DEV Community

Brian
Brian

Posted on

Comcast is proxying all unencrypted content

I originally posted this on the originally unsecure platform, facebook. I should edit this for grammar, but I just wanted to bang it out, because you know... job/work.

I cannot stand #comcast, no one that knows me finds this surprising, I'm forever ranting about them. The fact that Comcast is the only option for so many people is ridiculously sad. My job requires me to be on the internet constantly, I do a lot of security research and general research.

Today, I found the most horrific thing a security nerd can find. Comcast is FORCING all unencrypted traffic through Comcast proxy servers. I don't have a choice, I wasn't asked, or notified (I'm sure the TOS that's 938429 pages long mentioned it). This enables Comcast to inject anything they want into your unencrypted web browsing.

If you want to see technical details about what these jackholes are doing, see here: https://gist.github.com/bdmorin/7bd16b34cf75c0f6dd56155301793c4d

I tested a popular website, tvmaze.com (a http only website) with and without a VPN on, and the difference in HTML delivered was comcast HTML injection, which included 3rd party asset calls, analytics tracking, etc.

I want to protect my entire network (including all those people in my home) against this kind of absolutely unacceptable spying, however it gets fugly, because as cord cutters, we use streaming services, and Netflix and Hulu are NOT VPN friendly. These services actively block VPNs because viewers can appear to be in a different geological location (ODIN FORBID YOU NOT BEING AN AUTHORIZED AREA), so if I run my whole house through a VPN, then we won't be able to use streaming services.

I've been considering deploying a local forced proxy for any port 80 traffic to be forced through a VPN connection at MY gateway and not comcast's. Nearly every streaming service uses HTTPs, so this wouldn't diddle with streaming services.

The point of this rant is to SHAME comcast, not that they care in the least about consumers. You may constantly see ads for VPNs as you browse online, and these are the reasons why, you absolutely CANNOT trust your local service provider when it hijacks your content and modifies it before it gets to you. Ask China what it's like to have all your traffic monitored and modified before it gets to you. Comcast could potentially change anything before you have a chance to read the original version. If Comcast obtains a CA that browers accept, they would then be able to hijack your HTTPS connections, which is ABSOLUTELY concievable at this point.

Websites that use web application firewall services like Cloudflare are also subjected to this kind of risk. Cloudflare inspects all traffic to and from source servers, so it's a single point that could modify, track, and potentially block content. If a BlackHat were to compromise Cloudflare, thousands of ecommerce businesses could be at risk of having traffic snooped. Same with Comcast, if (AND WHEN) they are compromised, they could modify YOUR traffic so that you're seeing what someone else wants you to see.

Trust no one. Especially worthless corporations like Comcast.

Top comments (7)

Collapse
 
kspeakman profile image
Kasey Speakman

There was also the case where Verizon got busted and fined (pre-telecom-leadership FCC) for adding tracking cookies to customer traffic.

These aren't even ad-supported free services. Customers already paid for services and the providers are double-dipping by also injecting ads or tracking. I haven't verified it, but I suspect ATT fiber is doing the same thing. Their original fiber offering even had a discount if you knowingly let them spy on your traffic. And they block service unless you use their terrible router, which does who-knows-what. (It has a hardware encryption key which is required for their custom version of 802.1X network authentication. So non-ATT routers cannot even connect to the network.)

Yeah, this stuff really irritates me.

Collapse
 
andrewmcguinness profile image
Andrew McGuinness

Proxying http was pretty common for ISPs going years and years back, originally to reduce traffic by caching (which is arguably legitimate).

Injecting content into responses is crossing a different line.

"Trust no one" == "avoid sites that aren't https"

Collapse
 
skds1433 profile image
Shea Sollars • Edited

I am not sure I usnderstand. Did their Acceptable Use Policy just prohibit me from running servers on my own internet?

Under Prohibited Uses and Activities:

use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;

xfinity.com/Corporate/Customers/Po...

Collapse
 
lmorchard profile image
Les Orchard

Comcast has been doing this sort of thing for a very, very long time. They even wrote IETF RFC 6108 about it.

tools.ietf.org/html/rfc6108

Collapse
 
bdmorin profile image
Brian

Oh my ...

Collapse
 
bgadrian profile image
Adrian B.G.

Pro tip, do not asume people know what Comcast is, I suspect is an ISP from the article.

Collapse
 
lesha profile image
lesha 🟨⬛️

gee that injected html looks horrific

Some comments may only be visible to logged-in visitors. Sign in to view all comments.