Comcast Takes Heat For Injecting Messages Into Internet Traffic
from the meddling-and-fiddling dept
Since around 2013 or so, Comcast has been injecting warning messages into user traffic streams. Sometimes these warnings are used to notify a customer that their computer may have been hacked and is part of a botnet. Other times, the warning messages inform users that they’ve (purportedly) downloaded copyrighted material as per Comcast’s cooperation in the entertainment industry’s “six strikes” Copyright Alert System (CAS), a program that pesters accused pirates until they acknowledge their villainy and receipt of “educational” materials on copyright.
More recently, Comcast has used the system to urge customers to upgrade to a newer modem, or to warn users in capped markets that they’re about to reach their monthly usage allotment and will soon be paying overage fees:
While Comcast’s efforts here may be well-intentioned, the act of fiddling with user traffic and injecting any content into the user data stream has long been controversial. Pretty much like clockwork over the last three years, you see stories popping up every few months or so explaining how letting such a fierce opponent of concepts like net neutrality fiddle with user traffic just isn’t a particularly smart idea. Users have also consistently complained that there’s no way to opt out of the warning messages.
But in addition to being annoying and a bad precedent, many think Comcast’s efforts on this front open the door to privacy and security risks. iOS developer Chris Dzombak, for example, penned a blog post last week explaining how getting broadband users used to this level of popup pestering by their ISP opens the door to hackers to abuse that expectation and trust via man-in-the-middle attacks:
“This might seem like a customer-friendly feature, but it’s extremely dangerous for Comcast’s users. This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse. Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer’s Comcast account and which might ask for financial information.
Any website could present its users an in-page dialog which looks similar to these Comcast alerts. The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites; remember, most password recovery mechanisms revolve around access to an email account.
Each time this subject pops up, Comcast’s engineering folks are quick to point out that this is all perfectly fine because the company filed an informational RFC (6108) back in 2011 explaining what the company was up to. Usually this results in media outlets quieting down for a while until somebody new discovers the popups. But Dzombak is quick to correctly note that filing an RFC isn’t some kind of get-out-of-jail-free card for dumb ideas:
“Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works. This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you.
First, let me point out that just publishing a memo that says you plan to do something doesn’t mean that the thing you’re doing is acceptable.
Second, RFC 6108 does not address this concern whatsoever. There’s a short section about security considerations, which largely boils down to this guidance: ‘…the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques. Finally, care should be taken to provide confidence that the web notification is valid and from a trusted party, and/or that the user has an alternate method of checking the validity of the web notification.…’”
In short, that puts the onus on customers to know that these popup notifications should never ask for login information. But most users simply aren’t going to know that, and would be easily fooled by a phony popup that mirrors this dialog but redirects users to a malicious third-party website asking for their credentials. The notification is just a snippet of HTML spliced into an unencrypted page; there’s no magic-bullet way for a user to be sure the web notification they’re viewing “is from a valid and trusted party.” Comcast told Dzombak on Twitter last month that his points are fair, but still hasn’t seriously addressed the problem.
Comcast has your e-mail address for notifications. There’s really no reason to fiddle with user traffic. It’s a horrible precedent that’s not only annoying, but a potential privacy risk. Fortunately the problem may self-resolve, as Comcast can’t inject the messages into encrypted streams — and encryption use overall is on the rise. Still, it’s not a particularly great precedent to let a company with a long, proud history of fighting net neutrality fiddle with data streams, however purportedly noble the intention.
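Because an in-path notification system can only rewrite cleartext HTTP, a site operator or curious user can isolate exactly what was spliced in by diffing the body received over HTTP against the HTTPS copy of the same page. The following is an added example, not code from the article, from Comcast or from RFC 6108; the two page bodies and the hostnames in them are constructed for illustration.

```python
"""Isolate content an in-path box inserted into a cleartext HTTP response.

Added example: diff the HTML seen over plain HTTP against the HTTPS copy of
the same page, then report any hosts the inserted fragments point at that
are not the page's own origin. Sample bodies below are constructed.
"""
import difflib
import re
from urllib.parse import urlparse

# Constructed: the page exactly as the origin served it over HTTPS.
CLEAN_HTML = """<html><head><title>News</title></head>
<body>
<h1>Headline</h1>
<p>Article text.</p>
</body></html>"""

# Constructed: the same page as received over plain HTTP, after a middlebox
# appended a script tag that loads a notification overlay from another host.
OBSERVED_HTML = """<html><head><title>News</title></head>
<body>
<h1>Headline</h1>
<p>Article text.</p>
<script src="http://notices.example-isp.invalid/alert.js"></script>
</body></html>"""

# Matches src="..." / href='...' attributes inside an HTML fragment.
SRC_RE = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)


def injected_fragments(clean: str, observed: str) -> list:
    """Lines present in `observed` that have no counterpart in `clean`."""
    obs_lines = observed.splitlines()
    matcher = difflib.SequenceMatcher(None, clean.splitlines(), obs_lines)
    found = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            found.extend(obs_lines[j1:j2])
    return found


def foreign_hosts(fragments: list, origin_host: str) -> list:
    """Hosts referenced by injected fragments that differ from the origin."""
    hosts = set()
    for frag in fragments:
        for url in SRC_RE.findall(frag):
            host = urlparse(url).hostname
            if host and host != origin_host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    frags = injected_fragments(CLEAN_HTML, OBSERVED_HTML)
    print("injected:", frags)
    print("foreign hosts:", foreign_hosts(frags, "news.example"))
```

A page whose HTTP and HTTPS bodies differ only by such a fragment has been modified in transit; serving the site over HTTPS only (with HSTS) removes the injection point entirely.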