1. 41

  2. 14

    Charter/Spectrum did a MITM on me to make me sign their new customer agreement thing after they replaced a faulty cable modem. Apparently it’s required as part of their new provisioning system. They sent a TCP RST to any request on port 80 and then hijacked that session to make me hit their webserver to redirect me to their portal. I have pcaps of it.

    Completely unacceptable.
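The poster says they have pcaps of the port-80 RST injection. One heuristic a defender can run over such a capture (added example, not the poster's own tooling; the packet records are constructed by hand to mimic the fields a pcap parser such as scapy or dpkt would yield) is to compare the IP TTL of each RST with the TTL already observed from the same endpoint on that flow: a RST generated by a middlebox sits a different number of hops away, so its TTL usually disagrees with the real server's, and the real server often keeps talking after the forged reset.

```python
"""Flag TCP RST segments that look injected by an on-path device.

Heuristic: on a healthy flow the server's packets arrive with a stable IP TTL.
A RST that claims the server as its source but carries a different TTL was
most likely generated elsewhere on the path. A second signal is the "dead"
server continuing to send data after the RST.
"""

# Constructed sample flow: client 10.0.0.5 talks to a web server on port 80.
# Each record: (src, sport, dst, dport, ip_ttl, tcp_flags)
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "93.184.216.34", 80, 64, "S"),
    ("93.184.216.34", 80, "10.0.0.5", 51000, 54, "SA"),
    ("10.0.0.5", 51000, "93.184.216.34", 80, 64, "A"),
    ("10.0.0.5", 51000, "93.184.216.34", 80, 64, "PA"),   # the GET request
    ("93.184.216.34", 80, "10.0.0.5", 51000, 61, "R"),    # RST with a TTL that does not match
    ("93.184.216.34", 80, "10.0.0.5", 51000, 54, "PA"),   # the real reply still arrives
]


def find_suspicious_rsts(packets, max_ttl_delta=2):
    """Return RSTs whose TTL deviates from the TTL first seen on the same flow.

    max_ttl_delta tolerates small route changes; a larger difference is reported.
    """
    first_ttl = {}      # (src, sport, dst, dport) -> TTL of the first non-RST packet
    suspicious = []
    for idx, (src, sport, dst, dport, ttl, flags) in enumerate(packets):
        key = (src, sport, dst, dport)
        if "R" in flags:
            baseline = first_ttl.get(key)
            if baseline is not None and abs(baseline - ttl) > max_ttl_delta:
                suspicious.append(
                    {"index": idx, "src": src, "ttl": ttl, "expected_ttl": baseline}
                )
            continue
        first_ttl.setdefault(key, ttl)
    return suspicious


def server_spoke_after_rst(packets):
    """True if any flow carries data from an endpoint after a RST in its name."""
    reset_flows = set()
    for src, sport, dst, dport, _ttl, flags in packets:
        key = (src, sport, dst, dport)
        if "R" in flags:
            reset_flows.add(key)
        elif key in reset_flows and "P" in flags:
            return True
    return False


if __name__ == "__main__":
    for hit in find_suspicious_rsts(SAMPLE_PACKETS):
        print(f"packet #{hit['index']}: RST from {hit['src']} has TTL {hit['ttl']}, "
              f"flow baseline is {hit['expected_ttl']}")
    print("server kept sending after RST:", server_spoke_after_rst(SAMPLE_PACKETS))
```

Both signals are heuristics: a legitimate RST from a server behind a load balancer can also show a TTL difference, so treat a hit as a reason to look at the full session rather than as proof on its own.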

    1. 10

      One thing about your article that stood out to me was that you say this injected code breaks accessibility on websites. Unfortunately (depending on your viewpoint), as far as I know, in the US there are no enforceable legal standards for website accessibility outside of Section 508, which is bound to federal, state and local government websites.

      However, website accessibility is protected as a civil issue, being that they shouldn’t discriminate; it would be interesting to see what result someone would get suing Comcast for injecting code into all HTTP requests that essentially discriminates against them due to a disability.

      1. 1

        Oooo that’s deep. Interesting insight!

      2. 6

        Is this for only HTTP, or are they abusing their certs to MITM HTTPS for injecting javascript too?

        1. 3

          Do they have a trusted CA to use for a MITM? I don’t think they do.

          Regardless, assuming they did that’d be a completely different level of attack that would be noticed and discussed on MDSP and would almost definitely lead to their CA being distrusted by browsers.

          MITMing HTTP sucks. MITMing HTTPS from a privileged position (outside of a client trusting your intermediates) is untenable.

          1. 2

            HTTP only. Comcast has been doing this for a couple years at least so I’m not exactly sure how this is news.

            I am no fan of Comcast in the slightest but I don’t consider this an attack as much as a poorly conceived notification system.

            1. 1

              Is it possible to make SSL injection without installing a certificate on the client?

              I worked with bandwidth optimization appliances (Sandvine) for an ISP some years ago, and they are able to inject JS into HTTP traffic, not into HTTPS.

            2. 2

              This just completely cracked me. Not just because it’s obviously wrong to inject data into customers’ traffic (it can break programs/computations that rely on a specific format), but because they just opted for the most stupid way of implementing it. If I understood correctly:

              • they do it on every request

              • it’s not an external script, so it can’t be easily cached nor blocked (via extension)
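Because the injected block is inline rather than an external script, the practical way to notice it is to compare what arrived over plain HTTP with a known-good copy of the same page (the HTTPS body, or a cached copy). The following is an added example, not code from the article or the commenters; both page bodies are constructed strings standing in for a real fetch.

```python
"""Detect content injected into an HTTP response by diffing it against a
reference copy, and list inline <script> blocks that the reference lacks."""
import difflib
import re

# Constructed: the page as served by the origin (e.g. fetched over HTTPS).
REFERENCE_BODY = """<html><head><title>Example</title></head>
<body><p>Hello</p>
<script src="/app.js"></script>
</body></html>"""

# Constructed: the same page as received over plain HTTP, with an inline
# script block inserted before </body> (a stand-in for an ISP notice overlay).
RECEIVED_BODY = """<html><head><title>Example</title></head>
<body><p>Hello</p>
<script src="/app.js"></script>
<script>/* constructed stand-in for an injected notice */ var isp_notice = 1;</script>
</body></html>"""

# Matches <script> elements that have no src= attribute, i.e. inline code.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>.*?</script>", re.S | re.I)


def injected_lines(reference: str, received: str):
    """Lines present in the received body but absent from the reference."""
    diff = difflib.unified_diff(
        reference.splitlines(), received.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def new_inline_scripts(reference: str, received: str):
    """Inline <script> blocks in the received body that the reference does not contain."""
    known = set(INLINE_SCRIPT_RE.findall(reference))
    return [s for s in INLINE_SCRIPT_RE.findall(received) if s not in known]


if __name__ == "__main__":
    for line in injected_lines(REFERENCE_BODY, RECEIVED_BODY):
        print("injected:", line)
    print("new inline scripts:", len(new_inline_scripts(REFERENCE_BODY, RECEIVED_BODY)))
```

The line diff catches any injected bytes, which matters for the non-HTML case raised later in the thread (package indexes, JSON APIs), while the inline-script check is the specific signature of this kind of notification overlay. Pages that legitimately vary per request (CSRF tokens, timestamps) will produce noise in the line diff, so run it against static resources where possible.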

              1. 1

                It breaks apt!

                1. 1

                  Wait, apt repos aren’t https?

              2. 2

                Do they redirect/spoof DNS? Or is this for non-TLS websites only?

                1. 1

                  A part of the Swedish penal code refers to “dataintrång” and outlaws unauthorized modifications of information meant for automated processing (or unauthorized changes to databases). MITM attacks would be prosecuted under that law. Doesn’t the U.S. have a similar law?

                  1. 1

                    Swede here. Not a lawyer, but I’m pretty sure you can write an agreement that you have to sign when accessing the service that includes the right to inject JS/ads.

                    As far as I know, it’s not an issue in Sweden so far as we actually have decent competition in the broadband market…

                    1. 1

                      > Swede here. Not a lawyer, but I’m pretty sure you can write an agreement that you have to sign when accessing the service that includes the right to inject JS/ads.

                      Ah, yes. Not a lawyer either, but I’m sure you’re right.

                      > As far as I know, it’s not an issue in Sweden so far as we actually have decent competition in the broadband market…

                      Indeed. In some places you can get 10 Gbps to your house, no quota, 499 SEK / month. Should be enough for one household or a small country. :)

                  2. 1

                    This is why I tunnel most of my traffic beyond the sight of ISP, you can’t trust them these days.

                    1. 1

                      My old ISP, Wide Open West, performed a similar HTTP-level (not DNS) hijacking to 307 redirect HTTP requests to their messages such as planned outages, etc. A particularly fun “glitch” on their part made it not register that I had acknowledged the notification and so it kept doing it to me on any HTTP site I went to. This and Comcast are what finally drove me to using only strict HTTPS, no exceptions, for my own websites, and to start using the HTTPS everywhere extension. We should not have to force HTTPS as the only option for static content (though it is a fine default), yet here we are.
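The mitigation this commenter settled on, HTTPS only with no plain-HTTP fallback, can be verified from the responses a site gives: the HTTP front door should permanently redirect to HTTPS, and the HTTPS response should carry a Strict-Transport-Security policy long enough that the browser stops issuing plain-HTTP requests at all. The following is an added example, not the commenter's setup; the raw responses are constructed, and the six-month minimum max-age is an assumed threshold.

```python
"""Check that a site's HTTP/HTTPS responses leave no plain-HTTP path to inject into."""

# Constructed raw responses: a weak pair and a hardened pair.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>served in the clear</html>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_https_posture(http_raw: str, https_raw: str, min_max_age: int = 15552000):
    """Return a list of findings; an empty list means both checks passed.

    min_max_age defaults to six months (assumed threshold for this example).
    """
    findings = []
    status, headers = parse_response(http_raw)
    location = headers.get("location", "")
    if status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP does not permanently redirect to HTTPS")
    status, headers = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    elif hsts_max_age(hsts) < min_max_age:
        findings.append("HSTS max-age is shorter than the minimum")
    return findings


if __name__ == "__main__":
    print("weak:", check_https_posture(WEAK_HTTP, WEAK_HTTPS))
    print("good:", check_https_posture(GOOD_HTTP, GOOD_HTTPS))
```

The redirect itself still travels over plain HTTP, so the very first visit from a fresh browser can be tampered with; HSTS closes that window for every later visit, and preloading the domain closes it for the first one as well.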

                      1. 0

                        We all know Comcast is trash, however we won’t be able to change anything.

                        1. 2

                          Yeah, but I found lots of articles didn’t communicate, at the “general public” level, the severity of what these things can cause, from both a social and a technical standpoint.