Comcast is the honey badger of ISPs – injects pop-ups into browsers, doesn't give a fsck

As an ostensible courtesy to internet customers now facing 1TB monthly data caps, Comcast has begun notifying those approaching their quotas through popup browser windows. But the way it delivers those messages – injecting web code into the customer's browsing session – undermines online security, said iOS developer Chris …

  1. David Kelly 2

    I think WOW is also using this technique

    I have received suspicious pop-ups claiming to be from my ISP: WOWway.com.

    Suspicious because they were injected in non-WOW sites, but was accurately informing me of pending termination of support for my older DOCSIS modem.

    1. Anonymous Coward
      Anonymous Coward

      Re: I think WOW is also using this technique

      WOW! Such inject! Very popup! Much suspicious!

  2. MNGrrrl
    FAIL

    More than a security problem

    It's not just a security problem: There's more than just web browsers using http. Any automated tool that pulls over HTTP could potentially be broken by this sort of injection because it is expecting the remote end to respond the way it always has -- without injected code. It may have hardcoded offsets, etc. The average person (cough, or even more inept, the average lawmaker) of course doesn't ever think about this but most of the communication on the internet is automated, not interactive. We're wiring in toasters, cameras, cars... we're wiring in all our public utilities infrastructure too. And a lot of the time, those things are accessed over http -- you think your wifi box is the only thing with that? Try again: The chemical factory four blocks from where you live probably has similar web management interfaces. Or the sewage processing plant. The internet of things is here, and the most common cause of failure isn't hackers or terrorists -- and it never was. Failure usually doesn't come to the screams of "Death to America!" or "Gimmie your money, bitch!"... it's to the quiet sound of "Oops."

    -

    Network neutrality isn't about bandwidth or protecting competition and all that jazz... it's about protecting the integrity of the communications themselves. When you start screwing with the content, you're making assumptions. Comcast is assuming that only web browsers live on port 80. Engineers know better.

    -

    Enlightened engineers are hoping the world comes to its senses and bans this sort of thing before something bad happens. Which is adorable. The more practical of us are just waiting out the inevitable death, destruction, and mayhem that's going to happen eventually, because we know that lawmakers are like children: No matter how many times you tell them not to touch the hot stove, they're not gonna listen, so you just sit back and let them burn their hands... not because you hate the kid, but because that's just the nature of what a child is.

    -

    So, a word of advice: If Comcast serves internet in your area and you live next to the sewage processing plant, invest in a pair of rubber wading boots.

    1. fangster

      Re: More than a security problem

      BT used to do this (maybe they still do?) every time a new version of their (never used) BT Broadband helper tool was available. It knackered all the automated ticketing systems etc. in my business (rack in my basement at the time!). I couldn't figure out what was wrong until I tried to use a web browser and it came up with the nagging page.

      1. Anonymous Coward
        Facepalm

        Re: More than a security problem

        If you downloaded that web helper tool, you deserved it for that...

        (If they hijacked the router themselves when you never signed up to it, then you deserve it for going with BT... unless they were the only choice. ;) )

    2. Sven Coenye
      Coat

      Re: More than a security problem

      "We're wiring in toasters, ..."

      Not a problem here. The warning will be burned on the panis pop up display....

    3. JustsomeBlokeinAz
      Coat

      Re: More than a security problem

      But but but!!! STANDARDS they sputter.... I couldn't say it any better than you did.

  3. Florida1920

    Terabyte Territory

    Lucky me. I live in a capped area. Fortunately, I only seem to be using about 1 GB/day (Thanks, uBlock Origin!). The penalty for watching too many cat vids is severe:

    You have two courtesy months to exceed a terabyte of usage without charge. After using these two months, if you exceed your data usage plan you will be charged $10.00 for each 50GB of additional data provided, but charges will not exceed $200 each month, no matter how much you use.
    Reviewing past months' usage makes me think they only count bandwidth via your home/business connection. I was hitting their local hot spots regularly before this month, and the amount of bandwidth they report doesn't reflect that.

    1. Mage Silver badge

      Re: Terabyte Territory

      Ha!

      I get 60 Gbyte per rolling 30 days... Even half a terabyte would be luxury. Naturally Flash is blocked and I don't watch online video.

  4. Anonymous Coward
    Anonymous Coward

    "But ur points are fair. (see next tweet)"

    Twitter has to die.

    RFC 6108

    Seeing this bullshit in an RFC hurts my brain. The web needs to go HTTPS only. Also they didn't even mention Content Security Policy (which would have to be stripped), or "cache-control: no-transform".

    1. quxinot

      It's possible to use Twitter without sounding like an illiterate teen.

      I assume, at least.

  5. Halcin

    "As Dzombak observes, content injection doesn't work with HTTPS websites..."

    And when will El Reg' become an https website? :P

    1. Anonymous Coward
      Anonymous Coward

      I prefer to leave it be so I know when I've hit my data cap :)

    2. Sir Runcible Spoon
      Trollface

      "And when will El Reg' become an https website? :P"

      Why don't you just set up a mirror site and run https there?

  6. Anonymous Coward
    Anonymous Coward

    Also their junk code probably breaks XHTML+XML pages, and document.write can be disabled using the new Feature-Policy header.

  7. Anonymous Coward
    Anonymous Coward

    Wave Broadband in the SF Bay area is doing this also, not for data cap reasons, but as pure adware. And this is for a business account.

  8. Anonymous Coward
    Anonymous Coward

    Guess I'll just have to poke my head out of the VPN trench now and again to see if we've tripped the limit. All content here is through a VPN because of Comcast's other rude behaviors, DNS aside. That's the next hack on the list now. [My machines are off net, now. Go ahead, hack my tablet.] Gods above below, this sucks. Multiple Netflix, multiple subscriptions, are used to death here and they don't do business and residential on the same property, or so they tell me.

  9. Lee D Silver badge

    PlusNet used to block all your web access if it noticed port 139 unsecured.

    That's much more reasonable and much more an impetus to action.

    However, with SSL etc. all that happens is sites like Google (many people's home page) will just fail to load with a security error if tampered with in that way.

    How about ringing your damn customers or sending them an email?

    1. Dan 55 Silver badge

      Who uses their ISP email?

      If someone rang me claiming to be from my ISP I'd tell them to phish someone else. See TalkTalk.

      Not defending Comcast, but it's not easy to get in touch with customers.

      1. John H Woods Silver badge

        "Not defending Comcast, but it's not easy to get in touch with customers." -- Dan 55

        Yeah if only they knew my address...

        ... but seriously, the PAYG data providers have sussed this. You hit the cap, everything stops working and you get redirected to the page where you can purchase more.

        1. Dan 55 Silver badge

          Ok, not easy to get a message quickly to the account holder before the limit is reached...

        2. Adam 1

          > and you get redirected to the page where you can purchase more

          Which absolutely shouldn't be possible if security is done right. You can't serve a 302 when MitM'ing an HTTPS connection unless you can convince my browser to trust the certificate you sign the page with. And with HSTS you can't even get my browser to talk HTTP, even if you type it into the address bar, if the server is known to support HTTPS. (Try to visit Google over HTTP.)

          And if you use a VPN, your ISP has exactly zero ability even for this sort of farting around. Send an SMS or email. Hardly rocket science.
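The two comments above (the one citing RFC 6108 and asking for Content Security Policy and `cache-control: no-transform`, and Adam 1's point about HSTS) name three headers a site can send to resist this kind of injection. The script below is an added example, not code from the article or from any commenter: it audits a set of response headers for those three defenses and decides whether a given CSP would let an injected inline `<script>` (the form a `document.write` payload takes) execute. The header values are constructed samples; the "weak" and "hardened" sets are assumptions for illustration, not any real site's headers.

```python
"""Added example (not from the article or any commenter): audit a site's
response headers for the three defenses the thread names against
transparent-proxy content injection, and check whether a given CSP would
let an injected inline <script> (a document.write payload) execute.
All header values below are constructed samples."""


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allows_inline_script(value):
    """True if an inline <script> with no nonce or hash would run under this CSP.

    script-src governs scripts; default-src is the fallback. A nonce or hash
    source in the directive makes 'unsafe-inline' ignored (CSP Level 2+), so
    an injected script that carries neither is blocked."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the browser default allows inline
    lowered = [s.lower() for s in sources]
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


def cache_control_directives(value):
    """Return the set of directive names in a Cache-Control header."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(headers):
    """Return a list of findings (an empty list means all three defenses are present)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("no HSTS: a plain http:// visit can still be intercepted and rewritten")
    elif hsts_max_age(sts) <= 0:
        findings.append("HSTS max-age is 0: the browser forgets to force HTTPS")

    if "no-transform" not in cache_control_directives(h.get("cache-control", "")):
        findings.append("no Cache-Control: no-transform: intermediaries are not asked to leave the body alone")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no CSP: an injected inline script runs with the page's own origin")
    elif csp_allows_inline_script(csp):
        findings.append("CSP permits inline scripts: an injected document.write payload would run")

    return findings


# Constructed sample responses: a plain-HTTP site with no defenses, and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "max-age=600",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "max-age=600, no-transform",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['ok']}")
```

The check only tells you what the origin server asks for: `no-transform` and CSP are honoured by well-behaved intermediaries, and a middlebox that rewrites the body over plain HTTP can just as easily strip those headers (the "which would have to be stripped" point above). HSTS is the one that changes the picture, because after the first HTTPS visit the browser refuses to make the plaintext request that the injector needs to see.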

      2. Kernel

        "Not defending Comcast, but it's not easy to get in touch with customers."

        Both ISPs (and three separate accounts) I've used here in NZ give you the option of sending alerts to either/both of an email address of your choice or by SMS to a cellphone of your choice - it's not that difficult to make it happen.

      3. EveryTime

        "Not defending Comcast, but it's not easy to get in touch with customers."

        That reminded me to login and pay my bill.

        Half of the email messages in the account were obvious spam. Somehow sent to an email address that should be known only to Comcast and myself. Most of rest were Comcast marketing, even though I opted out of everything possible.

        Even if the spammers were guessing by looping over every possible email address, Comcast should have been able to stop them before they guessed my username. So there is obviously an internal leak that resulted in a list sold to spammers.

        And the Comcast originated marketing... I opted out of every list. But that doesn't keep them from sending it.

        Any problems Comcast has with reaching me by email are because they have abused that path in the past. And apparently they plan on continuing that abuse.

      4. Updraft102

        I use my ISP's email... you mean this isn't how it's done anymore either?

  10. Anonymous Coward
    Anonymous Coward

    Copyright violation?

    By injecting code into the HTML, Comcast is effectively changing the contents that a web server is sending to the browser. Do they have permission from the copyright holder to do that? I'm betting they don't, which means that Comcast are probably infringing someone's copyright.

    Sorry, is that a queue of lawyers I see?

    1. Steve Davies 3 Silver badge

      Re: Copyright violation?

      Imagine issuing a DMCA takedown to Comcast and it working????

      Then announce that you are standing for President.

      You will get voted in by a landslide even in deep-red or deep-blue states.

      All my US friends hate Comcast with a vengeance. In many areas, there is no alternative.

      We can thank ourselves lucky that we have at least some modicum of choice here in Blighty.

  11. Mage Silver badge

    Inserted Adverts

    I've noticed this on the supplied browsers on Android, but not on Firefox.

    Also inserted adverts in Apps.

    Mobiles have tiny screens compared to laptop. It's evil.

    1. Antron Argaiv Silver badge

      Re: Inserted Adverts

      Comcast has been inserting ads into cable programming ("Spotlight") for years.

  12. frank ly

    Virgin Media were more 'sophisticated'

    About two years ago, I started getting an extra tab opening in my browser. It was apparently from Virgin Media (my ISP) telling me my account filters were set to 'family safety is on' and I had to visit the website and sign in if I wanted the 'family safety' filter turned off. I thought this was strange because about two years before that, I'd told them over the phone to turn all filters off when I took out a new contract. So, I closed the tab after swearing a bit at the interruption.

    After a week of this, every time I started the browser, I phoned their technical support to ask what was happening. Some new law regarding 'protecting children' had been enacted and my verbal statement of two years previously was now no longer enough. I had to make a definite recorded choice to allow dangerous filth into my home. So I did.

    They could have explained this on the injected tab but no; it was, "this is how it is, you have to do something."

  13. anonymous boring coward Silver badge

    Dumbass f*cking morons everywhere trying to ruin the WWW.

    Tired of it.

  14. ecofeco Silver badge

    Thank god for No Script

    Thank god for No Script. It was the only way I could stop those goddamn pop ups.

    Have I mentioned "fuck American companies" lately? Yeah, fuck American companies.

  15. Anonymous Coward
    Anonymous Coward

    My god, it's 2016, who's on a capped connection in this stone age?

    1. Don Dumb
      Flame

      It isn't 2016 here.

      @AC - "My god, it's 2016, who's on a capped connection in this stone age?"

      The vast majority of UK internet users

      Although whether most people *understand* their usage is limited is a different matter of course.

      I'm currently shopping around to see if I can get a better deal on broadband, I have FTTC and no Virgin availability. The competition seems to be fierce *IF* you don't mind a double digit GB limit. Once you look at 'unlimited' usage, there is little to differ between providers. And of course, unlimited, rarely means that*.

      What I can't work out is why so many people want really fast Fibre but accept limits so low that they could conceivably burn through their monthly limit in barely more than an hour.

  16. Anonymous Coward
    Anonymous Coward

    Phorm? Is that you?

    I'll get my coat....

  17. That_Guy

    The second I see any injected notification I'll dump cc faster than you can say dwindling customer base.

  18. Anonymous Coward
    Anonymous Coward

    What could possibly go wrong?

    Next: A pop-up of Dear Leader accompanied by the Workers Anthem

  19. Howard Hanek
    Happy

    Block Comcast Content

    Very simple if your adblocker permits personal user filters.......

  20. Anonymous South African Coward Bronze badge

    Telkom is also doing this thing here in Sunny South Africa.

    But only if you're using a capped account, and you're using an HTTP stream.

    Which is both a good thing, and a bad thing... good to know when you're nearing your cap, and bad because of coitus interruptus things.

  21. springsmarty

    I have no graceful way to moderate traffic

    TCP/IP just wasn't meant to be metered and this post is just me venting. Comcast claims my home uses 1.8 TB per month and that is more than 99% of their customers. I have no easy way to verify either claim. I have a lot of tech, three teenage boys, my spouse, and me in this home.

    I called them and asked how I am supposed to comply. They asked what I am doing to use the internet. Do I game? No, but my three boys do. Do I watch Netflix or YouTube? Occasionally, and the rest of my family does. Where is the data going? Is it Evernote updating multiple instances? Is it because of TiVo updates? Is it because I stream audio from my server? Is it Windows updates of multiple machines? Is it WebEx I use because I work from home? Is it synchronizing corporate email?

    Just dropping this new cap on my home and telling me that it's OK because they made a data meter available is complete crap.
