
Xfinity Is Man-in-the-Middle Attacking My Internet - grepsedawk
https://rietta.com/blog/comcast-insecure-injection/
======
KingMachiavelli
> This attack entirely breaks tab ordering, deeming the internet unusable for
> people requiring software assistance to provide accessibility to the World
> Wide Web. Additionally, the “escape” key, which is often used to close
> dialogs, doesn’t close the Xfinity notice.

A few weeks (months?) back there was an article about ongoing litigation on if
websites are required to have accessibility compliance under the ADA act. I
would be very happy to see Xfinity sued for this practice under that precedent
and hopefully _any_ injection would be considered a violation.

Status of Supreme Court case: [https://www.scotusblog.com/case-files/cases/dominos-pizza-ll...](https://www.scotusblog.com/case-files/cases/dominos-pizza-llc-v-robles/)

~~~
jorvi
Only tangentially related, but how is the ADA act looked upon by Americans?
The only time I've heard about it as a European was when Stanford (?) was
forced by litigation to take entire swathes of free online education offline
because it didn't have subtitles. I'm all for making the web more accessible
but it really soured me on the notion of such acts and whether they are the best
way to enforce said accessibility.

~~~
panzagl
My HOA was sued for some slightly uneven sidewalks and the fact that some
people had parked cars that jutted out of their driveways. Plaintiff doesn't
live here, has pretty much made a living by such lawsuits. So while I agree
with the tenets of the ADA, it's just one more example of how legislated
morality will be abused by a small percentage for their own gain. If it were
repealed tomorrow I would shrug.

~~~
nothal
Just because someone is entering a seemingly frivolous lawsuit, is it fair
that the HOAs sidewalks are inaccessible in general? I feel like it feels
wrong because someone is profiting on it but society is more equitable as a
result and I don't feel that is an abuse of the legislation.

~~~
bobthepanda
In fact, if profit drives more people to fight for what's right, then it
becomes easier to make the world a better place.

Profit is just one form of incentive that we can align for increasing
compliance with directives with a positive social benefit. All incentives are
abusable if you design them incorrectly, so I see no reason to vilify profit
over other kinds of incentives.

------
pdkl95
This is copyright infringement.

>> 17 U.S.C. § 106

    ...the owner of copyright under this title has
    the exclusive rights to do and to authorize
    any of the following:

      (2) to prepare derivative works based upon
          the copyrighted work;

Instead of conveying the authorized copy from the webserver to its intended
recipient, Comcast is intercepting the original copy of the file and making a
_derivative_ version of the work. Unless they received special permission from
each website owner (which is unlikely), Comcast is infringing someone's
copyright every time they make a modified copy without permission.

How many HTML files have they _willfully_ [1] modified?

[1] why willful? They published the technical details of how they modify the
original work in an RFC.

~~~
Analemma_
I'm not sure you want to make this argument. If this is copyright
infringement, then ad-blockers and GreaseMonkey are also copyright
infringement.

This can be a crummy, anti-consumer practice without having to invoke
copyright.

~~~
turc1656
I'm not sure they are equivalent. One is being done by someone else perhaps
without your knowledge (most people are not tech savvy and won't even
understand what Comcast has done). The other is being done by you explicitly
to your own "copy" of the work. I don't think the ad-blocker argument would
hold up in court.

But this line of reasoning got me thinking...I've seen some pretty loose
interpretations of the CFAA over the years. I'm not sure what the law says
about Comcast's privileged position as an ISP, but I would think that in most
cases, specifically altering data between two networks counts as unauthorized
access, no?

~~~
dicknuckle
In this case, one could argue that adblocking is like using a marker to
blackout sentences you don't want to read in your personal copy of a book or
newspaper.

The same as using a blue light filter on your computer (modifying the output
of every program, copyrighted work, website, and text) vs wearing blue-blocker
(yellow) sunglasses to the movie theater or library.

------
gregmac
One of the problems with this is the same as _any_ other bad behaviours
companies often do that are indistinguishable from an attack, such as asking
for your PIN on the phone, or sending account-related e-mails with links: They
condition the user to expect this is "legitimate".

As the article points out, an attacker could do something on an unrelated web
server that injects this same notice (using the same code [1] as a basis),
with a link that says something like "Extend your limit for free by 1GB",
which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account
credentials. Because the link was presented using the familiar UI, it could
easily trick someone and it would be nearly impossible for most users to
realize it's not legitimately Xfinity.

[1] [https://rietta.com/blog/comcast-insecure-injection/injection...](https://rietta.com/blog/comcast-insecure-injection/injection-attack.js)

------
throwaway-mitm
I have first-hand knowledge about how Comcast's content injection happens.
(they'd prefer to call it "User Messaging") I'm sure you'll find the same
ability from several ISPs because they all purchased a network appliance that
does the content injection.

One question people are asking here: does it work over HTTPS? No, it doesn't
work over HTTPS, but if the page requests content via HTTP it is possible.

Interestingly enough, the technique is very similar to what Edward Snowden
revealed as Quantum Insert, where HTTP requests monitored by the ISP are
intercepted and another web server (the network appliance in question) is able
to respond more quickly. It starts with a very fast response that leads to a
302 redirect. The network appliance will then serve up a modified version of a
file (usually a JS asset). The injected JS will then query the network
appliance for "messages" and show them if the user is "eligible" to receive
them.

~~~
syntheticcorp
Could you elaborate on this a bit please?

What is the appliance called? Do all HTTP requests flow through it and
anything else bypasses it? Does it store or log any of the requests or
responses?

~~~
throwaway-mitm
I'm hesitant to name the device, because thus far the company who makes it has
escaped scrutiny, and I'm not the one who's going to change that right now.
There was an Ars Technica article a few years ago that made reference to
Xfinity doing this to notify people that they were using a hotspot. They had a
follow-up article that nobody read where they pointed to the company that made
the device, but they slightly misidentified them. Mostly people were upset at
Comcast. The appliance is used at Cox, Shaw, and many other major ISPs all
over the world: Europe, Latin America, The Middle East, Asia. There are
basically two major companies operating in this space, as far as I know.

It is capable of monitoring ALL http requests, which is only about <5% of
traffic going through an ISP. The more traffic you have, the more devices you
need, but one can take care of a LOT of traffic, and I believe it can run as a
VM. I'm not sure how it works as a VM exactly, because it also contains a
custom Ethernet driver.

The same device directs people to the captive portal (if I'm not mistaken)
used for logging into Xfinity, or other public wifi from other providers.

Because performance is a high priority, the logging is minimal, but it keeps
track of who's been served a message and doesn't collect any PII. The device
is capable of serving any content, even causing a request from a third-party.
So, it's possible that the content that gets ultimately injected is able to do
whatever... anything a malicious advertisement would be capable of doing.

Your message eligibility is highly configurable, and can include metrics such
as whether you visit certain sites, and possibly even your physical location.

There are a couple of phases. First the network appliance injects some light
code, using the Man-On-The-Side 302 redirect method. Once that's done, the
injected code is probably going to request additional content after checking
if you qualify for a message.

~~~
xtat
Can I ask why you would protect the company behind the devices?

~~~
throwaway-mitm
All the information a person could want is available if you know where to
look. I'm providing well-documented information. If more information becomes
public I can talk about it, otherwise, I simply can't. Let's just leave it at
that.

------
grawprog
I'm not sure if it still works like this or not, but up here in Canada with
Shaw cable, for the longest time (it just started out of nowhere one day) I'd
always get redirected to a Shaw landing page or have Shaw ads injected into
pages when I was browsing. I finally really noticed it one day, so I did some
searching at the time and found out Shaw has an option in their account
page (enabled by default).

I can't remember what it's called, something like 'Shaw enhanced browsing' or
some shit, but basically this 'feature' allows Shaw to route traffic through
their servers and inject content into sites. There was no description of this
option in the account settings, it was buried 3 or 4 layers deep, there was
no mention of this 'feature' from any of Shaw's customer service people, and the
only way I discovered it was through some random forum conversation I found.

There were also people mentioning (this never happened to me) that despite
switching the option off, they would find it turned back on again a day or two
later and have to repeat the process. I have no idea if this is still the
case, this would have been quite a while ago now, but I was pretty unimpressed
when I figured it out and realized what was going on.

~~~
grepsedawk
IMHO getting redirected would be WILDLY more acceptable than injecting
content.

~~~
ianmobbs
I mean I suppose, but even that seems wildly inappropriate.

~~~
grepsedawk
I agree, but I still think it's "better"

------
masswerk
On a broader level this is why the FCC is IMHO wrong in not considering
broadband a telecommunication service. As ISPs inject their content (including
advertising) into third party content, they essentially take over said
content. E.g., if someone requests access to my content via their service,
besides any corruption of functionality, artistic work and even intended
meaning, any revenue generated by this is directly drawn from my content
without license. From my perspective as a potential content provider, this is
clearly a violation. It may be even a violation of existing contracts, e.g.,
if there's a no third parties clause involved in an existing advertising
contract the content provider has agreed to.

~~~
jopsen
As a content provider this is why you need HTTPS, and it's why you should
ensure your certificate is in the transparency logs, and that your site
requires CT entries.

~~~
masswerk
However, this is more like "better have a lock so that thieves have a harder
time breaking the door". If the US is making IP violations legal, it puts
itself in danger of being treated like other countries that are considered
to notoriously ignore IP as part of their overall business model.

~~~
jopsen
True..

The sad thing is that with many kinds of cybercrime, it's easier to fix the
security vulnerability, than it is to track down the criminals and make them
stop :)

In this case, the vulnerability is using HTTP, not HTTPS.

~~~
masswerk
Still, if we do not take care of bad actors, bad actors are what we get (and
probably what we deserve).

Edit: Also, what stops those ISPs from impersonating the requested host by
means of their own root certificate, just like antivirus software does it?

~~~
Sohcahtoa82
Then my browser would throw a certificate warning unless I added my ISPs root
cert.

~~~
masswerk
As pointed out by another comment already, "you" may as well be the ISP's
installer software.

------
kinghajj
This is exactly why I cancelled my Comcast service a few years ago and
switched to Sonic, even though it had orders of magnitude less bandwidth. I
even offered to stay on as a customer, and pay whatever 'overage' fees they
charged, if they implemented some way to make exceptions and never inject the
data cap warning on my account, but they claimed that was impossible. When I
returned the rental equipment, I made it absolutely clear that I considered
this practice immoral and reprehensible.

If anyone else considers cancelling their service, but has trouble getting
Comcast to let them actually do it, just remove your payment method from the
account, and let them know that if they attempt charging to it again, you'll
sue them for fraud; that'll get your account closed real quick!

~~~
mjevans
The suburb (outside of Seattle city limits) that I live in is a suburban area;
density is easily high enough.

My choices are Comcast (up to 1gbit down / 30 mbit up IIRC) or rotting exposed
copper POTS (from Clink?) that has VDSL at something around 10mbit down / 1
mbit up.

Thus, I have only one choice of broadband provider and due to lack of
competition as well as lack of regulation, no broadband providers that offer
unlimited service* (technically Comcast will happily charge me 600 extra
dollars a year for no increased speed but no caps; however they shouldn't even
bother with caps on their highest tier packages).

------
Sephr
Xfinity is most likely committing data usage measurement fraud due to their
implementation of this banner.

I asked the person responsible for the banner if it counted towards data caps
and was ignored.
[https://twitter.com/sephr/status/941067958096244741](https://twitter.com/sephr/status/941067958096244741)

~~~
milankragujevic
They could measure the size of the JS payload, and subtract that from the size
of the web page, before adding that number to the number of bytes used in a
billing period. That way they could "more-fairly" measure bandwidth usage even
with their MITM "value-add" and "informative" content.

Though, seriously, I have a hard time understanding the reasoning for data
caps on DOCSIS infrastructure. On LTE, yes. WISP, yeah - kinda. DOCSIS, DSL
and GPON? Absolutely no!

Not to mention the horrifying realization of most uninformed people that their
ISP can and will intercept, log, modify or restrict access to content that the
user has requested, even though the user has the right to such content, having
paid the monthly subscription fee for the connection. But hey, I don't work at
a large cable ISP, I couldn't possibly understand their reasoning and advanced
calculations. /s

~~~
Sohcahtoa82
> Though, seriously, I have a hard time understanding the reasoning for data
> caps on DOCSIS infrastructure.

It really $houldn't be that hard to under$tand.

------
daviesgeek
I just got this as well. I’m appalled at the complete lack of thought put into
this. I’ve had numerous emails & push notifications telling me I’m over my
data cap; I don’t need injected content into my page in addition.

~~~
grepsedawk
They have my #. They have my email. They have my address.

Those are the ways I want to be contacted.

------
Youden
Honest question: If I own the copyright to a webpage (say my personal blog)
and Comcast modifies my page to insert this "helpful" warning message, is it
likely I'd have a case to sue them for creating an unauthorized derivative
work of my content?

~~~
na85
IANAL but I think you have to demonstrate harm.

~~~
pdkl95
Regarding actual damages, popups about data limits that _appear_ to come from
my page can easily damage my reputation or give the false impression that I
have some kind of relationship with Comcast.

Since they are making a new derivative work without the authorization of the
copyright holder, they are probably guilty of copyright infringement. The
remedy for that could include statutory damages _for each work they infringed_
of "a sum of not less than $750 or more than $30,000 as the court considers
just"[1]. However, since the infringement was patently willful (they published
an RFC explaining their intentions and methods), "the court in its discretion
may increase the award of statutory damages to a sum of not more than
$150,000."[2]

[1]
[https://www.law.cornell.edu/uscode/text/17/504#c_1](https://www.law.cornell.edu/uscode/text/17/504#c_1)

[2]
[https://www.law.cornell.edu/uscode/text/17/504#c_2](https://www.law.cornell.edu/uscode/text/17/504#c_2)

------
cjsawyer
I used to live in Fort Collins and I was _floored_ the first time that an
xfinity data limit popup appeared on a random website. Colorado needs a better
provider.

~~~
nolroz
This makes me want to move back.
[https://ourcity.fcgov.com/citybroadband](https://ourcity.fcgov.com/citybroadband)

~~~
cjsawyer
I’m glad that someone is benefiting from my vote :)

------
acdha
This is sadly common: I’ve run Sentry
([https://github.com/getsentry/onpremise](https://github.com/getsentry/onpremise))
for years to collect JavaScript errors on the sites I run. If you haven’t done
so, it’s eye-opening how noisy the JavaScript environment is for many people:
ISPs, browser extensions, anti-virus software, etc. all injecting tons of
marginally-tested code, most of it written at a level which would have been
shameful back in 1998, and apparently with little awareness of how to avoid
polluting the global namespace.

A similar bit of malware had a surprising twist: many ISPs, especially mobile,
used an image compressor which made things look terrible but, unexpectedly, it
honored Cache-Control: no-transform. See
[https://stackoverflow.com/a/4113511/59984](https://stackoverflow.com/a/4113511/59984).

I’m curious whether Comcast does that – it would be surprising but also
possible as a way to reduce the risk of lawsuits.
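The `Cache-Control: no-transform` behaviour acdha mentions is what a well-behaved intermediary is supposed to check before touching a payload. The following is an added example, not code from the article, Sentry, or any ISP appliance: it parses the `Cache-Control` field value properly (comma-separated directives, case-insensitive names, quoted-string arguments), refuses to transform when either the request or the response says `no-transform`, and marks any transformation it does apply with the `214 Transformation applied` warning that RFC 7234 section 5.5.5 describes. The sample headers, the `collapse_whitespace` stand-in transform, and the helper names are this example's own.

```python
"""Honouring Cache-Control: no-transform in a transforming intermediary.

Added example (not code from the linked article, Sentry, or any ISP
appliance).  RFC 7234 says an intermediary MUST NOT change the payload when
the request or the response carries "no-transform" (sections 5.2.1.6 and
5.2.2.4), and that a proxy which does transform SHOULD add a
"214 Transformation applied" warning (section 5.5.5).  The sample headers and
the toy minifier below are constructed for the demo.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# One directive: a token name, optionally "=" followed by a quoted-string or
# a token argument, terminated by a comma or the end of the field value.
_DIRECTIVE_RE = re.compile(
    r"\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)"
    r'(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s"]+)))?'
    r"\s*(?:,|$)"
)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive-name: argument-or-None}.

    Names are case-insensitive, quoted-string arguments are unescaped, and
    malformed fragments are skipped rather than aborting the whole parse.
    """
    directives: Dict[str, Optional[str]] = {}
    pos = 0
    while pos < len(value):
        m = _DIRECTIVE_RE.match(value, pos)
        if m is None:
            nxt = value.find(",", pos)   # skip the unparsable fragment
            if nxt == -1:
                break
            pos = nxt + 1
            continue
        name, quoted, token = m.groups()
        if quoted is not None:
            arg: Optional[str] = re.sub(r"\\(.)", r"\1", quoted)
        else:
            arg = token
        directives[name.lower()] = arg
        pos = m.end()
    return directives


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def _set(headers: Dict[str, str], name: str, value: str) -> None:
    """Case-insensitive header replace (drops any existing spelling)."""
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]
    headers[name] = value


def may_transform(request_headers: Dict[str, str],
                  response_headers: Dict[str, str]) -> bool:
    """True only if neither the client nor the origin forbade transformation."""
    for headers in (request_headers, response_headers):
        cc = _get(headers, "Cache-Control")
        if cc is not None and "no-transform" in parse_cache_control(cc):
            return False
    return True


def transform_response(request_headers: Dict[str, str],
                       response_headers: Dict[str, str],
                       body: bytes,
                       transform: Callable[[bytes], bytes]
                       ) -> Tuple[Dict[str, str], bytes, bool]:
    """Apply `transform` to the body unless no-transform forbids it.

    Returns (headers, body, applied).  A transformed payload is labelled with
    a 214 warning so the client can tell it is not what the origin sent.
    """
    headers = dict(response_headers)
    if not may_transform(request_headers, headers):
        return headers, body, False
    new_body = transform(body)
    _set(headers, "Warning", '214 - "Transformation applied"')
    _set(headers, "Content-Length", str(len(new_body)))
    return headers, new_body, True


def collapse_whitespace(body: bytes) -> bytes:
    """Toy 'minifier' standing in for whatever an intermediary might do."""
    return b" ".join(body.split())


if __name__ == "__main__":
    # Constructed origin response: the no-transform directive blocks the change.
    origin = {"Content-Type": "text/css",
              "Cache-Control": "public, max-age=600, no-transform"}
    css = b"a  {  color: red  }"
    print(transform_response({}, origin, css, collapse_whitespace))
    origin["Cache-Control"] = "public, max-age=600"   # now transformation is allowed
    print(transform_response({}, origin, css, collapse_whitespace))
```

For a site operator the directive is only a request, not a control: an intermediary that ignores it (as the thread suggests Comcast's does) is exactly why the HTTPS advice elsewhere in the thread is the real fix. For anyone building a caching or optimizing proxy, the check above is the minimum needed to stay on the right side of the specification.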

------
kdbg
Currently down, here is an archived version:

[https://web.archive.org/web/20191029172726/https://rietta.co...](https://web.archive.org/web/20191029172726/https://rietta.com/blog/comcast-insecure-injection/)

~~~
grepsedawk
Cheers, back up now. Might have been scaling.

------
jermaustin1
At least Xfinity is giving you information /s. Optimum Online does this and
serves me advertisements for new channels or movies available through VOD [1]

1: [https://imgur.com/a/UZYd7JH](https://imgur.com/a/UZYd7JH)

------
josefresco
How do you know that their (Xfinity) JavaScript code counts against your data
cap?

~~~
BoorishBears
So much of the tone of this article is vaguely alarmist, which is a little
annoying... seeing as the issue described is already _extremely_ alarming

It didn't need the theatrics and intentionally misleading garnishments (like
quoting Comcast's own RFC that's describing their own recommended behavior for
themselves, then pointing out you can phish people, and then awkwardly trying
to glue those tangential points together)

The bad behavior is bad enough that it'd stand on its own, and if it instead
focused on things like accessibility up front, it'd be much stronger of an
article (and people would be more likely to read it all the way through)

------
VonGuard
First time I saw one of these 4 years ago was when it popped into a Steam sale
advertising window. Really creeped me out. A sure sign Comcast is pretty much
100% infected with Bovine Spongiform Encephalopathy. Still they offer Internet
that is 10 times faster than the competition. Ah, the tyranny of the last
mile. I went with Comcast Business, and they don't have data caps...

------
crooked-v
Of course, this whole thing is also overlooking the absurdity of a 1 TB
monthly data cap on a service offering up to 1000 Mbps bandwidth.

~~~
zeta0134
I did the numbers with the AT&T sales rep here in South Texas, which has a
similar plan and cap. If my math is anywhere close to correct (questionable),
actually pulling 1000 Mbps would exhaust the 1 TB cap in about 2.3
_hours._

Yes, _hours_. That cap cannot sustain the advertised speed for even one full
day before hitting overage charges.

Needless to say, we went with a different service provider. We are fortunate
here to have an option (alas, still a cable company) that has no data cap, but
not everyone is so lucky.

~~~
mitchty
Yep, it doesn't take long.

[https://www.wolframalpha.com/input/?i=1Terabyte+at+1+gigabit...](https://www.wolframalpha.com/input/?i=1Terabyte+at+1+gigabit%2Fsecond)

Think of all the "cloud" kind of things you could enable if you could use that
bandwidth. Only we can't.

Think backups of your entire disk etc... massive p2p cluster filesystems stuff
like that. All not possible cause of these data caps.

------
jkoberg
> (Comcast still has datacaps. Pricing like it’s 1999…)

That's not how internet was billed in 1999. You paid for the size of the pipe,
not how much data came through.

Per-byte pricing is pretty much a cell carrier and Comcast invention

------
chrisjc
They can do this on any site including secured ones? I don't think the link
makes this clear.

~~~
bdamm
Right, and presumably using a VPN would stop this as well, but you'd have to
get a pretty nice VPN to not impact your experience by 250ms/req.

~~~
xoa
> _but you'd have to get a pretty nice VPN to not impact your experience by
> 250ms/req._

Eh? I was thinking the opposite, that's such a ludicrous latency overhead that
it would be trivial to go to any VPS provider even sort of nearby and spin up
a $5 instance with Algo. The only concern normally for some of them is the
super cheap simple managed instances often have data caps too (though some
providers have bandwidth limits only), but in this use case even that doesn't
matter because the limits are still higher than Comcast's regardless. There
are datacenters in Denver, but even if you had to go all the way to SF and
it's a worst case adding 1800 miles RTT that should still only be around
10-14ms or so right? The article seems a little silly to go on so much about a
few kb of data out of tens of gigabytes or a TB or whatever Comcast's caps
are, but 250ms is wild, even without all the other breakage.

Although I've always heard that if you're ever forced to go Comcast, the
average HN type would be best off seeking a Comcast Business connection that
has actual support and customers that use the internet fully.

~~~
linsomniac
Agreed. I used to run all my traffic through a VPN I ran, and found that the
average latency was lower than routing it to the default gateway.

This was possible because my server was well connected and very low latency
talking to Comcast, and also very low latency talking to the rest of the
Internet via Level-3, Time Warner, QWest and InterNAP. Where directly routed
traffic would run over the Comcast network most of the way across the country.

------
LeoPanthera
I also have Xfinity and began to experience this a few years ago. When it
started I configured my router (pfSense running on an APU2) to forward all
outgoing connections on port 80 (and a selection of other commonly unencrypted
ports) through a VPN - but leave all other ports, especially 443, alone.

I’ve been doing that ever since. It works great, and for me is a good trade-
off over using a VPN for literally everything.

------
peter_d_sherman
We need a service which tests web pages from different points on the internet,
including foreign countries, at regular intervals, and compares the results to
a known good version of that page, and its code.

It should answer such questions as:

1) Did the website load?

2) How long did it take to load?

3) Was the content tampered with in any way, was anything added to, or deleted
from the content, including any code, such as its javascript?

So, be able to perform those tests, from a variety of points on the Internet,
from a variety of IP addresses, at regular intervals, and report back.

Noting any and all discrepancies, and storing all anomalous web page data
retrieved (including code) for further analysis...
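The checks listed above can be expressed as a comparison of one fetched response against a stored known-good baseline. The code below is an added example, not code from the article or from any existing monitoring service: it reports a failed load, a redirect away from the expected host (the fast 302 hand-off throwaway-mitm describes upthread), a body hash mismatch, and, when the body differs, exactly which `<script>` elements were added or removed and whether any script is loaded from a host the baseline does not allow. The fetching itself (from many vantage points, on a schedule) is left out; every response, hostname and baseline here is constructed sample data, and the class and function names are this example's own.

```python
"""Checking a fetched page against a known-good baseline.

Added example, not code from the article or from any monitoring product.
All responses, hostnames and the baseline below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


class _ScriptCollector(HTMLParser):
    """Record each <script> as 'src=<url>' or 'inline:<sha256 prefix>'."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._buf: Optional[List[str]] = None   # open inline script, if any

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(f"src={src}")
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            digest = hashlib.sha256("".join(self._buf).encode()).hexdigest()
            self.scripts.append(f"inline:{digest[:16]}")
            self._buf = None


def script_inventory(html: bytes) -> List[str]:
    parser = _ScriptCollector()
    parser.feed(html.decode("utf-8", "replace"))
    parser.close()
    return parser.scripts


@dataclass
class Baseline:
    url: str                          # where the known-good copy was served from
    body_sha256: str                  # hash of the known-good body
    scripts: List[str]                # script inventory of the known-good body
    allowed_script_hosts: List[str]   # hosts scripts may legitimately come from


def make_baseline(url: str, body: bytes, allowed_hosts: List[str]) -> Baseline:
    return Baseline(url, hashlib.sha256(body).hexdigest(),
                    script_inventory(body), allowed_hosts)


def check_response(baseline: Baseline, resp: Optional[Response]) -> List[str]:
    """Return a list of findings; an empty list means the fetch matched."""
    if resp is None:
        return ["page did not load"]
    headers = {k.lower(): v for k, v in resp.headers.items()}
    expected_host = urlsplit(baseline.url).hostname
    if 300 <= resp.status < 400:
        target = urlsplit(headers.get("location", "")).hostname
        if target != expected_host:
            return [f"redirected ({resp.status}) to foreign host {target!r}"]
        return []
    findings: List[str] = []
    if resp.status != 200:
        findings.append(f"unexpected status {resp.status}")
    if hashlib.sha256(resp.body).hexdigest() == baseline.body_sha256:
        return findings
    findings.append("body hash differs from baseline")
    seen = script_inventory(resp.body)
    findings += [f"added script {s}" for s in seen if s not in baseline.scripts]
    findings += [f"removed script {s}" for s in baseline.scripts if s not in seen]
    for s in seen:
        host = urlsplit(s[4:]).hostname if s.startswith("src=") else None
        if host and host not in baseline.allowed_script_hosts:
            findings.append(f"script loaded from unexpected host {host}")
    return findings


# Constructed sample page and its baseline.
GOOD_HTML = b"""<html><head><title>My blog</title>
<script src="https://example.org/static/app.js"></script>
<script>console.log("hello")</script></head>
<body><p>Hello</p></body></html>"""
BASELINE = make_baseline("https://example.org/", GOOD_HTML, ["example.org"])

# Constructed tampered copy: one extra script from a placeholder host the
# baseline does not allow (not a real endpoint).
INJECTED_HTML = GOOD_HTML.replace(
    b"</body>",
    b'<script src="http://notice.isp.example/inject.js"></script></body>')


def demo() -> Dict[str, List[str]]:
    html = {"Content-Type": "text/html"}
    return {
        "clean": check_response(BASELINE, Response(200, html, GOOD_HTML)),
        "tampered": check_response(BASELINE, Response(200, html, INJECTED_HTML)),
        "hijacked": check_response(BASELINE, Response(
            302, {"Location": "http://notice.isp.example/r?u=example.org"}, b"")),
        "down": check_response(BASELINE, None),
    }
```

Running `demo()` yields no findings for the clean fetch, a single redirect finding for the hijacked one, and for the tampered copy a hash mismatch plus the added script and its unexpected host. Hashing the whole body catches any change; the script inventory is what turns "something changed" into an actionable report, and comparing against an allow-list of script hosts flags injected code even on a page whose baseline legitimately changes often.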

------
regcapture
This is why regulatory capture matters:
[https://en.m.wikipedia.org/wiki/Regulatory_capture](https://en.m.wikipedia.org/wiki/Regulatory_capture)

Big govt bureaucracy is terrible, but a private one (which is confident they
won’t face any trouble or practical consequences) is still trouble.

There hopefully won’t be “mask off” moments for these providers & get really
gnarly but this kind of behavior can screw over regular Joe’s & Janes

~~~
lostcolony
I'm intrigued by why you created a one off account just to post this. To
address something that stuck in my craw though -

"Big govt bureaucracy is terrible, but a private one (etc)"

You're implying big government bureaucracy is the only option here. How about,
you know, regulating internet as a utility? The thing we've been wanting since
forever? Unless there's actively a shortage of water or power, I can get those
and use them as I feel like, paying extremely low fees. I don't care if my
internet is pay for use, provided it's priced close to the actual cost.

------
shmerl
States should ban data caps. That's the only way to deal with those ISP
crooks.

~~~
nishmastime
Disagree. Paying per byte is a critical part of making people realize they are
part of botnets and to create the only incentives that have a shot at working
naturally like pressure against poorly secured smart devices. Unlimited
bandwidth just forces everyone behind Cloudflare and breaks the internet.

~~~
shmerl
Pay per byte is a fleecing scheme, nothing more. You already pay more for more
bandwidth. ISPs get more than enough doing that without any monthly data caps.

~~~
RaiseProfits
It’s an extortion scheme.

------
badrabbit
Oh please, this is not new. They've been doing this for at least 5 years that I
know of. If you pirate, they DMCA alert you with MITM'd divs in the HTML pages
you visit. I mean the fact they inject HTTP headers is one thing, but they
don't even care to do a 301 or mess with DNS responses, they will inject code
in your browser tab!

Lawyers on HN, how is this not a violation of CFAA? If I sat at a coffee shop
and did the same thing (say a "harmless" JS "alert('Hi everyone!');") that is
punishable with a penalty of up to 5 years imprisonment. So you're saying if I was
the ISP that's ok? Why is the FBI/DOJ not criminally prosecuting Comcast's
CEO? Preferential treatment or prosecutorial discretion? Will Comcast start
pushing back on dragnet surveillance cooperation?

The whole thing is so crooked! How can we bring this to the attention of
lawmakers and media?? If the post office put notes in your mail (outside of a
law enforcement request) would it not be a big deal?

~~~
acdha
Have you read your ISP’s terms of service? Do you really think Comcast didn’t
include language giving them the right to do almost anything to your traffic?

~~~
badrabbit
An agreement is invalid if it is unlawful. Think of it this way: a packet in
transit belongs both to the sender and receiver but never to the intermediary.
Even if a Comcast customer agreed to a ToS stating all their traffic solely
belongs to Comcast, the servers sending the traffic to the Comcast customer
never gave that permission; they never allowed Comcast to present altered
content to their customer. The only way that reasoning holds up is if Comcast
and Comcast's customers are one legal entity (you're essentially their subject,
much like an employee, but even then employees are distinct).

~~~
acdha
How is this unlawful without robust network neutrality legislation? They’re
not claiming ownership or redistributing it, and I’m sure they’d argue that
this shouldn’t have any side effects.

I’m far from a fan of Comcast but this doesn’t seem like something we have a
good legal angle for addressing.

~~~
badrabbit
Because they're manipulating content. CFAA is a law that exists to mitigate
unauthorized access and obstruction of computer systems... that's how, the same
law any ordinary person would face.

~~~
acdha
Whose systems do you think they’re accessing? They’re not hacking the web
server to add that warning: instead, they’re waiting for it to send a reply to
you and modifying it as it passes through their systems as permitted by the
legal agreement you signed. This is like trying to say DoorDash should be
tried for trespassing if they put a flier in your delivery.

Again, this should be illegal but I think we need strong network neutrality
laws to make that so. Wishful thinking won’t save us the trouble of passing
them.

~~~
badrabbit
More like if DoorDash put extra salt or spice on my food, the restaurant
owner's expectation of the food's quality and integrity would be violated.

With Comcast, the expected privacy of the traffic by the server is violated;
until delivered, the content belongs to the sender. An intermediary transports
content but does not own it and has no right to manipulate it. Vandalizing other
people's property is a crime everywhere; the question is, does it apply to
network packets in transit?

------
RickS
Does changing your DNS modify this behavior? I had some similar issues with
Cox in DC, and switching to run everything through 8.8.8.8 resolved the
issues. It also resolved a problem with CenturyLink in Seattle where for
whatever reason I couldn't speedtest through fast.com.

~~~
grepsedawk
Nope, they physically open your packets, change the content of the HTML, and
send the packets along the way. Even if you access the IP directly, it still
injects code via MITM attack.

~~~
bloody-crow
I saw the MITM injection from Comcast exactly once and it served as a reminder
to go and change the DNS settings on my routers. Never seen the injection
since, and I've been on Comcast for years.

~~~
AtomicHyper
That is odd, I recently got a MITM injection even while running everything on
openDNS.

~~~
bloody-crow
Maybe you're right and me not seeing injections could be explained that a lot
more traffic goes through SSL/TLS by default, or I'm just not getting close to
my monthly quotas any more.

------
useful
This is related but what is the best trade-off for security vs privacy?
Personally, I'd love the ability to inspect what goes over my network and
devices. I should be able to choose to intercept/log unencrypted content. (I
guess this is actually the NSA-lite argument) With key pinning and HSTS it
makes seeing what the content of a packet is really hard. On android you
actually have to hack apk's to replace the keys.

It used to be very easy to put everything through a proxy server or mitmproxy
and install a certificate on a device. While I value privacy and security, it
seems like every tech company move to "protect users" is really a way to
keep their adware and spyware running on their walled gardens.

------
swasheck
doesn't fort collins have municipal internet now? reading here:
[https://www.fcgov.com/connexion/](https://www.fcgov.com/connexion/) i guess i
didn't realize all of fort collins wasn't yet covered.

~~~
Jaepa
Even if that is a case for this specific user, that doesn't really resolve the
underlying uses that is also affecting spaces that have a regional monopoly
(e.g. me).

EDIT: I understand that's not your point. And I whole heartedly support people
leaving and supporting municipal ISP.

~~~
swasheck
I understand your perspective. I live in Denver, and Xfinity and whatever
Comcast lets CenturyLink have are my choices. I was initially reacting to the
sentence in the post that mentioned that Xfinity was the only available option,
and that struck me as wrong. I did a bit of research before firing off a post
and discovered that my thought was incorrect and based off of incomplete
information, but I left it there in case anyone else was under the same
impression as me.

------
grepsedawk
Twitter thread:
[https://twitter.com/grepsedawkward/status/118922234976323584...](https://twitter.com/grepsedawkward/status/1189222349763235841)

------
corford
1\. Grab a cheap VPS with a decent monthly b/w quota and datacentres near you
(Linode or Scaleway come to mind)

2\. Buy whatever meets your criteria on
[https://openwrt.org/toh/start](https://openwrt.org/toh/start) and install
OpenWRT on it (I use a Mikrotik RB750GR3 with a Ubiquiti UAP-AC-LITE for wifi)

3\. Setup Wireguard
([https://lists.openwall.net/netdev/2018/08/02/124](https://lists.openwall.net/netdev/2018/08/02/124))
on the VPS and OpenWRT

4\. Be happy
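The four steps above describe a full-tunnel WireGuard setup between a VPS and an OpenWRT router. The following is an added example (not corford's configuration and not part of the WireGuard or OpenWRT projects) that generates the two matching configs and checks the routing property that makes the setup actually defeat on-path injection: the router side must carry a default route (`AllowedIPs = 0.0.0.0/0, ::/0`) while the VPS side lists each client's `/32`. Every key, address and port in it is a constructed placeholder; real keys come from `wg genkey` / `wg pubkey` on each host.

```python
"""Generate matching WireGuard configs for a VPS (server) and an OpenWRT router
(client) forming a full-tunnel VPN, then verify the routing properties.
Added example; every key, address and port below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass

TUNNEL_NET = ipaddress.ip_network("10.66.0.0/24")   # constructed tunnel range
VPS_PUBLIC_IP = "203.0.113.10"                        # TEST-NET-3 placeholder
LISTEN_PORT = 51820


@dataclass
class Node:
    name: str
    private_key: str   # placeholder; on the real host: wg genkey
    public_key: str    # placeholder; on the real host: wg pubkey < private.key
    tunnel_ip: str     # address inside the tunnel (constructed)


# Constructed nodes; the key strings are stand-ins, not real WireGuard keys.
SERVER = Node("vps", "SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY", "10.66.0.1")
ROUTER = Node("openwrt", "ROUTER_PRIVATE_KEY", "ROUTER_PUBLIC_KEY", "10.66.0.2")


def server_config(server: Node, clients: list, wan_if: str = "eth0") -> str:
    prefix = TUNNEL_NET.prefixlen
    lines = [
        "[Interface]",
        f"Address = {server.tunnel_ip}/{prefix}",
        f"ListenPort = {LISTEN_PORT}",
        f"PrivateKey = {server.private_key}",
        # Forward client traffic and NAT it out of the VPS WAN interface.
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
    ]
    for c in clients:
        if ipaddress.ip_address(c.tunnel_ip) not in TUNNEL_NET:
            raise ValueError(f"{c.name}: {c.tunnel_ip} is outside {TUNNEL_NET}")
        lines += [
            "",
            f"# {c.name}",
            "[Peer]",
            f"PublicKey = {c.public_key}",
            # Server-side AllowedIPs is both ACL and route: only this client's tunnel
            # address is accepted from the peer and routed back to it. Never 0.0.0.0/0
            # here, or the VPS would send its own traffic into the tunnel.
            f"AllowedIPs = {c.tunnel_ip}/32",
        ]
    return "\n".join(lines) + "\n"


def client_config(client: Node, server: Node, dns: str) -> str:
    return "\n".join([
        "[Interface]",
        f"Address = {client.tunnel_ip}/{TUNNEL_NET.prefixlen}",
        f"PrivateKey = {client.private_key}",
        # Resolve inside the tunnel so the ISP's resolver never sees the queries.
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server.public_key}",
        f"Endpoint = {VPS_PUBLIC_IP}:{LISTEN_PORT}",
        # Full tunnel: every destination goes via the VPS, so the ISP only ever
        # sees encrypted WireGuard UDP and has no HTML to inject into.
        "AllowedIPs = 0.0.0.0/0, ::/0",
        # Keep the ISP-side NAT mapping alive so the VPS can always reach us.
        "PersistentKeepalive = 25",
    ]) + "\n"


def parse_wg(text: str) -> list:
    """Parse a WireGuard config into [(section, {key: value}), ...].
    Repeated [Peer] sections are kept separate (configparser would merge them)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def is_full_tunnel(cfg: str) -> bool:
    """True only if some peer carries a default route. A client whose AllowedIPs is
    just the tunnel subnet would still send its web traffic through the ISP."""
    for name, kv in parse_wg(cfg):
        if name != "Peer":
            continue
        nets = [ipaddress.ip_network(a.strip())
                for a in kv.get("AllowedIPs", "").split(",") if a.strip()]
        if any(n.prefixlen == 0 for n in nets):
            return True
    return False


def example_pair() -> tuple:
    """Server config plus the router config that pairs with it."""
    return (server_config(SERVER, [ROUTER]),
            client_config(ROUTER, SERVER, dns="10.66.0.1"))


if __name__ == "__main__":
    srv, cli = example_pair()
    print("# /etc/wireguard/wg0.conf on the VPS\n" + srv)
    print("# equivalent of the OpenWRT wg0 interface\n" + cli)
    print("router is full tunnel:", is_full_tunnel(cli))
```

On OpenWRT the same settings map onto `uci set network.wg0=interface` / `network.wg0.proto=wireguard` and a `wireguard_wg0` peer section with `allowed_ips` and `route_allowed_ips=1`; the routing semantics are identical. Once `is_full_tunnel` is true on the router side, the only thing the ISP can still do is drop or throttle the UDP flow, not rewrite what is inside it.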

------
rthille
They also MITM DNS and cache negative responses. Comcast sucks.

------
ekimekim
I made a complaint to the FCC about this when they started to do this to me. A
month later I got a cookie-cutter response from Comcast, but it felt good to
at least cost them some tiny amount of time to need to respond. I ended up
moving house to get away.

ISP options are now my #1 factor in deciding where to live, and if Comcast is
the only viable option then I'm happy to tell apartment managers I'll look
elsewhere.

------
paulmd
Their data cap notice interstitials are seriously obnoxious, I ran into the
same problems. I'd end up with "stuck" pages where it would just randomly
appear even after I clicked close.

What I eventually had to do was open a browser tab with no adblock (perhaps
Chrome Incognito), close the notice, _restart my router and modem_ to flush
DNS, then flush locally to be sure it's gone. That usually worked.

------
xeromal
Yeah, they've been doing this for years. It sucks.

~~~
grepsedawk
Totally aware it's old news... and I was hoping to paint a better picture than
the previous artists.

~~~
xeromal
Yeah, I'm not hating at all. Just signalling frustration with you.

------
djsumdog
I noticed this type of notification injection on a mobile phone in the EU for
my own personal websites. It strongly pushed me towards implementing
Let's Encrypt and redirecting my users to HTTPS. ISPs can't inject anything into
the HTML if you force a secure connection (unless they've gotten the end user
to install their CA and inject generated certs).

------
DaniloDias
Can we get technical details here? What JavaScript is being injected? What
destinations are they adding?

Edit: I missed it: [https://rietta.com/blog/comcast-insecure-
injection/injection...](https://rietta.com/blog/comcast-insecure-
injection/injection-attack.js)

~~~
grepsedawk
Javascript is in the blog post

~~~
yellow24
How was it being injected? Was it all pages over HTTP? Could it be a plugin you
have? Did you try multiple browsers?

------
celeritascelery
I am in Fort Collins as well. Can’t wait for the city broadband to come to my
area and ditch Comcast permanently.

------
floatingatoll
Post author, what website were you visiting that was served over
[http://](http://) allowing a data injection to occur?

Have you contacted them to warn them that Xfinity is injecting JS into their
site, and asked them to implement HTTPS+HSTS to protect against that?

~~~
ProAm
[http://xfinity.com](http://xfinity.com)

~~~
grepsedawk
Hahaha they have mixed content

------
simpsond
Cox does this as well. I was recently staying at a hotel and they were doing
something similar, prompting me to rate my experience. I started thinking about
standards to make this kind of thing impossible... Ultimately TLS solves this
issue. We should be bullish on making TLS standard.

~~~
GhettoMaestro
TLS is pretty much standard. Unless you mean in some other way I am not paying
attention to.

~~~
simpsond
I agree it is "pretty much standard" but the ISPs and other network providers
are not doing this with TLS traffic. They are only injecting the scripts in
HTTP requests without TLS, at least in my experience.

~~~
tekknik
Cox is absolutely MITMing this too. HTTP/HTTPS, it doesn't matter. Terminate the
tunnel, forge a cert and QED.
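Two threads above ask the same practical question: which page was served over plain `http://` so that the injection could happen, and whether the same thing is possible on an HTTPS response. The following is an added example (not the blog post's code, not Comcast's script, and not the detector of any named tool) that answers both from the client side: it diffs the HTML observed over plain HTTP against a reference copy of the same page fetched over HTTPS and reports whatever scripts or subresources only the plain-HTTP copy contains, lists mixed content (plain `http://` subresources on an HTTPS page, which an on-path ISP can still rewrite), and checks that the HTTPS response carries a usable `Strict-Transport-Security` header. The HTML bodies, the `injector.example` host and the notice script are constructed stand-ins.

```python
"""Spot HTML injected by an on-path network and the weaknesses that allow it.
Added example; all HTML, hosts and headers below are constructed stand-ins."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ResourceCollector(HTMLParser):
    """Collect external script/img/iframe/link URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, url)
        self.inline_scripts = []  # script bodies without a src attribute
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append((tag, a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag in ("img", "iframe", "link"):
            url = a.get("src") or a.get("href")
            if url:
                self.external.append((tag, url))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf).strip())


def collect(html: str) -> ResourceCollector:
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser


def injected_content(reference_html: str, observed_html: str) -> dict:
    """Scripts and subresources in the plain-HTTP body that the HTTPS reference lacks.
    Anything listed here was added between the origin server and the browser."""
    ref, obs = collect(reference_html), collect(observed_html)
    ref_ext, ref_inline = set(ref.external), set(ref.inline_scripts)
    return {
        "external": [r for r in obs.external if r not in ref_ext],
        "inline_scripts": [s for s in obs.inline_scripts if s not in ref_inline],
    }


def mixed_content(html: str) -> list:
    """Subresources fetched over plain http:// from an HTTPS page. Protocol-relative
    URLs (//host/path) inherit the page scheme and are deliberately not flagged."""
    return [(tag, url) for tag, url in collect(html).external
            if urlsplit(url).scheme == "http"]


def hsts_ok(headers: dict, min_age: int = 31536000) -> bool:
    """True if Strict-Transport-Security is present with max-age of at least a year.
    Browsers only honour the header on an HTTPS response, so check those headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                return int(d.split("=", 1)[1]) >= min_age
            except ValueError:
                return False
    return False


# Constructed sample: the page as the origin serves it over HTTPS ...
REFERENCE_HTML = """<!doctype html><html><head><title>Site</title>
<link rel="stylesheet" href="https://example.org/site.css">
</head><body><h1>Hello</h1>
<script>console.log("site");</script>
</body></html>"""

# ... and the same page as received over plain HTTP, with a constructed notice
# stand-in appended by the network (not the script from the blog post).
OBSERVED_HTML = REFERENCE_HTML.replace("</body>", """<script src="http://injector.example/notice.js"></script>
<script>document.body.insertAdjacentHTML("beforeend", "<div id=notice>Usage notice</div>");</script>
</body>""")

# Constructed HTTPS page that still loads one image over plain HTTP.
MIXED_HTML = """<html><head><link rel="stylesheet" href="https://example.org/site.css"></head>
<body><img src="http://cdn.example/a.png"><script src="//example.org/x.js"></script></body></html>"""

if __name__ == "__main__":
    print("injected:", injected_content(REFERENCE_HTML, OBSERVED_HTML))
    print("mixed content:", mixed_content(MIXED_HTML))
    print("HSTS ok:", hsts_ok({"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}))
```

In practice the reference copy is the HTTPS response (or the site's own deployed files) and the observed copy is the plain-HTTP response from the same network; a non-empty `injected_content` result is the evidence a site owner would want alongside a screenshot. A non-empty `mixed_content` list on an HTTPS page is the remaining foothold, since browsers block active mixed content (scripts, iframes) but may still load passive resources such as images.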

------
tolmasky
Setting up your own VPN with something like Streisand should protect against
this right?

~~~
grepsedawk
yes

------
auiya
So the decision then becomes which do you trust more, your ISP, or your VPN
provider? I choose to only give my money to businesses which perform in good
faith to their customers, regardless of competitive advantages in other areas.

------
accidentaldev
This is happening with BSNL ISP in India. They redirect non-HTTPS pages to
phishing sites that claim my computer has a virus. It is just shocking that an
ISP will redirect me to a known phishing site.

------
hansdieter1337
Did you just upload Comcast's code to your site, make it publicly available,
and glue a GPL license to it? I wouldn't be surprised if Comcast tries to
sue you for that.

------
glitcher
I have Cox Internet and they do the same thing when you reach 85% usage. I
probably don't see it very often though because most of the sites I'm on are
https.

------
yellow24
Can you post the code that was found or how they are doing this? I feel like
details are needed before everyone grabs their pitchfork here.

~~~
gzer0
[https://rietta.com/blog/comcast-insecure-
injection/injection...](https://rietta.com/blog/comcast-insecure-
injection/injection-attack.js)

------
bifrost
Glad I dropped the worst ISP in the USA. You know it's bad when even important
morons (bureaucrats) call you a terrible company.

------
getcrunk
Does this happen over HTTPS, and if so, how?

------
fortran77
Can someone tell me for sure if Xfinity is managing to inject this into HTTPS
pages? And, if they are, how are they doing it?

------
turc1656
Yet another reason to use a VPN. Comcast can't inject this crap if they can't
see the DOM/html.

------
peter303
Comcast gives me a terabyte of downloads a month. I use 5% to 10% of that, but
on what I don't know.

~~~
bdcravens
If you have one of their newest routers, you can see a breakdown by device.

------
dmix
This is why I hate those “why you shouldn’t use VPN” articles.

------
giancarlostoro
Wonder where this falls under the Computer Misuse Act?

------
boomlinde
Take a screenshot of your website with this notification injected and send
Comcast a standard DMCA take-down request. They are distributing illegally
modified copies of your website.

------
_bxg1
HTTPS should prevent MITM on web pages, no?

~~~
aaomidi
Yep - all websites should be using https honestly. There's barely any excuses
left not to.

------
jwilk
Ugh:

    
    
      <style>
      body {
      display: none;
      }
      </style>
    

To read the article without JS, disable also CSS.

~~~
inetknght
Better solution: use Firefox and just prepend `about:reader?url=` to any URL
you load. This article loads _very_ nicely in Reader mode.

about:reader?url=[https://rietta.com/blog/comcast-insecure-
injection/](https://rietta.com/blog/comcast-insecure-injection/)

~~~
grepsedawk
One of the things I tried really hard to do is make the HTML _really_ clean
for things like this. Is reader mode "really good" or do you think it loads
very nicely because of the work we put in to make the HTML nice?

~~~
inetknght
I think it's a mix of both. Honestly I _vastly_ prefer Reader mode's
presentation than _any_ other layout, and especially any layout which changes
if I interact with it (resize window, move mouse, click mouse button, press
key, send window to background, whatever).

I have seen some sites that completely break when using Reader mode. I have
seen sites that are very well done in Reader mode, complete even with pictures.

------
api
Encrypt all the things.

------
wil421
I have Xfinity and they've done this to me. It only happened to my wife when
she was browsing. My data cap has hit 90% this month but I haven't seen the
message. 4K Netflix is no joke and can easily make me hit 1TB.

Safari is my main browser and I recently stopped using Chrome. I believe my
wife uses Chrome. Maybe this doesn’t work on Safari?

~~~
lameiam
How are they Communistcast? Clearly they represent the worst of capitalism,
unless I am missing something.

~~~
wil421
Removed.

------
generalpass
Why not get a $5/mo VPS and use VPN?

~~~
LinuxBender
This is a valid work around for an invalid problem.

If your ISP is tampering with packets, that is the anti-pattern that needs to
be remediated ASAP.

In my opinion, the only packet change behavior that an ISP should be involved
in is adhering to QoS headers. 0x08, it's bulk. 0x04 reliability, 0x10 low
latency. And if they want to charge me more for 0x04, that is fine if it's
clearly spelled out in the contract.

~~~
generalpass
How is the problem invalid? I mean, seriously - those guys spend a lot of
money greasing the wheels of your local town council, and they gotta' put food
on their plates like everybuddy else.

~~~
LinuxBender
The problem is invalid, because it is not a "problem". It is an "incident".
Specifically a security incident that needs remediation.

