thoughts/post/2015-11-20-comcast-injects-...

61 lines
2.9 KiB
Markdown

# Comcast injects JavaScript into web pages
It seems that Comcast has decided that it is a good idea to [inject
JavaScript into web pages][js] visited by its customers in order to inform
them of Copyright violations.
[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
This is a huge violation of user privacy and trust. Further, it shows that
an ISP (and probably others) feel that they have the authority to dictate
what is served to the user on a free (as in speech) Internet. Why should we
believe that they won't start injecting other types of scripts that spy on
the user or introduce advertising? What if a malicious actor compromises
Comcast's servers and serves exploits to users?
It is no surprise that Comcast is capable of doing this---they know the IP
address of the customer, so they are able to intercept traffic and alter it
in transit. But the fact that they _can_ do this demonstrates something far
more important: _that they have spent the money on the infrastructure to do
so_!
<!-- more -->
Comcast isn't the only ISP to have betrayed users by injecting data. One
year ago, it was discovered that [Verizon was injecting "perma-cookies" into
requests to track users][verizon]. This is only one example of the
insidious abuses that unchecked ISPs can take.
So what can you do to protect yourself?
What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]:
Comcast sits in the middle of you and your connection to the website that
you are visiting, proxying your request. Before relaying the website's
response to you, it modifies it.
In order to do this, Comcast needs to be able to read your communications,
and must be able to modify them: the request must be read in order to
determine how the JavaScript should be injected and what request it should
be injected into; and it must be modified to perform the injection. It
cannot (given a properly configured web server) do so if your connection is
encrypted. In the case of web traffic, `https` URLs with the little lock
icon in your web browser generally indicates that your communications are
encrypted, making MITM attacks
unlikely.
(We're assuming that Comcast won't ask you to install a root CA so that they
can decrypt your traffic! But that would certainly be noticed, if they did
so on a large enough scale.)
Not all websites use SSL. Another method is to use encrypted proxies, VPNs,
or services like like [Tor][tor]. This way, Comcast will not be able to
read or modify the communications.
See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].
[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[hn]: https://news.ycombinator.com/item?id=10592775
[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/
[tor]: https://tor.org/