add multiple trackers to websites.

------
payne92
Wow. The Internet service providers complain about network neutrality, while
they pull stunts like this.

------
grantk
Here's my 2c, this code is shit.

------
yAnonymous
They're causing damage to the sites where this is injected. Couldn't the
owners sue them?

------
mikx007
I wouldn't be surprised if in a few years they started to inject ads.

------
SarahofGaia
What is this A/B formatting? 20/5, 100/50, etc.

------
rubyfan
And then we all started using Tor.

------
Zekio
would the Https Everywhere plugin prevent this?

~~~
viraptor
Only on websites which actually have an https version. Many do, but many don't.
It's usually ~100% on websites I use daily and goes well below 50% when I try
to google for anything uncommon.

------
kensign
such total shit

------
jsatk
Shameful.

