from the meddling-and-fiddling dept
More recently, Comcast has used the system to urge customers to upgrade to a newer modem, or to warn users in capped markets that they're about to reach their monthly usage allotment and will soon be paying overage fees:just isn't a particularly smart idea. Users have also consistently complained that there's no way to opt out of the warning messages.
But in addition to being annoying and a bad precedent, many think Comcast's efforts on this front open the door to privacy and security risks. iOS developer Chris Dzombak, for example, penned a blog post last week explaining how getting broadband users used to this level of popup pestering by their ISP opens the door to hackers to abuse that expectation and trust via man-in-the-middle attacks:
"This might seem like a customer-friendly feature, but it’s extremely dangerous for Comcast’s users. This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse. Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer’s Comcast account and which might ask for financial information.Each time this subject pops up, Comcast's engineering folks are quick to point out that this is all perfectly ok because the company filed an informational RFC (6108) back in 2011 explaining what the company was up to. Usually this results in media outlets quieting down for a while until somebody new discovers the popups. But Dzombak is quick to correctly note that filing an RFC isn't some kind of get out of jail free card for dumb ideas:
Any website could present its users an in-page dialog which looks similar to these Comcast alerts. The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites — remember, most password recovery mechanisms revolve around access to an email account.
"Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works. This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you.In short, that puts the onus on customers to know that these popup notifications should not ask for login information. But most users simply aren't going to know that, and would be easily fooled by a phony popup that mirrors this dialogue but redirects users to a malicious third-party website asking for their user credentials. This is just a snippet of HTML on an unencrypted website; there's no magic bullet way of being sure the web notification you're viewing "is from a valid and trusted party." Comcast told Dzombak his points are fair on Twitter last month, but still hasn't seriously addressed the problem.
First, let me point out that just publishing a memo that says you plan to do something, doesn’t mean that the thing you’re doing is acceptable.
Second, RFC6108 does not address this concern whatsoever. There’s a short section about security considerations, which largely boils down to this guidance: “…the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques. Finally, care should be taken to provide confidence that the web notification is valid and from a trusted party, and/or that the user has an alternate method of checking the validity of the web notification. …"
Comcast has your e-mail address for notifications. There's really no reason to fiddle with user traffic. It's a horrible precedent that's not only annoying, but a potential privacy risk. Fortunately the problem may self-resolve as Comcast can't inject the messages into encrypted streams -- and encryption use overall is on the rise. Still, it's still not a particularly great precedent to let a company with a long, proud history of fighting net neutrality fiddle with data streams, however purportedly noble the intention.