Thoughts and ramblings (mikegerwitz.com)
 
 
 
 
 
 
Go to file
Mike Gerwitz 38081104ef
Comcast injects JavaScript into web pages
It seems that Comcast has decided that it is a good idea to [inject
JavaScript into web pages][js] visited by its customers in order to inform
them of Copyright violations.

This is a huge violation of user privacy and trust.  Further, it shows that
an ISP (and probably others) feel that they have the authority to dictate
what is served to the user on a free (as in speech) Internet.  Why should we
believe that they won't start injecting other types of scripts that spy on
the user or introduce advertising?  What if a malicious actor compromises
Comcast's servers and serves exploits to users?

It is no surprise that Comcast is capable of doing this---they know the IP
address of the customer, so they are able to intercept traffic and alter it
in transit.  But the fact that they _can_ do this demonstrates something far
more important: _that they have spent the money on the infrastructure to do
so_!

Comcast isn't the only ISP to have betrayed users by injecting data.  One
year ago, it was discovered that [Verizon was injecting "perma-cookies" into
requests to track users][verizon].  This is only one example of the
insidious abuses that unchecked ISPs can take.

So what can you do to protect yourself?

What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]:
Comcast sits in the middle of you and your connection to the website that
you are visiting, proxying your request.  Before relaying the website's
response to you, it modifies it.

In order to do this, Comcast needs to be able to read your communications,
and must be able to modify them: the request must be read in order to
determine how the JavaScript should be injected and what request it should
be injected into; and it must be modified to perform the injection.  It
cannot (given a properly configured web server) do so if your connection is
encrypted.  In the case of web traffic, `https` URLs with the little lock
icon in your web browser generally indicates that your communications are
encrypted, making MITM attacks
unlikely.

(We're assuming that Comcast won't ask you to install a root CA so that they
can decrypt your traffic!  But that would certainly be noticed, if they did
so on a large enough scale.)

Not all websites use SSL.  Another method is to use encrypted proxies, VPNs,
or services like like [Tor][tor].  This way, Comcast will not be able to
read or modify the communications.

See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].

[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[hn]: https://news.ycombinator.com/item?id=10592775
[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/
[tor]: https://tor.org/
2015-11-20 23:11:58 -05:00
docs :Resume phone number minor obfuscation 2015-10-14 21:58:42 -04:00
fonts Open Sans font 2015-05-22 01:25:39 -04:00
images :GitLab logo update 2015-07-18 08:18:12 -04:00
tools :Footer of certain pages updated to reflect CC-BY-SA licensing 2015-07-16 00:18:30 -04:00
tpl :GitLab logo update 2015-07-18 08:18:12 -04:00
.gitignore :Résumé added 2015-07-23 00:33:11 -04:00
.gitmodules Added coope 2013-06-03 22:28:13 -04:00
.mailmap :.mailmap to normalize e-mail addresses 2015-05-22 01:48:18 -04:00
COPYING :Added attribution for ``A Big GNU Head'' by Aurelio A. Heckert for ``GNU Inside!'' page fold 2014-01-11 12:23:16 -05:00
COPYING.CCBYSA All creative content (e.g. thoughts) now licensed under CC BY-SA 2013-06-16 20:35:22 -04:00
COPYING.GPLv3 All creative content (e.g. thoughts) now licensed under CC BY-SA 2013-06-16 20:35:22 -04:00
Makefile :Résumé added 2015-07-23 00:33:11 -04:00
README Added intial pages 2013-06-02 12:27:02 -04:00
asciidoc.conf mg.css fully merged into core style; consistency between article and repo2html formats 2013-05-25 11:51:41 -04:00
style.css Author and email display on articles/thoughts 2015-05-22 01:25:39 -04:00

README

The miscellaneous thoughts and ramblings of a free software hacker.

This website is processed with repo2html.

http://mikegerwitz.com/