Comcast Takes Heat For Injecting Messages Into Internet Traffic
from the meddling-and-fiddling dept
Since around 2013 or so, Comcast has been injecting warning messages into user traffic streams. Sometimes these warnings are used to notify a customer that their computer may have been hacked and is part of a botnet. Other times, the warning messages inform users that they've (purportedly) downloaded copyrighted material as per Comcast's cooperation in the entertainment industry's "six strikes" Copyright Alert System (CAS), a program that pesters accused pirates until they acknowledge their villainy and receipt of "educational" materials on copyright.
More recently, Comcast has used the system to urge customers to upgrade to a newer modem, or to warn users in capped markets that they're about to reach their monthly usage allotment and will soon be paying overage fees.
While Comcast's efforts here may be well-intentioned, the act of fiddling with user traffic and injecting any content into the user data stream has long been controversial. Pretty much like clockwork over the last three years, you see stories popping up every few months or so explaining how letting such a fierce opponent of concepts like net neutrality fiddle with user traffic just isn't a particularly smart idea. Users have also consistently complained that there's no way to opt out of the warning messages.
But in addition to being annoying and a bad precedent, many think Comcast's efforts on this front open the door to privacy and security risks. iOS developer Chris Dzombak, for example, penned a blog post last week explaining how getting broadband users used to this level of popup pestering by their ISP opens the door to hackers to abuse that expectation and trust via man-in-the-middle attacks:
"This might seem like a customer-friendly feature, but it’s extremely dangerous for Comcast’s users. This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse. Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer’s Comcast account and which might ask for financial information.
Any website could present its users an in-page dialog which looks similar to these Comcast alerts. The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites — remember, most password recovery mechanisms revolve around access to an email account."
Each time this subject pops up, Comcast's engineering folks are quick to point out that this is all perfectly ok because the company filed an informational RFC (6108) back in 2011 explaining what the company was up to. Usually this results in media outlets quieting down for a while until somebody new discovers the popups. But Dzombak is quick to correctly note that filing an RFC isn't some kind of get out of jail free card for dumb ideas:
"Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works. This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you.
First, let me point out that just publishing a memo that says you plan to do something, doesn’t mean that the thing you’re doing is acceptable.
Second, RFC6108 does not address this concern whatsoever. There’s a short section about security considerations, which largely boils down to this guidance: “…the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques. Finally, care should be taken to provide confidence that the web notification is valid and from a trusted party, and/or that the user has an alternate method of checking the validity of the web notification. …”"
In short, that puts the onus on customers to know that these popup notifications should not ask for login information. But most users simply aren't going to know that, and would be easily fooled by a phony popup that mirrors this dialogue but redirects users to a malicious third-party website asking for their user credentials. This is just a snippet of HTML on an unencrypted website; there's no magic bullet way of being sure the web notification you're viewing "is from a valid and trusted party." Comcast told Dzombak his points are fair on Twitter last month, but still hasn't seriously addressed the problem.
Comcast has your e-mail address for notifications. There's really no reason to fiddle with user traffic. It's a horrible precedent that's not only annoying, but a potential privacy risk. Fortunately the problem may self-resolve as Comcast can't inject the messages into encrypted streams -- and encryption use overall is on the rise. Still, it's not a particularly great precedent to let a company with a long, proud history of fighting net neutrality fiddle with data streams, however purportedly noble the intention.
Filed Under: dpi, message injection, net neutrality, packet injection
Companies: comcast
Reader Comments
This is just getting people used to this till they start injecting ads. Just wait.
[ link to this | view in chronology ]
The average person will have no way to tell the difference between malware popups from Comcast and malware popups from others. How long until the bad guys start formatting popups that resemble the Comcast popups?
[ link to this | view in chronology ]
It's all okay, because we posted a public notice
[ link to this | view in chronology ]
Re: It's all okay, because we posted a public notice
All the documents were posted for public display in the basement of the local planning office.
(Caution: Stairs inoperative.)
(Warning: No Lights)
(Beware of the leopard.)
[ link to this | view in chronology ]
Re: Re: It's all okay, because we posted a public notice
[ link to this | view in chronology ]
It's obvious that it "exceeds authorized access", if I can not opt out of such notifications. If I want to go to the local county website, and it's blocking information, that's directly related to the government requirements.
Now the CFAA is really broad and should be fixed, but the DOJ should swing both ways if they want to prosecute others for it.
The main issue though is that it's just bad practice, and encourages others to use these notifications to hack into people's accounts. We've already seen this with SSO on Facebook, Google, et al logins and XSS attacks.
[ link to this | view in chronology ]
Re:
Silly analogy and everyone posting here probably knows the many things wrong with that argument, but I'd bet that's how it's presented.
[ link to this | view in chronology ]
Re: Re:
In what world does this make sense? Adding, changing, removing, or even just LOOKING is interference at a technical level. Hell, there is interference from the natural world that is already a problem we have to deal with in networking, let's not add fucking more!
Doing anything other than passing the data along like a good network device is interference!
[ link to this | view in chronology ]
Re: Re: Re:
"Doing anything other than passing the data along like a good network device is interference!"
But, not "wrong" if you're the one in control. They *are* adamantly against being classed as common carriers and dead set against net neutrality...
[ link to this | view in chronology ]
Re: Re:
Would you be happy if they injected a voice into your phone calls to warn you that you were about to run out of purchased minutes?
[ link to this | view in chronology ]
Re: Re: Re:
Didn't they used to do that on pay phones? (People still remember pay phones, right? I used one maybe twice in my life as a kid, so I might remember wrong.)
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Actually they are. If they are interjecting traffic in HTTP, at minimum they have to read the frame header and recalculate the length, and THEN they have to inject plain text into the actual HTML, which would require reading, at the very least the first few lines of the document.
So it is a direct interception and modification of a document transmitted between two parties, who may not have any contractual relations with Comcast whatsoever. (as in a house guest, or minor) It is not significantly different than intercepting a fax transmission, modifying it and retransmitting it. From a technological perspective, these two things are only marginally different. The fact that they identify themselves, doesn't preclude it from being a crime.
But the bigger issue, is that if they can do line rate modification at this level they have specifically built network infrastructure to do line rate modification for other reasons. This activity is not a feature that came with the network hardware.
What makes this work is infrastructure (expensive infrastructure) built specifically for intercepting consumer traffic, and MIM'ing it on demand. Which is to say, a stupid popup is not what justified the capital layout to build an overlay network for intercepting consumer traffic.
So what else is it being used for? My expectation, is that they are using it for state, and privately sponsored computer intrusion. Which makes them an agency of state, for all practical intents and purposes.
[ link to this | view in chronology ]
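The modification the comment above describes (a rewritten length plus markup inserted into the HTML) can be seen from the receiving side. The following Python is an added example, not code from the article, its comments, or RFC 6108; it assumes the defender holds a reference copy and digest of the page (for instance fetched over TLS), and the page content and the `notice.isp.example` host are constructed.

```python
"""Detect in-transit modification of a cleartext HTTP response body.

Added example. All sample data is constructed; notice.isp.example is a
placeholder host, not a real notification server.
"""
import difflib
import hashlib
import re

# Constructed sample: the document as the origin server produced it.
ORIGIN_BODY = (
    "<!DOCTYPE html>\n"
    "<html>\n"
    "<head><title>County Records</title></head>\n"
    "<body>\n"
    "<h1>Public notices</h1>\n"
    "<p>Office hours: 9 to 5.</p>\n"
    "</body>\n"
    "</html>\n"
)

# Constructed sample: the same document as a client received it over plain
# HTTP, with one extra element present near the top of the document.
RECEIVED_BODY = (
    "<!DOCTYPE html>\n"
    "<html>\n"
    '<head><script src="http://notice.isp.example/alert.js"></script>'
    "<title>County Records</title></head>\n"
    "<body>\n"
    "<h1>Public notices</h1>\n"
    "<p>Office hours: 9 to 5.</p>\n"
    "</body>\n"
    "</html>\n"
)

# The length header was recalculated in transit, so it matches the new body.
RECEIVED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Length": str(len(RECEIVED_BODY.encode("utf-8"))),
}

# Split markup into whole tags and text runs so the diff reports complete
# elements instead of arbitrary character offsets.
TOKEN_RE = re.compile(r"<[^>]+>|[^<]+|<")
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc=["']([^"']+)["']""", re.I)


def sha256_hex(body):
    """Hex SHA-256 of the body as UTF-8 bytes."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def added_markup(origin, received):
    """Return runs of tags/text present in `received` but not in `origin`."""
    a = TOKEN_RE.findall(origin)
    b = TOKEN_RE.findall(received)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    runs = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            runs.append("".join(b[j1:j2]))
    return runs


def check_response(expected_digest, origin, received, headers):
    """Compare a received body against the reference copy and its digest."""
    body_len = len(received.encode("utf-8"))
    runs = added_markup(origin, received)
    return {
        # Passes even for a modified body when the header was rewritten.
        "length_header_consistent": int(headers["Content-Length"]) == body_len,
        # Fails for any change to the body, however small.
        "digest_matches": sha256_hex(received) == expected_digest,
        "bytes_added": body_len - len(origin.encode("utf-8")),
        "added_markup": runs,
        "added_script_sources": [
            src for run in runs for src in SCRIPT_SRC_RE.findall(run)
        ],
    }


if __name__ == "__main__":
    report = check_response(
        sha256_hex(ORIGIN_BODY), ORIGIN_BODY, RECEIVED_BODY, RECEIVED_HEADERS
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the `Content-Length` check passes while the digest check fails, so a consistent length header says nothing about whether the body is the one the server sent.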
Re: Re: Re: Re:
It depends on how the law sees it, and the law and technical reality don't often see eye to eye. All I know is that the recipient has agreed to get their data delivered by Comcast, and the TOS probably has a clause allowing them to do this. I don't believe the sender of information has any say if the recipient has agreed to tampering or monitoring, but I could be wrong.
If you think this is criminal activity, go ahead and get their customers to sue. But, I think it'll be a long uphill battle and likely to be judged a civil violation at best.
"So what else is it being used for?"
Could be anything, the problem again here being that lack of competition means that Comcast know their customers have few places to go even if they completely lose all trust in them.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
No, the recipient hasn't in all cases. Home WIFI is often used by parties who have no contract with Comcast. So the closest thing to authorization, would be if the TOS requires the customer to act as agent, and indemnify Comcast for violations of the rights of the house guest.
But of course that is B.S. because as a monopoly market provider, (in most cases) the TOS is not a contract. A contract requires mutual consideration. If service is denied based on refusal of the terms in the TOS, then the 1st amendment rights of the consumer are effectively held hostage, due to the lack of availability of a suitable replacement. This makes the TOS an agreement under duress, and therefore no agreement at all.
And really there should be some thought given to whether this is precisely the intent of the monopoly regulations written by the various states. Do monopoly telecom relations derive from simple graft? Or is the purpose of these regulations, to effect upon the citizens a state of duress, and a mechanism of control for interfering with the citizens' Constitutional rights, making these regulations a tool of tyranny as well?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Well, that depends on what you class as "recipient". I'm sure that Comcast would consider it to be the router that logs into their network, not the individual devices connected to it. They're altering the packets that go between their servers and the device logged into their network, not the internal network controlled by the router.
Put it this way - my apartment building receives mail to the security desk, and the local security staff take responsibility for distributing it to the correct mailboxes across the complex. I'm sure that the postal service would consider the security desk the end of their responsibility, not the person who opens the envelope.
Again, you can argue whether this attitude is moral or even legal, but I'm sure that's how it's set up. Until such ideas are battled in court, all I'm saying is that saying that Comcast are criminally liable for inserting messages as they do is something of a stretch as I understand the situation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
The computer is not an entity legally able to contract. Only the sender, and recipient are. The TOS is presumed to be a contract for rendering of services, but it isn't since the services are natural law rights. The TOS can no more deny you the right to privacy, and the right to communicate privately and free from molestation, than it can deny you the right to breathable air.
As far as the technical means of interception; it is not articulated in computer crimes law in my state, only the act of interception is. The demarcation point of the communication is not generally relevant.
The only way that I can conceive of the demarcation point being legally relevant, is if the consumer was not in a monopoly market. In such a case it could be reasonably argued that the TOS articulated a contracted service, rather than an attempt to defraud the consumer by portraying a public utility as one.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
*Selective Enforcement*
You don't really the laws to be enforced on those who paid for them, do you?
[ link to this | view in chronology ]
Wiretap
[ link to this | view in chronology ]
Re: Wiretap
I'm pretty sure they're interfering with the normal operation of your computer to cause it to display their message instead of what you intended. Not all that different from the website defacements the DOJ has prosecuted people for under the CFAA.
> but it IS a violation of the Wiretap Act.
That too, then. That's probably how the DOJ would stack the charges against a peon.
[ link to this | view in chronology ]
Re: Re: Wiretap
No, they're not. The browser is displaying what it's instructed to display, as normal. It's just that the instructions to display this message have been altered between sender and recipient.
"Not all that different from the website defacements the DOJ has prosecuted people for under the CFAA."
Well, I'm not sure of a specific case but I'm sure that defacement would have been prosecuted as altering the code on the server. Nobody's accessing the server in this case. Nothing's being changed on any computer here, in fact, it's a change during transit.
As for wiretap act, I'm sure that's more applicable, but again it depends on how the law and court sees it. If Comcast's TOS allows them to do this and they're not currently injecting malware, I'm not sure it's actually criminal activity (however much you wish it may be). Comcast customers are welcome to take them to court and prove me wrong, however.
[ link to this | view in chronology ]
Re: Re: Re: Wiretap
So, as long as a computer is following instructions, no crime has been committed, even if those instructions have been altered without authorization. Interesting theory, but one wholly without any legal basis whatsoever that I can see.
Umm, so? Aaron Swartz didn't change anything on MIT's computers either. I suggest anyone unfamiliar with the story go look it up.
[ link to this | view in chronology ]
Re: Re: Re: Re: Wiretap
That's why I've repeatedly said you should wait for someone to sue and follow the court case. I'm simply, as a layman, explaining how I think Comcast can justify this not being illegal. I notice that people are just trying to shoot down me and my ideas without evidence or explanations of how it actually is in violation of the suggested laws.
The point is - if you're trying to apply laws that refer specifically to hacking a computer to this, you're on the wrong track and it's pretty dumb to think that Comcast haven't already consulted lawyers to see if they can get away with it. It's also dangerous to start applying those laws to such things if they're not the best tool. Wiretapping laws, more likely but it really depends on who is considered the originator and requester, and how the TOS and other agreements apply. That will take lawsuits and time in court.
"Aaron Swartz didn't change anything on MIT's computers either."
No, but he gained access to them in a manner that was deemed unauthorised, whether or not you agree with that assessment or the result (I don't, of course). The point is, the data is being changed *after* it has left the originating server and so the CFAA's rule about unauthorised computer access doesn't apply, no matter how strongly you feel it should compare to Swartz or any other victim of that act.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Wiretap
We're talking about criminal law, not civil.
People have provided examples of how the law has been interpreted and applied in the past as way of explanation. I don't know why you are ignoring that.
Comcast knows that they can get away with it because of who they are, not because what they did couldn't be prosecuted if done by someone less powerful. That's the point being made.
And Comcast is gaining unauthorized to the destination computer to display their messages. Let me ask you this, do you really think that if, for example, someone were to hack into the FBI's computers to cause them to start displaying unauthorized on-screen messages that they wouldn't be charged under the CFAA? Or is it all different, depending on whose computer it is? Again, that's the point people are making: unequal application of the law.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Wiretap
As am I, only people are bitching at me for trying to provide ideas as to why they're not being prosecuted for it.
"People have provided examples of how the law has been interpreted and applied in the past as way of explanation. I don't know why you are ignoring that."
I'm not, I just haven't seen anything relevant. Most claims have not been followed with citations or examples. The only one definitely mentioned is the Swartz case, which is irrelevant because it involved ACCESS to the originating SERVER. Which did NOT happen here. It's not being prosecuted under the CFAA because it's not relevant - unless someone can be bothered to give me a citation rather than whining. Get it yet?
"Comcast knows that they can get away with it because of who they are, not because what they did couldn't be prosecuted if done by someone less powerful. That's the point being made."
I agree, but nothing I've said changes that. I merely answered the person stating "I still don't see how this isn't violating the CFAA." - and nothing said to me had altered what I said. Absent an explanation of how the CFAA applies here, the examples given are utterly different cases to the one discussed here.
"And Comcast is gaining unauthorized to the destination computer to display their messages."
How? They are changing information in transit, between its own servers and those controlled by the requesting customer. They are NOT changing any data on the originating server, only data as it passes through the network they own, en route to the computer that requested the original information. Therefore, how EXACTLY are they gaining unauthorised access to the originating server?
[ link to this | view in chronology ]
So an authentic looking Comcast popup with a link to the Comcast password reset page with an iframe that injects a keylogger.
[ link to this | view in chronology ]
Re:
Even worse than that, the security guideline you cite would only be useful if users already knew that these notifications shouldn't ask for login credentials. Users don't know that; how could they? They haven't read this RFC.
So most people won't even think it's suspicious for a plausible-looking Comcast notification to ask them to login directly.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
What happens when the user "clicks here" on that dialog to upgrade their service? Does that upgrade really go through without them having to log in?
Can a web page's javascript read the Comcast dialog box and push the buttons itself?
Where's the content for this dialog box coming from? Does everyone get an iframe referring to the same server? That could be interesting—by compromising one web server you could compromise most of Comcast's customer base.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: opens the door to hackers
IMHO the fact that they are even touching the frame at or above OSI layer 4, is an intrusion into a communication between two parties who may or may not have contractual relationships with the carrier. And even if they do have a contract, the customer is probably in a monopoly market. So performance of the contract is under duress against the user's 1st amendment rights, and therefore void.
IOW, it is criminal wiretapping. This is equivalent to the post office, opening your mail because they don't like the style of the writing, reading the contents, and leaving a comment INSIDE the envelope.
A lot of this shit derives from false advertising practices. They advertise shared capacity instead of CIR, or SLA based rates for individual users, and then fuck the users on overages for using the capacity the carrier advertised. And to do this, they have to actually use MORE equipment to keep track of who they are fucking over.
So now they are monitoring traffic, they never technically needed to monitor, and the MPAA, RIAA and the FED start making demands of the monitoring capacity, and they start billing for consumer surveillance, turning it into a product.
This doesn't get solved until the carriers are separated from the content providers. It is just going to get worse with IOT.
So what is going to happen, is the fed will start wailing: "OMG, the Internet is falling! Whatever shall we do", and the carriers will step up and say: "Sure, WE'LL take care of that for you" which will put them in a position to implement regulatory capture over the IOT industry.
And Congress will high five, and return to being malevolently ignorant about the relationship between modern technology, and the Constitution.
[ link to this | view in chronology ]
Until Comcast forces all of its users to use a Comcast rented modem that they completely control.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
not just Comcast
Once, & only once, when I was trying to switch back to my old modem/ router hybrid, IIRC, because the new router I bought didn't work properly & put up massive security flags for wanting online access JUST TO CHANGE THE SETTINGS (have since gotten a different router that lets me in offline, & am using Charter's free modem, to limit liability for connection problems), I saw a similar message about the connection (don't remember what it said), assumed it was suspicious & called Charter to question it.
Next time, since I just have internet & there's no need for them to require anything of me to supply it, I might demand some kind of opt-out. I may also question its legality.
Luckily, I never provided them with my E-mail & don't have one with them. It's a wire into my place, all they should need is payment of the bill. However, I think I had to confirm my name. Wasn't comfortable with that already being in the message (not sure if it was part of the original popup or a page I clicked something to open).
[ link to this | view in chronology ]
Fuck that noise... They've trusted random strangers to walk up to the house and cut the corner off their station wagon to fix damage... and paid them in advance because "they didn't have the right paint" (vanished with the money), they've fallen for curb painting scams, after Dad died, Mom let some asshole talk her out of an antique, concert-grade double bass worth 8 grand at its last valuation... (in the mid 80's... ) for $3k. (After she told me how happy she was to sell it, I had to point out she had just been screwed out of $10-15k,)
I have enough trouble keeping my flaky family from screwing themselves over as it is, they do NOT need to be acclimated to accepting random windows that pop up.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I'm using an Australian proxy now (I think), but I tried 10 different countries' proxy servers. All moderated. I couldn't get one post through regardless of the server. I did a bit of research and found out that they can use flash to bypass the proxy. I thought it was bullshit, so I tried it. I turn flash on and I get moderated, I turn it off and my posts went through fine.
Don't be a dick PaulT, I'm only following logic here. If there is a reasonable explanation for it then fine, hit me with it. I'll admit I'm wrong if that's the case. But I've been testing it all morning, that data doesn't lie.
[ link to this | view in chronology ]
Re: Re: Re:
What is the content of the posts moderated, have you posted a lot that day, copied a lot of links, been flagged a lot by the community, etc?
I'm not saying it's absolutely not happening, but there are many other factors. The only times I've ever been held for moderation is when I've forgotten to log in and I'm posting from a new location with a bunch of links. That's a spam filter, not a grand conspiracy. It might just be that you've been flagged so many times on your proxied IPs that your own comments are what's causing them to be moderated.
"Don't be a dick PaulT, I'm only following logic here"
I hope you'll forgive me, but I find that whining about being flagged and moderated usually comes from people who have it happen because they're trolling or similar, not because of the software they're using. If that's not the case for you, I hope you get it sorted out.
Although I admit, the first thing that comes to mind here is "why are you so intent on using a proxy to hide your IP to post anonymously on this particular site?". My second thought is that you're acting suspiciously, so of course your comments will be moderated as such. My third is what these comments actually are that you're so desperate to get through and if they do indeed deserve moderation.
"that data doesn't lie"
However, sadly, a lot of ACs posting here do. If TD are indeed using extra protections to detect and restrict the trolls whose mission it is to derail every conversation here with fiction, I can't blame them.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
But you know what; I've been lurking this site for 10 years or so. I've had some knock-down drag-outs with people, but never targeted for moderation like this. I was hurt at first, now I'm just disappointed. I wasn't cussing anyone, I was arguing the hell out of my point and bam... moderated. On that particular subject, I'm very Right leaning, I hope that wasn't the reason but it sure as hell looks like it.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Again, perhaps it's what you were saying (or the community's reaction to it) during those arguments that's caused you to get flagged.
"I was arguing the hell out of my point and bam... moderated"
Oh, there it is. Since you insist on commenting anonymously (quick hint - in my experience, logged in accounts are subject to far less moderation), we can't verify the argument without you linking to it. But, at a guess - you were flagged as a troll so you were moderated. You continued the same argument on different IPs, got flagged again on those, and now your entire pool of IPs has been flagged. So, the filter correctly causes flagged IPs to be moderated. No client-side coding required.
There could be another explanation, but I find that people here whining about censorship and unequal treatment are usually those who are just being flagged as trolls. Whether you agree with that label or not, I fear that's the reality.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
So you agree they are censoring based anonymity? Way to make my point ass hole.
You're such a piece of shit. You don't know the first thing about what you're talking about or the VPN service I use so you're just tossing out insults and guesses. I have a lot more than a handful of IPs to choose from you retard. Take your arrogance and your complete lack of understanding of what the fuck you're talking about and shove them both up your ass.
"But, at a guess - you were flagged as a troll so you were moderated."
That's all you can do? Fucking guess? Nice contribution to the discussion.
"There could be another explanation, but I find that people here whining about censorship and unequal treatment are usually those who are just being flagged as trolls."
Unlike yourself, I'm not guessing. I spent quite a bit of time testing my theory against their website.
I suggest you learn a little about how this shit works before you open your pie hole and confirm the fact that you're an idiot.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
No, I'm saying that without any verification of who you are, they can only filter based on your IP. If your IP is regularly flagged, it gets moderated. If it's been flagged in the past, but your account wasn't flagged at that time, then it can be presumed that it wasn't your comments that caused the flag. If the IP stops being flagged, it doesn't get moderated no matter how anonymous or otherwise the author is.
It's not discrimination or censorship if you've chosen not to provide the data to distinguish you.
It's not hard to make the distinctions here, but you have to base your response on facts.
"Way to make my point ass hole."
Oh, so you're one of those fools who devolves into name calling when they can't argue on facts. It's not really a mystery why you're getting flagged by the community, is it?
"That's all you can do? Fucking guess? Nice contribution to the discussion."
While you're continuing your descent into whining swearing toddler tantrum, you might wish to consider that this is all you've been doing as well.
"Unlike yourself, I'm not guessing. I spent quite a bit of time testing my theory against their website"
No, you tested a single criteria, and all you managed to prove is that the IPs you use on your proxy have flagged for moderation. Probably due to behaviour similar to that displayed here. Did you consider not acting like this, at all?
"I suggest you learn a little about how this shit works before you open your pie hole and confirm the fact that you're an idiot"
Sorry, I don't talk to children while they're making a scene. Come back when you pass puberty.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Yes. Java and Javascript are completely different technologies with different uses and implementations. Mixing the two up means you have no idea what you're talking about. I apologise for exposing your ignorance, but this is why I questioned your claim to begin with. Java doesn't get used for things like the action you claim, which makes your claim wrong.
"You're the worst kind of troll"
Stating facts is not trolling. I'm sorry that you lack the knowledge you claim to have, but that's not my problem.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
I'd laugh if I hadn't spent the last few months watching people like this get elected to prominent positions that will shape the next decade of my life, at bare minimum, and probably much more than that.
[ link to this | view in chronology ]
Can you imagine?
[ link to this | view in chronology ]
How big of an issue is this with HTTPS? (TLS)
I can understand how Comcast can inject anything into an HTTP result. But what about when you are using TLS?
Aren't more and more sites secure against this type of attack? And Comcast's injection of anything IS an attack! At least in its implementation, even if the motivation is different.
Even traffic in other protocols, how much is in plain text these days?
Any useful or informative information?
[ link to this | view in chronology ]
Canadian ISPs have been doing it for years.
Listen to us talk about it with Lee Brotherston... http://traffic.libsyn.com/brakeingsecurity/2015-006_ISP_MiTM-Lee-Brotherston.mp3
[ link to this | view in chronology ]
Re: Re: Canadian ISPs have been doing it for years.
Rogers actually still do this, they're just less obvious about it now. But their warnings about going over your bandwidth usage, for example, use this technique.
Last time I checked they were using the PerfTech platform, but that could have changed since.
As Bryan mentioned, I did a little research project and talk on this. If you're interested, here are some links to what I found:
mini-summary: https://blog.squarelemon.com/2014/11/corporation-in-the-middle-blog-edition/
bsides talk: https://www.youtube.com/watch?v=_YeaYIPM-QI
me chatting with Bryan about this: http://traffic.libsyn.com/brakeingsecurity/2015-006_ISP_MiTM-Lee-Brotherston.mp3
[ link to this | view in chronology ]
Dear XFINITY Executive,
XFINITY significant other. Further f**ing will
incur f**ing usage overage charges on your account.
To avoid overage charges and sign up for the
Unlimited F**ing option, click here.
[ link to this | view in chronology ]
Thanks for the Information
[ link to this | view in chronology ]
Comcast - rape is ok when you know it's coming
-"It's ok to rape you because I told you I was going to rape you" - Comcast
-"It's okay to steal from you because the government got a notice that we were about to rob you and they did nothing to stop us"
Should I keep going with what Comcast excuses sound like?
Slow clap for Comcast, and no it's still not ok
As much as I love the internet, I will laugh pretty hard when a solar flare fries all the cables. =) Comcast you are terrible.
[ link to this | view in chronology ]
Creepy Comcast.
[ link to this | view in chronology ]