
Comcast is injecting 400+ lines of JavaScript into web pages - CSDude
http://forums.xfinity.com/t5/Customer-Service/Are-you-aware-Comcast-is-injecting-400-lines-of-JavaScript-into/td-p/3009551
======
Declanomous
I'm annoyed by this on several levels. The biggest issue is that I'm using an
Arris SB 6121 and I'm getting notifications that my modem is EOL. However, the
SB6121 is listed as a supported modem for my speed level on their supported
modems page.

If I go to their supported modem page, I literally get a page where my current
modem is shown as not supported, and the exact same modem is shown next to it
as "supported."

I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud
claim with the Illinois attorney general. This is the third or fourth time
I've had a supported modem that Comcast has claimed isn't supported, and I'm
sick of jumping through hoops getting this resolved.

Every time this happens their customer service reps tell me that the only way
to avoid this is to use one of their modems. I'm sick of this. What a terrible
company. Fix your shit before you start injecting garbage into the websites I
visit.

edit: Proof [https://imgur.com/lzKBkMs](https://imgur.com/lzKBkMs)

~~~
throwahey
There is a reason they are doing this. After signing up for Xfinity I noticed
that the modem we were leasing was broadcasting a public access point with no
way to disable it. I purchased my own modem immediately. Then some time later
they rolled out their mobile services, which, you guessed it, rely on those
open access points and Sprint as a fall-back. So now customers are paying
monthly to host Xfinity mobile services.

I will admit that it is clever, but this should be transparent and customers
should not be subsidizing the cost.

~~~
sethrin
As far as I am aware, it is possible to disable the public 'xfinitywifi'
hotspot on all Comcast modems which provide this feature (I had a stint as a
TSR relatively recently). Further, I believe this is a user-configurable
setting on all CC modems. I personally have this feature disabled on my Arris
1682G, and this should be their most common model in most regions.

~~~
marklyon
I was told I could not disable their hotspot, nor could I set my own DNS
servers. Since I kept having connectivity issues due to Comcast’s DNS being
flaky, and not wanting to manually configure every client, I bought my own
modem and wireless setup.

~~~
Pyxl101
You can disable the hotspot and use your own DNS servers if you want. The
ability to disable the hotspot is documented in the public FAQ (Google:
"XFINITY WiFi Home Hotspots FAQs").

I've used my own DNS servers before. I have no problem making DNS queries to
8.8.8.8, and in fact I switched my PC to use it one time when Comcast DNS was
down.

~~~
JadeNB
What's the point of giving Google instructions instead of just linking
[https://www.xfinity.com/support/articles/disable-xfinity-wif...](https://www.xfinity.com/support/articles/disable-xfinity-wifi-home-hotspot) ?

------
metaphor
J. Livingood (a Comcast VP) responded to the OP:

> _[JL] We are not trying to sell you a new one. If you own your modem we're
> informing you that it is either end of life (EOL) or that you are about to
> get a speed upgrade that the modem will be unable to deliver._

Incidentally, Livingood is a co-author of IETF RFC 6108, which he has
conveniently linked. From the RFC's general requirements numero uno:

> _R3.1.1. Must Only Be Used for Critical Service Notifications. Additional
> Background: The system must only provide critical notifications, rather than
> trivial notifications. An example of a critical, non-trivial notification,
> which is also the primary motivation of this system, is to advise the user
> that their computer is infected with malware, that their security is at
> severe risk and/or has already been compromised, and that it is recommended
> that they take immediate, corrective action NOW._

As composed as Livingood's response was, a modem at EOL and/or incapable of
supporting an incremental speed upgrade doesn't strike me as _critical_. To be
sure, Comcast is scheduled to increase speeds by 12/19 (at least in my
region): 10 Mbps->25 Mbps, 25 Mbps->60 Mbps, 75 Mbps->100 Mbps. Although I
disagree with Comcast's method and categorization, it would be interesting to
learn what modem the OP was using.

It would also be interesting to learn if the OP received this message on
multiple instances. If yes, it would be in violation of its own requirement,
in particular _R3.1.8. User Notification Acknowledgement Must Stop Further
Immediate Notifications_, which itself is contradictory in its use of _must_
and _should_:

> _Additional Background: Once a user acknowledges a critical notification,
> the notification should immediately stop._

EDIT: Apparently, Livingood is an executive.

~~~
jlivingood
> Although I disagree with Comcast's method and categorization, it would be
> interesting to learn what modem the OP was using.

We start telling customers that a modem needs to be upgraded when one of two
things happen: either they are about to or just had a speed upgrade that their
modem cannot support or the modem has gone end-of-life (EOL) from the vendor.

In the former case, if the device is leased, you are sent a new one to replace
the device and just have to basically say ok. In the latter case, it is a
customer-owned device so the customer is asked to go buy a new one someplace
(e.g. Amazon, BestBuy).

And in the EOL case, the vendor may have gone out of business or shut their
cable modem business down, or otherwise decided to no longer support the
device due to its age. That of course means that if a security issue came up,
as they do, that the vendor would not be able or willing to provide a software
fix for the device. So it's best to get the ball rolling to get those devices
replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0
devices (10+ years old), which can only do a single upstream and downstream
channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8
years old).

~~~
_jal
First, thanks for participating.

Second, I am a Comcast customer who will never see these messages precisely
because you do things like MITM unprotected traffic. Because I can't trust you
to leave my traffic alone, all my traffic is tunneled.

So at the very least, if you feel this is a critical service you are offering
(as implied by the RFC), you need an alternative communications channel for
people like me who don't permit this one. Snailmail is fine; you try to upsell
me constantly through that channel already.

~~~
pooloo1
I second this. In addition, the injection is not only related to EOS/EOL for
modems; it is also for when you are approaching your data cap, which is rather
annoying because it actually can halt your gaming or Netflix experience oddly.
I have had both happen, one I was playing PlayerUnknown's Battlegrounds and
the game crashed. Since the game itself uses web based tools, for its menu
system, upon restarting the client a Comcast injected message popped up
warning me I have used 90% of my data cap.

The same thing happened on Netflix ...

~~~
aaomidi
TBH what kind of game doesn't use https...

~~~
cookiecaper
HTTPS is not free. Game developers are usually very performance-sensitive. If
you're not transmitting any sensitive data, it may seem appealing to forgo the
seemingly-needless HTTPS overhead.

~~~
enzanki_ars
Please cite your sources on the speed comparison. See:
[https://istlsfastyet.com/](https://istlsfastyet.com/)

Also, most games I have played seem to use HTTPS. The only time it is used is
when the game does not need an instant result, in which case they use HTTP or
HTTPS. Most of the time, this is in the main menu or similar. Doing this
makes it even harder (assuming they use certificate pinning) for users to
change the values returned to gain any advantage on their client.

Any part of the game that needs speed should be using a UDP based protocol.

------
BrandoElFollito
When reading about Comcast I was always wondering why they have no competition
when everyone who comments is complaining.

I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without
constraints. I used to have Free, which was great but did not offer fibre when
fibre was installed. I switched to Orange in 5 min via a web page. I have
another possibility (SFR) but they are despicable liars and for this reason
alone I scrapped them.

This is France, where competition is not a national sport so I was expecting
the US to have 5 other companies banging on the door.

~~~
Chriky
In a natural monopoly regulation /increases/ competition and freedom for the
consumer.

The BBC had an article about this a few years ago [0]. Basically the highly
regulated countries had cheaper and faster internet.

> Rick Karr, who made a PBS documentary in which he travelled to the UK to
> find out why prices were lower, says that the critical moment came when the
> British regulator Ofcom forced British Telecom to allow other companies to
> use its copper telephone wires going to and from homes.

> But US regulators took a different approach. Rather than encouraging
> competition between operators using the same network, the US encouraged
> competition between different infrastructure owners - big companies that
> could afford to build their own networks.

> Some believe that UK-style regulation is bad for competition and innovation,
> however, and suggest that the US is already one of the world leaders in
> broadband.

[0] [http://www.bbc.co.uk/news/magazine-24528383](http://www.bbc.co.uk/news/magazine-24528383)

~~~
trappist
It might be easier to convince me ISPs were a natural monopoly if they weren't
also a legally protected monopoly where they are, and generally have plenty of
competition where they aren't.

~~~
brians
I’m not sure that’s evidence against their natural monopoly position. It might
be that we’re in a world where in some places, it’s plausible to have two
ISPs, and in many it’s not—but if two try, they’ll both fail to get enough
people to be profitable. Then any sane provider wants to demand exclusivity as
the cost of pulling fiber through a community, and unhappily acknowledges that
they’ll have to cover all of their exclusive territory. If we’re in that
world, and the service is nearly essential, we’ll see legal monopolies in lots
of places, and some places with no legal monopoly and no service—they can’t
agree on a price.

I’m prone to suspicion of their business practices too, but every one of the
Comcast technical staff I’ve met, from Jason down, has been an excellent
person deeply committed to the best mission of a telecoms company, enabling
human communication. Is that a marketing campaign? Yes, but as far as I can
tell it’s an honest campaign of showing the world who they are and what they
care about.

~~~
Bud
This is laughable in light of Comcast warring against net neutrality and lying
about it to customers and everyone else.

Laughable.

------
Brybry
Comcast is not alone in this. Cox Communications has been injecting code into
HTTP traffic for years.

I think sometime around 2008 I first saw them do it (I noticed NoScript
blocking a script on a page that it wouldn't normally). If I remember
correctly, following it to its source hinted that it was a test for some alert
system.

In 2012 I saw them injecting a script to notify people that their email
servers were down (
[https://www.dslreports.com/forum/remark,27826161](https://www.dslreports.com/forum/remark,27826161)
) though the paranoid in me thinks that was an innocuous way to test how
acceptable altering traffic would be.

The escalation I've seen in the last couple of years is the ability being used
for Cox customer surveys.

As far as I know they haven't injected anything into my SSL/TLS traffic...
yet.

~~~
CydeWeys
> As far as I know they haven't injected anything into my SSL/TLS traffic...
> yet.

You say that as if it were even possible. Or are you referring to the use of
SSL stripping?

HSTS preloading (or visiting a site with HSTS headers that you've previously
visit) will protect you from even that.
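The HSTS point made above, as an added example (mine, not code from the thread or from any browser): a checker for a site's Strict-Transport-Security header against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload), and a small model of the browser-side lookup that decides whether a plain-HTTP request is rewritten to HTTPS from either a cached policy or the preload list. The header values, hostnames and cache entries are constructed.

```python
"""Evaluate a Strict-Transport-Security header and model the browser-side
decision it drives.  Added example, not code from the thread; the hosts and
cache entries used below are constructed."""
ONE_YEAR = 31536000  # minimum max-age accepted by the hstspreload.org list


def parse_hsts(value):
    """Split an HSTS header value into a {directive: value} dict.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(header_value):
    """Return (eligible, problems) against the preload-list submission rules:
    max-age of at least one year, includeSubDomains, and the preload token."""
    if header_value is None:
        return False, ["no Strict-Transport-Security header at all"]
    d = parse_hsts(header_value)
    problems = []
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        problems.append("max-age missing or not an integer")
        max_age = None
    if max_age is not None and max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return not problems, problems


def hsts_upgrades(host, cache, preloaded, now):
    """Decide whether a browser rewrites http://host/ to https:// before sending.

    cache maps a domain the user has visited to (expiry_epoch, include_subdomains);
    preloaded is the set of domains baked into the browser (preload entries always
    cover subdomains).  A cached entry protects subdomains only when it carried
    includeSubDomains, and an expired entry offers nothing.  Only the preload set
    protects a host the user has never visited."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in preloaded:
            return True
        entry = cache.get(domain)
        if entry is None:
            continue
        expiry, include_subdomains = entry
        if expiry <= now:
            continue
        if i == 0 or include_subdomains:
            return True
    return False


if __name__ == "__main__":
    # Constructed header values: one that qualifies for preloading, one that does not.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300", None):
        print(hdr, "->", evaluate_hsts(hdr))
    # Constructed cache: example.com visited earlier with includeSubDomains.
    cache = {"example.com": (2000, True)}
    print("www.example.com upgraded:", hsts_upgrades("www.example.com", cache, set(), now=1000))
    print("never-visited.test upgraded:", hsts_upgrades("never-visited.test", cache, set(), now=1000))
```

The second function is the reason "previously visited" and "preloaded" are two different guarantees: a cached policy only exists after one clean HTTPS visit, so the very first plain-HTTP request to a site is still exposed to stripping unless the domain is on the preload list.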

------
fuzzieozzie
Comcast forced me to upgrade a perfectly acceptable modem so I would have the
option to have higher speed service (which I do not want)! Here's what they
did:

1. asked me to upgrade the modem (emails and letters)
2. Inserted a filter on my line so I lost my connection
3. I bought a new modem (not realizing they stuck a filter there)
4. They removed the filter

I guess this approach does not scale as well as the 400 lines of Javascript!

~~~
timzentu
What spec of DOCSIS was your old modem? If it was 1.0, 1.1, or 2.0, sorry, you
lose all support; the older specs had hard-bonded channels that they put HD TV
on after the swap, which they informed people of for 2 years before it happened.
And they put TV on them since they were degrading channels due to overuse
across the entire network (as in across the country).

The later specs allowed for floating channels based on channel maps, which
allowed Comcast to bypass those degraded channels.

Note: I'm not an apologist, but I worked for Comcast and for a subcontractor.
Comcast treated (at least in my opinion) their customers like wallets that
called and complained, but under the subcontractor I saw that since they
didn't rewire 100% of all networks purchased, it was common that the older
lines were causing the degradation and also reflection on other RF channels
sometimes on the other side of an area even. Now if Comcast invested in their
network as opposed to buying other companies and calling it investment, this
might have been fixed, but that would be decades vs. having every modem that
wasn't compliant to the new spec swapped.

~~~
uxp
The SB6121 is a DOCSIS 3.0 4x4 modem rated for 174 Mbps, the SB6141 is an 8x4
rated for 343 Mbps, and the SB6181 is a 16x4 rated for 686 Mbps. Outside of
their capabilities, the hardware on them is nearly identical. There is nothing
"EOL" about the SB6121 except for the idea that it's unable to support
200 Mbps. It's a perfectly good entry-level modem capable of offering speeds
that are over 7 times the minimum definition of "high speed internet".

------
w_t_payne
I thought HTTPS was supposed to prevent this sort of man in the middle attack?
(Or at least make it harder) -- and I thought that most websites used HTTPS
these days...

or am I misunderstanding?

If they are able to do this, and are injecting JavaScript for something as
low-return as online ads, then what is to prevent them from changing the news
headlines on <insert your news website of choice here>, or the stock ticker
feed... How do we know that they aren't?

Do we, as a community, have any mechanism to detect if these sorts of attacks
are occurring?
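To the detection question above, an added example (mine, not code from the thread or from any ISP): fetch the same page over plain HTTP and over HTTPS and diff their `<script>` elements. The HTTPS copy serves as the baseline because an on-path party cannot alter it without a certificate the browser trusts, so anything extra in the HTTP copy was inserted between the origin and the client. The two HTML documents and the `notify.example-isp.invalid` host are constructed.

```python
"""Detect script injection by diffing the plain-HTTP and HTTPS renditions of
the same page.  This is an added example, not code from the thread or from
Comcast; the two HTML documents below are constructed and the
'notify.example-isp.invalid' host is a placeholder."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record every <script> as ('src', url) or ('inline', short sha256)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()[:16]))


def collect_scripts(html):
    """Return the ordered list of script fingerprints found in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(http_html, https_html):
    """Scripts present in the HTTP copy but absent from the HTTPS copy."""
    baseline = set(collect_scripts(https_html))
    return [s for s in collect_scripts(http_html) if s not in baseline]


# Constructed sample: the page as the origin serves it over HTTPS ...
HTTPS_PAGE = (
    '<html><head><script src="/static/app.js"></script></head>'
    '<body><p>Hello</p><script>console.log("site");</script></body></html>'
)
# ... and the same page as received over plain HTTP, with two scripts
# prepended to <head> (constructed; mirrors the pattern described in the thread).
HTTP_PAGE = HTTPS_PAGE.replace(
    "<head>",
    '<head><script src="http://notify.example-isp.invalid/alert.js"></script>'
    '<script>var ispAlert = {level: "warn"};</script>',
    1,
)

if __name__ == "__main__":
    for kind, value in find_injected_scripts(HTTP_PAGE, HTTPS_PAGE):
        print(f"injected {kind}: {value}")
```

Two caveats for anyone running this against live sites: origins that legitimately serve different HTML on the two schemes, or that rotate inline-script nonces per request, will show up as differences, so compare a few fetches and treat a stable extra `src` pointing at a host the site does not own as the real signal; and a site that is only reachable over HTTPS has no HTTP copy to diff, which is the outcome the rest of this thread is arguing for.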

~~~
freneticfox
The injection is currently for non-HTTPS only, but I can easily see this
situation evolving for the worse as HTTPS becomes increasingly the default.

What will happen is someone at Comcast will notice that their injections
aren't happening often enough anymore due to HTTPS adoption. Someone at
Comcast will suggest implementing a MITM TLS proxy service to get things
working again. Someone else at Comcast will note that wouldn't actually work
because they can't install fake root certs on every client device...

Then Comcast will basically switch to a model where the HTTPS interception is
"optional" (requiring the client-side use the proxy explicitly), but they'll
start shipping some kind of "Comcast Setup" executable (or mobile app) users
are supposed to run on their client laptops/phones so that they can get these
important service notices, which turns on the client-side use of the proxy and
installs the fake root certs. Geeks may not install it, but the bulk of their
customers will, and everyone loses. I don't think broadband consumers are
aware of the fact that they shouldn't trust software provided by their ISP...

~~~
ec109685
Chrome and all other browsers would quickly put an end to that.

------
candiodari
The thing that's so irritating about large telco's is not just that they're
evil, but the casual stupidity of their actions, including their evil actions.

I mean, look at the code. Look at the function of this code. Look at the
business purpose of this code. Look at the security aspects of using this
code. Look at the legal ramifications (why the hell is that LGPL thing up top
there?). Look at their internal communication. Look at how easy it is to see
exactly what they're doing ...

All of it screams "no double digit IQs anywhere near this thing".

And yes, I mean, I know that's not true. Their people are not this stupid
(though some must be). But they do this anyway. The organisation does business
analysis at the level of a 5 year old, codes like a 10 year old, obviously
this has not passed legal review, ...

How can an organisation that executes this badly become this big? I mean, I
know the answer is "government" and government making them a monopoly, but
still. WTF.

~~~
kw71
I have a few years of experience inside Comcast and I've concluded that
Comcast's executive management are the ones at fault here. Across several
divisions, their engineers have been fantastic and a pleasure to work with.
This all goes to shit when the businesspeople around the engineers are making
terrible, selfish decisions and optimizing their hourly employees for numbers
(call center I'm looking at YOU)

~~~
jstanley
Good engineers don't do evil things, even if their bosses tell them to.

~~~
nkrisc
A mortgage and tuition for kids is a powerful motivator.

~~~
paulie_a
The yuppie Nuremberg defense. From the excellent movie "Thank You for Smoking".

~~~
katastic
You guys sound like you're 20.

You think things in the world are so "obviously" black and white.

Comcast making shitty business decisions is not burning Jews in ovens. And the
fact you're not immediately laughed out of the room when you make such
comparisons is the real sad reflection of society in this thread.

~~~
macawfish
There are other companies doing much more evil things.

------
AndyMcConachie
TFA mentions a Comcast tech referencing RFC 6108:

"[JL] This is our web notification system, documented in RFC 6108
[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108),
which has been in place for many years now."

However, RFC 6108's requirement R3.1.1 states:

       R3.1.1.   Must Only Be Used for Critical Service Notifications
                 Additional Background: The system must only provide
                 critical notifications, rather than trivial notifications.
                 An example of a critical, non-trivial notification, which
                 is also the primary motivation of this system, is to advise
                 the user that their computer is infected with malware, that
                 their security is at severe risk and/or has already been
                 compromised, and that it is recommended that they take
                 immediate, corrective action NOW.

RFC 6108:

[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

~~~
robterrell
I'm sure the comcast "tech" knows what's in the RFC. Look in the top-right
corner; he's one of its authors. He's also replying in this thread.

~~~
AndyMcConachie
Do you consider upselling subscribers on modems a critical service
notification? I don't.

------
sccxy
That is one reason why HTTPS is must for all sites.

~~~
nkkollaw
Would HTTPS help at all in this case, though..?

~~~
Xylakant
Yes. You can’t inject code in a TLS-secured connection unless you can MITM TLS
and if they can do that, all is lost anyways.

~~~
izacus
There are several corporate firewall products that can do just that. Comcast
can just start demanding that their customers install their root cert and
that's that.

Remember they are the only venue to access the internet for a lot of people,
what are they going to do? Stop using the pretty much mandatory communication
and information platform?

I'm always surprised just how many people here on this site think you can
fight social/political fights with technology. Especially when it comes to
entities that can bribe legislation and control your communication.

~~~
mseebach
They could, but they don't. Until they do, or imply in any way that they
might, let's stick to the facts and leave wild, flailing speculation to
reddit.

Regardless of what an ISP might do, HTTPS everywhere is excellent advice.

~~~
izacus
After all the horrible consumer practices Comcast does regularly you'll still
give them the benefit of the doubt? How many times do they have to prove
themselves as untrustworthy and consumer hostile that you'll stop sitting
there and just hoping that next magical tech will make them stop trying to
extract maximum money and inject ads into your stream?

Yes, HTTPS is great and should be deployed everywhere. But thinking that
they'll just give up on injecting ads into your stream when a large chunk of
people use it is hopelessly naive - especially when off-the-shelf enterprise
solutions that MITM HTTPS traffic already exist.

~~~
Xylakant
The technical capability to MiTM TLS exists since the very moment TLS was
designed. It all hinges on the ability to get a trusted certificate for the
domain you want to MiTM. You can do TLS MiTM with Apache if you choose to.
Acquiring the Cert has always been the problem and nothing changed in that
regard. Strictly speaking, things on that front have become harder since
browsers are becoming more and more strict about enforcing TLS security. If
Comcast moved to distributing a CA cert to their customers I could quite well
imagine that all browser vendors block that root, as they’ve done with CAs that
fell out of trust.

~~~
izacus
Comcast and their telco friends just managed to lobby legislation away while
completely ignoring complaints and good business. It doesn't look like
Americans have any power to fight against these companies so trust into other
for-profit companies which are reliant to Comcast & Co. for their profits
seems a bit optimistic to me :/

~~~
lostcolony
That post wasn't about legislation. It was about the fact that if Comcast
started trying to install root certs on the machines of customers using them
for their ISP (which itself is unlikely because of the extra cost both to
install, and to troubleshoot, i.e., "why can't I browse anything when I am on
my new phone"), Google, Apple, and Microsoft could, and likely would, decide
to reject them in their respective browsers as being untrusted. Because they
have seen fit to do that in other instances where user security was
compromised, and an ISP MITM every bit of your traffic is no less alarming.

------
freen
In my humble opinion, there is no situation that would merit javascript
injection that would not rise to the importance of fully disabling someone's
internet connection, if only temporarily.

Case #1: Malware. Full disconnect, redirect to explanation.

Case #2: EOL hardware causing interference. Full disconnect, redirect to
explanation, method to rectify.

Case #3: Consumer not getting what they paid for: email me/snailmail.

I think the RFC makes it clear: this should not be for trivial notifications,
only critical notifications, and if it is truly critical, it should disable
the entirety of the connectivity until the user
acknowledges/remedies/whatever.

I call shenanigans.

------
Veratyr
Could this legally be construed as creating a derivative work under copyright
law?

As a site owner, could I prosecute Comcast for infringing on my rights by
altering the content of my pages?

~~~
philjohn
That was my first thought - the web page is copyrighted code.

Unfortunately, expect to see more of this happening with the useful idiot Pai
running the FCC.

------
exikyut
The gigantic image:
[https://i.imgur.com/kN2rMhK.jpg](https://i.imgur.com/kN2rMhK.jpg) (source:
[http://comcastsupport.i.lithium.com/t5/image/serverpage/imag...](http://comcastsupport.i.lithium.com/t5/image/serverpage/image-id/34982i05D20DB4C25229CF/image-dimensions/200000?v=1.0&px=-1h) - URL
manually edited to display largest possible size)

I paged through the JS curiously, and found the URL
bnpsa.g.comcast.net/images/mydevicealert/browser/. I wondered what would
happen if I hit that from my ISP in Australia. I was surprised: I got an
NXDOMAIN back.

But I discovered that googling the above URL as a quoted string finds a bunch
of copies of the JS scattered around the Internet. Might be useful.

So then I tried hitting bnp-service-alerts.gslb2.comcast.com/images/. This
actually resolved, and Chrome hung at "Connecting...". After rechecking the
URLs I noticed this one was referenced in the JS as HTTPS, so I added that,
and promptly got 403 Forbidden.

Question to anyone on Comcast [edit: which has been answered]: does
[http://bnpsa.g.comcast.net/images/mydevicealert/browser/](http://bnpsa.g.comcast.net/images/mydevicealert/browser/)
resolve for you?

~~~
mehrdadn
> Question to anyone on Comcast: does
> [http://bnpsa.g.comcast.net/images/mydevicealert/browser/](http://bnpsa.g.comcast.net/images/mydevicealert/browser/)
> resolve for you?

Nope, it does not for me. Non-existent domain.

~~~
pdpi
That's the sort of domain I could very well see only resolving from comcast
DNS, and them not propagating it anywhere else.

------
hardlianotion
This is the bit I find amazing:

> Comcast has my phone office number, my cell for texts, my email, and my home
> address, yet they choose to molest my requested web pages by injecting
> hundreds of lines of code.

[JL] The notice is typically sent after a customer ignores several emails.
Perhaps some of those ended up in your spam folder?

So ignoring spam entitles you to this behaviour?

~~~
oxymoran
What he is saying is that they exhausted all other contact methods. If they
stopped after the email and let the person's modem stop working, they would
have likely been livid about that as well. Look, I don’t like Comcast any more
than you do. But at some point, you need to recognize your biases when
evaluating your enemy. I thought this was some nefarious attack based on the
headline, but it’s just a critical system message that was thoroughly
explained by an executive and you all are freaking out...

~~~
csydas
I sincerely disagree, especially as per the report Comcast's own second level
confirmed there was no need to replace the modem. It was an automated
advertisement done in a very not good way; Comcast's own billing system
notifies you of just about everything else; you can forward your billing
statements and other such information to other emails, why not this?

The reason everyone is freaking out is because they feel pretty darn strongly
that the ISP should not be injecting code into webpages delivered, especially
not in an automated way without some oversight. If this is to be a service,
the bar for what is necessary for such information must be far higher than "an
automated system decides it's time." We get into really scary territory just
by doing this in the first place, but to use it for advertisements or basic
maintenance? That is a misuse of such technology.

And no, I don't think people would be as livid as you suggest if the modem
just broke; ISP modems are fragile little things, and it's not uncommon to go
through them. I don't think I've had a single ISP where I didn't have to
eventually, and the natural progression for each one (Comcast included) was:

1. I called the ISP
2. We did some tests with support
3. Once we did the Speedtest / reboot song and dance, a new modem was issued
that day.

This is expected; if I had asked for such a service from Comcast, this would
be a different discussion entirely (an Opt-In service), but as it is, it's a
pretty lame reason to suggest that Comcast needs to be able to inject data
into pages I load.

And I rather liked Comcast for the year I had it - I wasn't keen on being on
them since I would rather have been with our Municipal, but the place I was at
was not yet in a service area for the municipal. More or less, even with my
support and canceling experience, I was fine with the service I received. This
would have upset me considerably.

~~~
jlivingood
> I sincerely disagree, especially as per the report Comcast's own second
> level confirmed there was no need to replace the modem.

I am skeptical of this - maybe we made a mistake in telling the customer that.
The people that are sent notifications are carefully checked to match the
EOL/EOS modem criteria or speed mismatch criteria and would not be sent
otherwise. It is sometimes the case that a customer has recently upgraded
their device but their old device remains provisioned and on their account
(and needs to be removed), which sometimes explains this.

> It was an automated advertisement done in a very not good way;

It was not an ad - it was a request that the customer replace/upgrade their
device. They can buy that anywhere, whether used on eBay or new on Amazon,
etc.

> Comcast's own billing system notifies you of just about everything else; you
> can forward your billing statements and other such information to other
> emails, why not this?

We've been working to greatly simplify billing, as customers have told us for
some time that we were packing too much info into those statements and it was
sort of information overload.

> The reason everyone is freaking out is because they feel pretty darn
> strongly that the ISP should not be injecting code into webpages delivered,

Available alternatives are not great, such as using DPI everywhere, DNS
modification (we use DNSSEC), or a walled garden (all service disrupted while
in walled garden). These methods tend to be more costly and cause more
disruption for customers. As noted elsewhere, we're working on better methods
and part of that might depend on Internet-wide standards rather than something
Comcast-specific (which is always my personal preference).

> If this is to be a service, the bar for what is necessary for such
> information must be far higher than "an automated system decides it's time."
> We get into really scary territory just by doing this in the first place,
> but to use it for advertisements or basic maintenance? That is a misuse of
> such technology.

It's not basic maintenance - that should always be transparent to customers.
This is about moving to new technology from outmoded technology. A good
example of a key concern for modem upgrades is that the vendor does not
support it any longer and the software/hardware is 8 - 10 years old.

~~~
csydas
Well, thank you for the response, but I am not very satisfied with the
answers.

The crux of disagreement is the method of delivery and the importance of the
upgrade requiring this sort of injection. You write:

> Available alternatives are not great, such as using DPI everywhere, DNS
> modification (we use DNSSEC), or a walled garden (all service disrupted
> while in walled garden). These methods tend to be more costly and cause more
> disruption for customers.

I'm still not convinced as to why a phone call or an email would not suffice.
What information is specifically being cited by customers as "information
overload"? Why can this not simply be a notification as a part of the Xfinity
main page? Why isn't an email that only has information on the EOL of a modem
less obstructive than yet another pop-up for users who are trained to ignore
pop-ups?

The case for an injection isn't really made simply because other intrusive
methods are more intrusive; the presentation of the message itself is just
more information in a sea of information, and the criticality of the issue
isn't sufficiently justified either. This is not the appropriate way of
communicating information that has no such urgency. It's a very nice thing to
phase out modems that are EOL, sure, I will grant that. But the information is
not so urgent that it needs to be delivered right now or injected into the
webpage. That is not something the ISP should be doing, which I suspect is
another point of contention that will be had.

------
Aaron1011
From Comcast's RFC that's linked in the thread:

> R3.1.1. Must Only Be Used for Critical Service Notifications

> Additional Background: The system must only provide critical notifications,
> rather than trivial notifications. An example of a critical, non-trivial
> notification, which is also the primary motivation of this system, is to
> advise the user that their computer is infected with malware, that their
> security is at severe risk and/or has already been compromised, and that it
> is recommended that they take immediate, corrective action NOW.

Not only is Comcast trying to justify this awful practice, they picked one of
the worst possible examples to do so. There is no set of circumstances under
which a 'You have malware!' popup should be taken seriously.

------
tosh
"Comcast's Web Notification System Design"
[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

~~~
lsmod
"Must Only Be Used for Critical Service Notifications." [0]

[https://tools.ietf.org/html/rfc6108#section-3.1](https://tools.ietf.org/html/rfc6108#section-3.1)

~~~
mtgx
> and is instead based in open IETF standards and open source applications.

Why did the IETF ever agree to standardize this? It reminds me of their
standardization of Cisco's "lawful intercept" router backdoor protocol.

[https://tools.ietf.org/html/rfc3924](https://tools.ietf.org/html/rfc3924)

[https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/Bl...](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-slides.pdf)

I guess this is what you get when the IETF literally has NSA agents as chairs
of its groups.

[https://arstechnica.com/information-technology/2014/01/nsa-e...](https://arstechnica.com/information-technology/2014/01/nsa-employee-will-continue-to-co-chair-influential-crypto-standards-group/)

~~~
garaetjjte
These are only informational RFCs, which can be published by anyone.

> This RFC is not a candidate for any level of Internet Standard. The IETF
> disclaims any knowledge of the fitness of this RFC for any purpose

~~~
SAI_Peregrinus
RFC stands for "Request For Comments". Some of them get turned into standards,
but most are just the IETF equivalent of a forum thread. They're a way to
start a discussion about a network engineering design.

------
jijji
I've worked at comcast too for a while as a consultant, and I think the
problem is that they take people that were working in customer service and
promote them to senior engineer roles and management roles. This is why they
hire consultants when everything goes upside down. A lot of telcos do this,
I've seen this in many datacenter environments with ISPs and telcos. You got
guys making decisions that don't really have the background to be making those
decisions.

------
kyle-rb
> Why did you vandalize my car!?
>> Well you weren't responding to my emails, so...
> But you can't just do that!
>> No, no, it's fine. I've been doing it for years, and I've documented the
>> practice right here.

------
actuator
Unfortunately, in the US and Europe at least most people will care about this
and even get a response. I think 4-5 years back when I was in one of the
cities in which MTNL is there in India, ads were being served in the same way
on MTNL. They were injecting an ad serving pop-up on every page served on
HTTP. The worst thing was it sometimes used to show some sketchy virus ads
also. I complained about it multiple times, never even heard back from them.

~~~
menckenjr
It strikes me that the best way to combat this might be in the browser itself
- intercept and remove the offending javascript (or better, redirect its
execution into a walled sandbox where it _thinks_ it's setting cookies and
downloading code) and remove it from the main page viewing stream.
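Short of sandboxing in the browser, a simpler defender-side check is to diff the page as seen over plain HTTP against a trusted copy (the same URL fetched over HTTPS or through a VPN) and list the scripts that exist only in transit. This is an added example, not code from the thread; the HTML samples and the notice host name are constructed placeholders.

```python
"""Added example (not from the thread): spot scripts that were injected into
an HTTP page in transit by diffing it against a trusted reference copy, e.g.
the same URL fetched over HTTPS or through a VPN."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline_source) tuple."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:  # inline script body, may arrive in chunks
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(reference_html, observed_html):
    """Scripts present in the observed (plain-HTTP) copy but absent from the
    reference copy: the candidates for something added by the network."""
    expected = set(collect_scripts(reference_html))
    return [s for s in collect_scripts(observed_html) if s not in expected]


def foreign_script_hosts(page_url, html):
    """Hosts of external scripts that are not the page's own origin. Useful
    even without a reference copy, as a first-pass triage list."""
    page_host = urlparse(page_url).hostname
    hosts = set()
    for src, _ in collect_scripts(html):
        host = urlparse(src).hostname if src else None
        if host and host != page_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed reference copy of a page, as the origin serves it.
REFERENCE_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script></head>
<body><h1>Hello</h1></body></html>"""

# Constructed copy of the same page as seen over plain HTTP, with an overlay
# notice added in transit. The notice host is a placeholder, not a real one.
OBSERVED_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script></head>
<body><h1>Hello</h1>
<script src="http://notice.isp-placeholder.invalid/overlay.js"></script>
<script>var n=document.createElement('div');n.id='notice';
n.textContent='Equipment Update: your modem is end of life';
document.body.appendChild(n);</script>
</body></html>"""

if __name__ == "__main__":
    for src, body in find_injected_scripts(REFERENCE_HTML, OBSERVED_HTML):
        print("injected:", src or body[:60])
    print("foreign hosts:", foreign_script_hosts("http://example.com/", OBSERVED_HTML))
```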

------
kels
I had this happen to me recently when I hit 90% of my data cap from Comcast
for the first time.

At first I noticed that all traffic was being hijacked to show me a full page
message that I was at 90% of my data limit and to contact the Comcast Security
Assurance team. It looks really scammy like those alerts from "Microsoft" that
my computer is infected.

After clicking on the acknowledge link multiple times it wouldn't stop so I
called the security assurance team.

While waiting on hold for 30 minutes it finally stopped but I was already
irate. I had to argue with the rep because he told me that I could disable
the web notifications and he finally found out that Comcast removed that
option and he apologized that there was nothing he could do.

------
sathackr
As a big ISP that stands to profit from the current FCC standpoint, Comcast is
in the crosshairs of the internet community.

But if what has been said by all parties is true, I can't find significant
fault with Comcast.

Here is the text of the "ad" (typed from viewing the attached image in the
OP):

    Get ready, we're increasing Internet speeds in your area.

    Our records show that the modem you currently have connected to our network won't be able to handle these faster speeds, so we recommend updating your equipment.

    <b>Buy from a Retailer</b>

    Before you make your purchase, visit https://mydeviceinfo.xfinity.com to view a list of modems certified to work on our network with your speed tier.

    <b>Lease and XFINITY Modem</b>

    Call 1-855-242-2876 and we will send you a Self Install Kit

    <b>Equipment Update</b>

Seems appropriate and to the point. They tell the customer they can either go
buy a modem from a retail store, or lease one from XFINITY. Hardly a high-
pressure ad.

Injecting anything into a website makes me feel a bit dirty, but nobody has
refuted Comcast's claim that other communication methods were tried first and
that this was more of a last resort.

Speaking in general terms because I'm not involved deeply with DOCSIS, older
devices are less efficient and generally use more spectrum (even in a cable,
there are RF spectrum limitations) to deliver the same speeds. Customers using
old devices that don't support the newer and faster standards reduce the total
bandwidth available to all customers, increasing costs for both Comcast and
its customers.

edit: fix formatting. HN needs a preview button.

~~~
rdiddly
It's most likely Comcast's own fault the other messages were ignored. They
pollute every communication channel with marketing spam.

The Boy who Cried Wolf didn't have man-in-the-middle technology available but
the lesson remains the same: if you want to be heard, shut the fuck up until
you've got something to say.

------
gigatexal
Let me just drop Comcast like a bad habit. Oh wait. I can’t. There’s not
another provider in my area with similar speeds. So I’m screwed.

~~~
jswizzy
I know and 90% of the web wants to give Comcast even more power to keep out
competition by turning the Internet over to lobbyists.

~~~
marviel
90% of the web? Who specifically are you talking about? Is this big-startup-co
or...?

------
bluepeter
Ignore their spammy emails? Per their VP, they are totally going to up their
game and inject their "notifications" in your everyday Web traffic.
[https://twitter.com/jlivingood/status/939848009386549248](https://twitter.com/jlivingood/status/939848009386549248)

~~~
jlivingood
What I meant in the context of that exchange was that the notifications come
only after for example multiple emails have not resulted in the device being
replaced.

~~~
freen
If it is truly critical, disconnect the device and use the disconnected
landing page as your means of communication.

Anything else fails to meet the criteria of "critical".

If I buy a crappy 802.11b wifi dongle, are you going to inject JS too?

------
vages
Most interesting part was the reply from the Comcast employee.

~~~
exikyut
Yes, indeed it was. It's a fairly standard, unsurprising response for this
situation; doesn't try to be defensive, doesn't try to provoke. [Edit: I'm
horribly under-perceptive, after reading other comments I see I'm a bit off.]

But... this bit.

> _... [JL] This is our web notification system, documented in RFC
> 6108[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108),
> which has been in place for many years now. ..._

Oh, interesting, what Internet technology are they using?

> _" RFC 6108: Comcast's Web Notification System Design"_

> _February 2011_

Cue jawdrop. My instinctive response was to WAT and think "this is not what
RFCs were for..."

But then I read this part,

> _Status of This Memo_

> _This document is not an Internet Standards Track specification; it is
> published for informational purposes._

> _This is a contribution to the RFC Series, independently of any other RFC
> stream. The RFC Editor has chosen to publish this document at its discretion
> and makes no statement about its value for implementation or deployment.
> Documents approved for publication by the RFC Editor are not a candidate for
> any level of Internet Standard; ..._

Hmm.

Reading through, this outlines a way to avoid using deep packet inspection by
using Squid and Tomcat instead.

Initially when I read this my brain was sort of going in the direction of
"this kind of thing is where the net neutrality repeal thing started..." but
now I've spent a bit of time reading it I don't actually think my snap
response was particularly on point.

This is a bit of a stream-of-consciousness but I wanted to draw attention to
that RFC.

~~~
jlivingood
An RFC is not always a standard - often they are simply 'informational'. For
us, when we wrote the document, it was a way to document as transparently as
possible how the system worked so that folks would not need to speculate about
it and for us to explain the rationale and alternatives considered. This
seemed to me at the time far better than being evasive about it. And a request
for comment is often a way to solicit exactly that - good comments (e.g.
suggestions on alternatives). In this case, it has led in part to things like
the IETF's new(ish) CAPPORT working group being created to develop a better
Internet-wide standard for how to interact with so-called captive portals. See
[https://datatracker.ietf.org/wg/capport/about/](https://datatracker.ietf.org/wg/capport/about/)
for more details and feel free to join the mailing list and contribute!

------
jimnotgym
I'm struggling to find it, but there was an article a couple of weeks ago about
communities forming their own ISPs. It's beginning to seem very sensible.

~~~
bluepeter
[https://www.reddit.com/r/Documentaries/comments/7dvqjd/peopl...](https://www.reddit.com/r/Documentaries/comments/7dvqjd/people_building_their_own_internet_in_detroit/)

------
pdkl95
Anybody want to sue them for copyright infringement? I doubt they acquired
authorization to make derivative versions of your website.

------
pleasecalllater
You have really pathetic law in the US. After something like that in Europe,
the company managers would have really huge problems.

And in US people seem to be happy about that. If they wouldn't, it would be
changed.

~~~
coldcode
No one is happy, but we have almost zero opportunity to effect change. Look at
the FCC's deliberately crappy email campaign for responses on eliminating net
neutrality. They won't even release the data to a state DA. Between
gerrymandered districts and lock step Republicans controlling everything
currently, not to mention local monopolies by the biggest ISPs, our ability to
effect change is virtually zero.

------
ksk
I wonder if a website could sue Comcast for copyright violation.

~~~
exikyut
Unfortunately if this were to happen and it succeeded, the precedent would
kill the Web Archive.

:(

~~~
Keyframe
Not necessarily. Comcast derives from your work in order to exploit it for
commercial purposes. Archive does not. A significant difference.

------
Tepix
If my ISP were to try this I would sue them for

§ 303a Datenveränderung (data alteration)

------
kerpele
I love the Comcast representative's comment basically saying "we've been doing
this for years, too late to complain now"

------
gmac
Vote with your feet if you can. Meanwhile, use a VPN.

[https://github.com/jawj/IKEv2-setup](https://github.com/jawj/IKEv2-setup)
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)
etc.

------
tjoff
How fucked up are we when we live in a society where this is not only dreamed
up but actually believed to make sense and implemented.

Yes, it speaks volumes about Comcast but it also speaks about the culture where
Comcast exists. And even IF there is backlash from this the whole idea that
they might have gotten away with it is just absurd.

------
chrissnell
Comcast has been doing this for years and not just to push modem upgrades.
They do it for their stupid WiFi app, too:

Scroll down this link slightly for a screenshot:

[https://nas-row.com/showthread.php?t=696](https://nas-
row.com/showthread.php?t=696)

------
nathan_long
Imagine that you get a letter from a friend. In the middle of the letter is a
strange paragraph praising the postal service's new product. You later learn
that this was inserted by the postal service.

I'd argue that both you and your friend have been harmed by this and that the
postal service should be punished. Their job is to deliver messages unmodified
and uninspected.

Here, the friend is a web page and the postal service is the ISP. Same deal.
Injecting content into a page defames (and possibly breaks) the site and
deceives the requester.

(Yes, the site should use HTTPS to prevent this. And you should lock your
house's door. But that doesn't excuse dishonest ISPs or burglars who take
advantage when you don't.)

------
cies
So how exactly is this not criminal?

~~~
betterunix2
They are not blocking, throttling, or interfering (in any way that harms
functionality) with legal applications; in a nutshell that is the 2015
requirement.

Now, if that Javascript happens to interact badly with some particular web
page, then you could complain to the FCC as long as the 2015 rules remain in
effect (which is more than a week, for what that's worth).

~~~
danschumann
In a way it throttles.. let's pretend they included 4,000 lines of code in each
website, or 1 gig of data. It also throttles the experience by taking up
processor cycles to render the data. It harms functionality because the popup
covers usable website area, and what was meant to function without closing a
popup does not. It blocks screen real estate. I really hope someone makes a
case.

------
RKearney
They’ve been doing this for at least 5 years.

[https://gist.github.com/ryankearney/4146814/42d9ca5ec42fe43c...](https://gist.github.com/ryankearney/4146814/42d9ca5ec42fe43c5f7af69a60ae4c60c9bb567f)

------
visarga
Apparently the internet is too important to let Americans have it unfiltered.
Let's face it - there are people who don't want to let us access the net
directly, even though its importance for the public is incalculable.

------
bedros
Cox is also trying to sell new modems to its customers. Last year when I
called Cox in California complaining about slow speed at prime time (6-9p) the
customer rep told me getting a newer modem will make it faster; I told her my
modem is only 3 years old and asked her how a newer modem would make it
faster; she could not answer that.

I think we should have a regulation that forces ISPs to post the average speed
of their networks at peak time every time they advertise their theoretical
network.

------
WhitneyLand
They’re just business people trying make a profit and the market will work to
collectively accept or reject this practice, is that what they would say?

Would you make this decision if it doubled your salary?

I love making money, healthy forms of capitalism, fierce competition, and
benefiting as a consumer from other companies competing.

But I’ll not be a part of this for any job, not in a free country where there
are so many opportunities to do better than this. No sir, I respectfully
decline your offer.

------
esP3FJhD
Do they modify the CSP, or is it not an issue since sites that bother with a
strict CSP probably use HTTPS anyway?
[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

------
Balgair
When folks are getting a new modem via this process, are they signing up for a
new contract? What does that contract say, in reference to the issues that are
going on with NN? Might this perhaps be a way to get people to sign new
contracts in preparation for a change to NN being more favorable to the ISPs?

------
swayvil
Mediacom does a little injection too. Mostly to warn you about something. Get
a big red banner now and then. But that's just the visible stuff, so who
knows?

I thought that was illegal. Like, it's editing somebody else's copyrighted
work or something.

------
brian-armstrong
I'm concerned about inviting the Comcast evildoers to here for discourse. It
feels like it normalizes what they're doing and sets a bad precedent. Guys
like that should be blacklisted from tech, not invited in for tea and
crumpets.

------
butterfi
I dropped Comcast for a provider that doesn't do this, but given Comcast is a
monopoly in many areas, I know this isn't a good option for everyone. But
frankly, the only leverage we have over these people is how we spend our
money.

------
jchavannes
This is (one of the reasons) why you should use HTTPS Everywhere and enable
blocking of all unencrypted requests. This isn't new.

You're susceptible to even worse MITM attacks if you allow unencrypted traffic
when using public wifi.

------
zeep
A family member got a letter asking them to change their modem but they are
also saying that their connection speed slowed down... are they throttling
older modems? (I didn't get a chance to do speed tests yet)

------
vm
All the more reason for ISP competition. The government will be slow to (or
just won't) police this behavior so the ideal is to enable customers to
quickly replace awful service providers with alternatives.

~~~
masonic

> All the more reason for ISP competition

Agreed, and decreasing competition is one negative impact if pure net
neutrality is enforced. Nobody is going to build out (or improve) an ISP
infrastructure only to have Netflix/Hulu/Youtube suck up most of your
bandwidth from 5PM to midnight local time, forcing you to continually expand
your infrastructure on your own dime.

Google foresaw this, hence Google Fiber / Alphabet build-outs being stopped 14
months ago.

------
hi41
Does Comcast inject this code in https urls or just http urls? Since https
transfer is encrypted I suspect the code injection can't be done. Can someone
please tell if my reasoning is correct?

~~~
derimagia
Yeah that's correct, they can't do it in https unless they did something with
root certs, which would be 1000x more messed up (And that's saying a lot
because this is already pretty despicable). At any rate if they were doing
that browsers would revoke the CA.

~~~
hi41
Thank you, Derimagia.

------
pvsukale3
BSNL- The state-owned broadband provider here in India does this regularly.
They intercept HTTP traffic and redirect it to their plans page. The saddest
part is no one really cares about this here.

------
jancsika
Could Comcast hijack DNS and redirect https requests to a page explaining the
issue with a button that lets the user go back to the site they wanted to
visit?

Or do modern browsers mitigate that?

~~~
derimagia
They could, but HSTS
([https://blog.stackpath.com/glossary/hsts/](https://blog.stackpath.com/glossary/hsts/))
would largely mitigate it. They have a preload list in browsers too. But
if a site wasn't using HSTS then yeah they could do that. I don't think that's
better per se.

------
newshorts
This behavior is the reason why I’m short on Comcast. They are creating space
for an ethically centered company to compete on concerns having nothing to do
with internet speeds.

------
LogicX
FWIW, looks like this may be a service comcast uses:
[http://www.frontporch.com/](http://www.frontporch.com/)

------
amazingman
I was greeted with this injected advertising a few weeks ago and was floored.
And yet here I am stuck in a contract, with no good alternatives even if I
weren’t.

------
cjsawyer
My friend has Comcast and I was absolutely floored when a bandwidth
notification popped up on Stack Overflow.

We need to burn these monsters at the stake.

------
bluepeter
Comcast VP suit isn't helping his cause much on Twitter
[https://twitter.com/jlivingood/status/939248407562080261](https://twitter.com/jlivingood/status/939248407562080261)

Oh and of course he's also retweeting a lovely Net Neutrality tweet...
[https://twitter.com/feamster/status/938236691126636546](https://twitter.com/feamster/status/938236691126636546)

~~~
cornchips
Jason Livingood: "This is a web notification system that presents an overlay
service message for non-TLS sessions. Documented in RFC 6108 & in place for
many years -
[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108) .
In this case the alert informs customer of need to upgrade an end of life
device."

[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)
Comcast's Web Notification System Design

Yeah, cuz we're all supposed to know about rfc6108.. Guess I have some
catching up to do on "Internet Engineering".

------
santoshalper
I am not a fan of Comcast, but this is a bit of a tempest in a tea kettle. In
over a decade of having their service, I have only seen them use this once,
when my cable modem was nearing EOL and upgrading to a new modem that
supported DOCSIS 3 (I think?) gave me a big speed boost. I probably wouldn't
have looked at snail mail or email from them, so I appreciated it.

I guess there is a "slippery slope" argument to be made here, but in the
current incarnation, this is innocuous.

------
sslalltheway
Umm.. You should not be using HTTP to begin with. Everything else is the
result of not using SSL for everything.

------
apl002
How can an ISP seriously do this? Is the random domain even aware that Comcast
is injecting JS into their site?

------
shapiro92
Can someone tell us if this is legal?

------
vorotato
I wonder if this violates the CFAA if/when this gets run on a business's
machine.

------
gbraad
... And that is why you open https.

------
knodi
Crapcast. If only we in the US had more options, this kind of shit wouldn't
fly too well.

~~~
rocky1138
Rogers and Cogeco both do this in Canada, as far as I remember.

~~~
knodi
Ya, I believe CA is in a worse position than the US (in terms of a competitive
market).

------
sschueller
Does the injected code count towards the data cap? If so there may be a legal
case there.

------
polock
Why are Comcast, Uber like companies trying to be evil? I really hate these.

------
kup0
Our local ISP Shentel does this as well, mostly for data cap alerts.

------
tehlike
Let's Encrypt adoption will end this once and for all.

------
free2rhyme214
Why don't they use the Chrome Extension - uBlock origin?

~~~
joshribakoff
Ads from website owners are not new, what is new is ISPs injecting into other
people's pages, this sets a new precedent. It's a fundamental principle that
was violated, so saying "just block it" is like saying people in China should
just use a VPN... while a valid point, it's still an outrage to some people
that a government/ISP would tamper/block your traffic. Not trying to equate
Comcast to China by the way, just using a metaphor.

------
a_imho
Isn't this against the CFAA? Like Comcast is acting without / exceeding
authorization?

------
kkmx
This is why we need to get everyone to move to HTTPS ASAP.

------
Feniks
WTF America continues to be an example to us all... of what not to do ;)

I shall keep up my vigilance against the telecom industry.

------
thriftwy
You take one packet from web server, you deliver a different one to the
client. That's the definition of fraud.

