303 comments

[ 4.3 ms ] story [ 294 ms ] thread
Yeah, they've been doing this for years. It sucks.
Totally aware it's old news... and I was hoping to paint a better picture than the previous artists.
Yeah, I'm not hating at all. Just signalling frustration with you.
> They injected 581 lines of JavaScript code, resulting in a total of 48.5kb data resulting in additional data towards my data cap, as well as my page becoming interactive ~250ms slower. This means that even though my internet is faster than before, my computer performs worse when utilizing Xfinity internet.

I get the complaints, it sucks, it degrades the internet experience. But come on. This is the most contrived complaint I can think of. You get at least, what, 40GB of data a month? Please tell me about how using 0.0000048% of your data cap is affecting you. You used more data writing this blog post than that javascript code would use in 10 years.

It sucks, but stop contriving bullshit about it. It's not that bad, it's just ugly and intrusive. Take your stand on that hill, not this one.

Pretty sure the Xfinity data cap is 1TB. I just checked, and I've used just over 1.3TB this month (yay streaming TV), no notice, no MTM, maybe I'm .... lucky?

Update: I used 1.6TB the month prior - also no notices. Maybe it's because I have Xfinity at my office too? No idea why they aren't harassing me.

Interesting data point. Would also be good to know that your bill doesn't reflect your overage either.
They won't be able to to MITM encrypted connections.
I believe they give you 2 months of going over before they start charging you as a 'warning' that you're over the data limit. Not sure if they warn you if you go over in those two months or not.
Egad. If you see my updated comment I went well over last month (1.6TB), and now this month as well. We'll see what they say. Like most people, Xfinity is my only high speed Internet option.
They will likely encourage you to upgrade to the unlimited plan (+$50 each month)
I looked back, and over the summer I used well over 1TB for several months. Not a peep from Comcast. I'm going to shut up now, before Murphy's law applies.
The injections where particularly annoying for me because I was planning on getting the capped removed, but wanted to use those two months before doing so. I started getting those warnings about 2-3 weeks in for both months.
i wonder if the data cap is just at the router level or if they charge you for whenever you use any of the other xfinity hotspots that they set up on their customers' routers.
In my experience, they do warn you during the 2 months where the overage fee is warned. The injected message might be slightly different to indicate that it is one of your 2 months where the fee is waived.
AFAIK, if you have a plan that comes with the Xfinity router, you don't have a data cap. Otherwise, you need to pay for unlimited data (which is pretty hard to explain to the call center people who really want to sell you cable and/or a landline).
It's only the XFi router that gives the "free" unlimited service, and even that I believe may only be in certain areas.
I lease my modem from Comcast (not Xfinity combo) and have exceeded my cap repeatedly since switching to steaming TV without any notice.
If you've gone over before, they will charge you $10/50GB of additional data, capping at $200 more a month.

You can pay them an extra $50/mo to remove the data cap.

This is coming from someone who unknowingly got a $200 bill one month because of Comcast.

I left them and don't regret a second of it. Terrible customer service all around, and just an evil company from the top down, especially after having read Farrow's recent book Catch and Kill.

The issue is that most people can't change off of it due to a lack of competing service providers.
When I moved to Daly City my options were either Comcast or DSL. I picked DSL (w/ Sonic), at significantly slower speeds. Sonic's DSL is just resold AT&T DSL, which I also hate, but I hate Comcast more.

If my only options were Comcast or dial-up, I'd probably still pick dial-up.

I would love to see the news story about Comcast having fewer remaining subscribers than the DSL provider...

still wouldn't make them change their practices, I believe they are too far corrupted to ever 'heal', but it would be hilarious if they gave up serving an area because it wasn't economically viable anymore.

Also, the cap is still 1 TB even if you're paying them $127/mo for the 1000 Mbps service, so you may as well just consider that +$50 an extra hidden fee for anything over 250 or 500 Mbps, assuming you're actually using it.
Not all areas have data caps, it seems to be localized to specific regions.
Because it’s happens with every single request. But also that doesn’t matter it’s just wrong.
250ms is a lot. 50kb isn't a lot on it's own... but when it happens consistently then it adds up quickly.

Also, it's just plain wrong to charge me for what I didn't ask for.

The argument is weak, but it's also desperate. These days trying to influence companies often comes down to some argument based on objective costs. "You are modifying my content against my wishes and adding latency to my Internet browsing experience" isn't objective.

Personally I think it is morally wrong, and it also is definitely impacting a person's Internet experience. 1/4 of a second is an eternity if you're sensitive to latency. So yeah it is "that bad", it is ugly, it is intrusive, and it speaks volumes about Comcast.

Agreed.

> The way this code was implemented, the code blocks the page from loading for 250ms, resulting in a much slower internet experience.

Of all the things to complain about that load on almost every web page you visit this seems like the least of your worries.

I agree this is in poor taste, pretty annoying, and could be leveraged to dupe unsuspecting people into coughing up their Xfinity credentials, but complaining about it slowing down page load is like complaining about the heat in hell.

That’s what I’m saying! I must have really hit a sour nerve, my comment was apparently so bad that it got flagged and my post history was torn through to add tons of downvotes.
How do you know that their (Xfinity) JavaScript code counts against your data cap?
I'm curious about this as well. When I worked on content-based billing in Canada years ago, we zero-rated content that was served by us, so it wouldn't contribute towards data usage. That was a different time though and likely a different implementation.
So much of the tone of this article is vaguely alarmist, which is a little annoying... seeing as the issue described is already extremely alarming

It didn't need the theatrics and intentionally misleading garnishments (like quoting Comcast's own RFC that's describing their own recommended behavior for themselves, then pointing out you can phish people, and then awkwardly trying to glue those tangential points together)

The bad behavior is bad enough that it'd stand on it's own, and if it instead focused on things like accessibility up front, it'd be much stronger of an article (and people would be more likely to read it all the way through)

I am also curious! I want to know how the author got to their conclusion.
Even if it does, that's way overnight on the article. A few 50KB here and there aren't your problem if you're blowing past a 250Gb or 1TB data cap.
doesnt fort collins have municipal internet now? reading here: https://www.fcgov.com/connexion/ i guess i didnt realize all of fort collins wasnt yet covered.
Out where I am we don't have fiber yet :( We'll be switching ASAP when it's available.
i love fort collins so much and it gets even better the further north and/or west you get.
Even if that is a case for this specific user, that doesn't really resolve the underlying uses that is also affecting spaces that have a regional monopoly (e.g. me).

EDIT: I understand that's not your point. And I whole heartedly support people leaving and supporting municipal ISP.

i understand your perspective. i live in denver and xfinity and whatever comcast lets centurylink have are my choices. i was initially reacting to the sentence in the post that mentioned that xfinity was the only available option and that struck me as wrong. i did a bit of research before firing off a post and discovered that my thought was incorrect and based off of incomplete information, but i left it there in case anyone else was under the same impression as me.
Yeah very few houses actually have been signed up so far. They're doing it on a street-by-street basis starting in the old town area.
I think the school has the fiber too.
They can do this on any site including secured ones? I don't think the link makes this clear.
I don't think this would affect requests over an https connection.
You can MITM https.
How? Excluding cases where the attacker already has some sort of secret
That's interesting. Can someone elaborate on this? My understanding is once the session is established, that's it. just encrypted traffic. How to inject something into ecrypted traffic?
DPI units can unwrap and re-wrap SSL
Comcast's RFC (6108) states that it designed the system described therein specifically to not need to use DPI.

Not saying Comcast definitely doesn't use it; rather, that it'd be hilarious to see Comcast lie to everyone's faces yet again.

Of course, to distinguish HTTP traffic from non-HTTP traffic and to intelligently insert the code snippet only where it won't disrupt e.g. API call response or a file download, some basic level of DPI is required.
Do you have a link to anything on this? I'm still not clear on how to MITM a TLS transmission sans CA cert.
The attacker needs to generate a new cert that the client trusts. This is easy on a corporate network where you can force users to trust a private CA. Unlikely to happen with a US ISP, but possible if someone hacks the CA (eg DigiNotar) or the CA hands out unconstrained certificates to someone who acts badly (eg CNNIC).
What you are describing doesn't seem to be a MITM attack on https traffic, but something else, which is why I stated "sans CA cert".
They're describing what would be required to MITM HTTPS traffic. You're correct that they essentially need to get the cert.
Speaking of which, is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
Without a root CA? And without showing up in certificate transparency logs?

Good luck :)

You don't re-wrap. You just downgrade to HTTP.

This is why TLS1.3 and HSTS exists.

Only if the victim trusts the attacker's certs, right?

That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).

> That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).

The moment that was discovered, the CA would stop being a trusted CA.

Only if it was a barely used CA. If killing it would break lots of sites, it would take years to kill if ever.
There's a lot more appetite these days for enforcing requirements on CAs, ever since CT started going down the road towards mandatory, and ever since misbehaving CAs started getting forced to implement it immediately. Intentionally MITMing TLS on the broader Internet the way this thread is talking about would be a fairly quick death sentence.

Also, given the existence of Let's Encrypt, there's much less reason to be using a paid CA, and planned migration to a new CA provider isn't too much to ask. There'd likely be some work within browsers to provide clear error messages, and sites would need some amount of time to migrate, but I think we're talking days-to-weeks before there's a warning banner on the sites and months at most before the CA is dead.

Mozilla would kick Comcast out of the root CA list pretty fast.

Finally, there is certificate transparency logs, you can set CT headers on your site to require the certificate to be in CT logs. Then you can monitor if anyone's creates certificates for your domain. And updated clients can validate that certificates is in the CT logs.

HTTPS is pretty robust these days. There's still a few corner cases around SNI, but that only leaks what host your visiting, wouldn't allow injection -- and specs are slowly closing those holes too.

Is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
Mozilla maintains a list of root CAs that are distributed with Firefox, and used by most other vendors too.

But really, if you don't trust what installed on your machine it's game over.

Only if you have a cert that the browser trusts for that domain. If a CA was found to be illicitly minting certs, browsers and operating systems would untrust them. All their certs would stop working. Their business would be ruined.
Technically, yes, but the only way I know possible is having direct access to the target device to force it to trust fake certs, and is usually used to unwrap encrypted traffic being sent from applications on your own devices. I don't know of a way for the ISP to do this, unless they conspire with a certificate authority. I'd like think this isn't happening.
Have your customers install internet "accelerator" software.
Fortunately, iOS devices won’t allow this.
Further incentivizing the use of HTTPS everywhere, imo. It's such a cheap standard now. Correct me if I'm wrong, but I don't see any good reasons for a site to be running HTTP any longer, other than laziness.
I'll give it a shot. If you put up your site behind HTTPS you are breaking the web for older web clients. Many sites have already deprecated TLS v1.1 so even 10 year old devices may no longer be able to access the web. HTTPS is great but it has a cost.
> even 10 year old devices may no longer be able to access the web

I think you mean 10 year old software, which is a much smaller bucket than 10 year old devices. And if you're browsing the web with 10 year old software, you have much bigger problems including but not limited to committing security-suicide.

Well the TLS change breaks software (FF 26) (2015) and affects android versions <= 19 (2014). Kind of a bummer if you have old smartphone. But I agree, it's a tiny bucket and it's best to upgrade when you can.
Not too many attacks these days target Amiga software
I found some old Macs belonging to a non-profit to be apparently useless (for their purposes) because you couldn't upgrade the system software enough to let a browser operate properly with secure sites. Sure, there's Linux, but they appeared to be useless as Macs.
Right, and presumably using a VPN would stop this as well, but you'd have to get a pretty nice VPN to not impact your experience by 250ms/req.
When i have seen this. It normally shows as slow loads on nest web cams. Turning on the VPN and poof it goes away
>but you'd have to get a pretty nice VPN to not impact your experience by 250ms/req.

Eh? I was thinking the opposite, that's such a ludicrous latency overhead that it would be trivial to go to any VPS provider even sort of nearby and spin up a $5 instance with Algo. The only concern normally for some of them is the super cheap simple managed instances often have data caps too (though some provides are bandwidth limits only), but in this use case even that doesn't matter because the limits are still higher than Comcast's regardless. There are datacenters in Denver, but even if you had to go all the way to SF and it's a worst case adding 1800 miles RTT that should still only be around 10-14ms or so right? The article seems a little silly to go on so much about a few kb of data out of tens of gigabytes or a TB or whatever Comcast's caps are, but 250ms is wild, even without all the other breakage.

Although I've always heard that if you're ever forced to go Comcast, the average HN type would be best off seeking a Comcast Business connection that has actual support and customers that use the internet fully.

Agreed. I used to run all my traffic through a VPN I ran, and found that the average latency was lower than routing it to the default gateway.

This was possible because my server was well connected and very low latency talking to Comcast, and also very low latency talking to the rest of the Internet via Level-3, Time Warner, QWest and InterNAP. Where directly routed traffic would run over the Comcast network most of the way across the country.

One problem with this approach is many streaming content providers identify known VPN egress points, consider them methods for subverting region-restrictions, and thus won't serve ANY data to you. Netflix does this w/ PIA (and probably others) for instance.
Does changing your DNS modify this behavior? I had some similar issues with Cox in DC, and switching to run everything through 8.8.8.8 resolved the issues. It also resolved a problem with CenturyLink in Seattle where for whatever reason I couldn't speedtest through fast.com.
Current Comcast user here, I can confirm that it does not.
Nope, they physically open your packets, change the content of the HTML, and send the packets along the way. Even if you access the IP directly, it still injects code via MITM attack.
I saw the MITM injection from Comcast exactly once and it served as a reminder to go and change the DNS settings on my routers. Never seen the injection since, and I've been on Comcast for years.
That is odd, I recently got a MITM injection even while running everything on openDNS.
Maybe you're right and me not seeing injections could be explained that a lot more traffic goes through SSL/TLS by default, or I'm just not getting close to my monthly quotas any more.
I still get it with Cloudflare, Quad9, and Google as dns.
If you're using a Comcast router they don't even let you change your DNS on the router and any client DNS settings will be completely ignored.

It's kind of insane that they get away with charging customers $10-15/month for the privilege of a router without any privileges.

"any client DNS settings will be completely ignored" - how are they accomplishing this? I wouldn't think this would be possible...
They perform a MITM attack on your DNS packets, since DNS protocol is unsecured.

It is another reason they're flagrantly against encrypting DNS and attempting to get laws passed against it.

Giving google your DNS requests isn't really better either...
I used to live in Fort Collins and I was _floored_ the first time that an xfinity data limit popup appeared on a random website. Colorado needs a better provider.
FoCo is getting giga fiber!
To people who live in Fort Collins actually call it FoCo?
I don't any more but when I was there I called it FoCo
Yes. To the extent that many of the surrounding areas call themselves NoCo for North Colorado.
I have GB fiber from CenturyLink for $85 until the city broadband, the city has had FTTH for at least 10 years or so, so anything new this should be doable.
Where in Fort Collins have they deployed FTTH, and when? I know FRII deployed some fiber, but based on some conversations I had with them they had largely abandoned it because of the burden of doing fiber locates. I don't know of anyone who has FTTH. The best my house lists on the Century Link site is 40Mbps. But, the city ran their conduit by my house 2 weeks ago, so hopefully we have fiber by the end of the year...
Oddly when I first moved in they said also 40Mbps, then 200, then finally GB. I think they were upgrading the upstream equipment because I had fiber the whole time. I don't know how to find out other than calling, although they do send mailings to our street as well.
I just got this as well. I’m appalled at the complete lack of thought put into this. I’ve had numerous emails & push notifications telling me I’m over my data cap; I don’t need injected content into my page in addition.
They have my #. They have my email. They have my address.

Those are the ways I want to be contacted.

Wonder where this falls under the Computer Missuse act?
First time I saw one of these 4 years ago was when it popped into a Steam sale advertising window. Really creeped me out. A sure sign Comcast is pretty much 100% infected with Bovine Spongiform Encephelopathy. Still they offer Internet that is 10 times faster than the competition. Ah, the tyranny of the last mile. I went with Comcast Business, and they don't have data caps...
Post author, what website were you visiting that was served over http:// allowing a data injection to occur?

Have you contacted them to warn them that Xfinity is injecting JS into their site, and asked them to implement HTTPS+HSTS to protect against that?

I have Xfinity and they’ve done this to me. It only happened to my wife when she was browsing. My data Cap has hit 90% this month but I haven’t seen the message. 4K Netflix is no joke and can easily make me hit 1TB.

Safari is my main browser and I recently stopped using Chrome. I believe my wife uses Chrome. Maybe this doesn’t work on Safari?

How are they Communistcast? Clearly the represent the worst of capitalism unless I am missing something.
(comment deleted)
Ugh:

  <style>
  body {
  display: none;
  }
  </style>
To read the article without JS, disable also CSS.
Does your browser not load <noscript>?
It doesn't, which is admittedly pretty unusual.

Never mind. Sorry for the noise.

Oh okay! I just wanted to make sure there wasn't anything I could do to make this a better experience for you! Enjoy.
Better solution: use Firefox and just prepend `about:reader?url=` to any URL you load. This article loads very nicely in Reader mode.

about:reader?url=https://rietta.com/blog/comcast-insecure-injection/

One of the things I tried really hard to do is make the HTML _really_ clean for things like this. Is reader mode "really good" or do you think it loads very nicely because of the work we put in to make the HTML nice?
I think it's a mix of both. Honestly I vastly prefer Reader mode's presentation than any other layout, and especially any layout which changes if I interact with it (resize window, move mouse, click mouse button, press key, send window to background, whatever).

I have seen some sites that completely break when using Reader mode. I have seen sites that are very well done in Reader mode complete even with pictures.

This is why regulatory capture matters: https://en.m.wikipedia.org/wiki/Regulatory_capture

Big govt bureaucracy is terrible, but a private one (which is confident they won’t face any trouble or practical consequences) is still trouble.

There hopefully won’t be “mask off” moments for these providers & get really gnarly but this kind of behavior can screw over regular Joe’s & Janes

I'm intrigued by why you created a one off account just to post this. To address something that stuck in my craw though -

"Big govt bureacracy is terrible, but a private one (etc)"

You're implying big government bureaucracy is the only option here. How about, you know, regulating internet as a utility? The thing we've been wanting since forever? Unless there's actively a shortage of water or power, I can get those and use them as I feel like, paying extremely low fees. I don't care if my internet is pay for use, provided it's priced close to the actual cost.

> This attack entirely breaks tab ordering, deeming the internet unusable for people requiring software assistance to provide accessibility to the World Wide Web. Additionally, the “escape” key, which is often used to close dialogs, doesn’t close the Xfinity notice.

A few weeks (months?) back there was an article about ongoing litigation on if websites are required to have accessibility compliance under the ADA act. I would be very happy to see Xfinity sued for this practice under that precedent and hopefully any injection would be considered a violation.

Status of supreme court case: https://www.scotusblog.com/case-files/cases/dominos-pizza-ll...

The litigation is over. The Supreme Court declined to hear the case a few weeks ago. The "Petition DENIED" at the bottom of that status page is referring to the petition for cert.
That is inaccurate for many reasons.

The Supreme Court declined to overturn the Ninth Circuit, because there was no circuit split or other issue of such urgency to require the Supreme Court to weigh in.

The US Court of Appeals for the Ninth Circuit ruled (somewhat) in favor of the plaintiffs, and remanded the matter to the district court having reversed the lower court on some questions of law.

I think it is still a live controversy in the district court, but it seems likely that the plaintiffs will win on the merits or obtain a settlement.

https://cdn.ca9.uscourts.gov/datastore/opinions/2019/01/15/1...

You wrote "That is inaccurate", but you didn't cite a single inaccuracy in the gp comment. You wrote some other sentences, but they don't appear to contradict anything gp wrote.
The GP claimed litigation was over. The parent claims it isn't over. Oftentimes higher courts decide a specific question pertaining to a case, not the whole case. Just because a higher court clarifies something doesn't mean litigation is over - it means the lower courts can continue with that point now clarified and/or corrected.
Thank you for the further explanation. I see what you mean.
The litigation is on going. The Supreme Court declined to hear the petition to essentially throw the case out, in effect paving the way for trial between the plantiff and Dominoes.
Only tangentially related, but how is the ADA act looked upon by Americans? The only time I've heard about it as an European was when Stanford (?) was forced by litigation to take entire swathes of free online education offline because it didn't have subtitles. I'm all for making the web more accessible but it really soured me on the notion of such acts and if they are the best way to enforce said accessibility.
All tools can be used for good or ill. The ADA has made the US a whole lot more accessible for many folks from wheelchair ramps everywhere to disability accommodations at fun parks.
Most everyday Americans probably know very little about its particulars, though they all know the name. Business owners, especially small business owners, are well aware of its abuse on several fronts, from labeling pets as "emotional support" (fortunately this has been clearly rejected by statute, but people try it anyway), to suing business owners because their wheelchair ramps are the wrong angle, to examples such as the one you mention (which to me was a violation of free speech as well).

I am all for web accessibility, and I think companies and developers should consider it a priority, but I do not think a law like the ADA is a good fit for this issue. The parts of the ADA that are good are the prohibition on actively discriminating against people with disabilities and requiring reasonable changes in policies. Requiring buildings to be rebuilt and taking down websites are excessive infringements on freedom and would best be addressed by the free market.

Here are some links you might find interesting: https://www.the-american-interest.com/2013/06/11/the-disabli... https://attorneyatlawmagazine.com/ada-trolls-and-unintended-... https://www.city-journal.org/beyonce-lawsuit-ada https://www.phoenixnewtimes.com/news/parking-lot-trolls-laws... https://adadefense.net/

How would the free market help increase web accessibility?
It would be one of many possible features firms could compete on. Developing more accessible apps would result in an increased userbase leading to greater revenue (and potentially take you from a perfect competition to monopolistic competition secnario, reducing the elasticity of demand for your product, allowing you to raise the price).
> Developing more accessible apps would result in an increased userbase leading to greater revenue

Only if the marginal cost of developing them is less than the revenue attained by developing them, which is also limited by the amount of funds that disabled people have.

Disabled people existed before ADA, and the reason ADA was popular was because it didn’t make business sense to serve the disabled population. There’s no way construction costs of ADA accessible features of a building will ever be recouped by sales to disabled people needing it.

A free market solution would require the government to give sufficient cash to disabled people, enough to make businesses want to compete for them. But that is also wrought with possibilities for corruption.

My HOA was sued for some slightly uneven sidewalks and the fact that some people had parked cars that jutted out of their driveways. Plaintiff doesn't live here, has pretty much made a living by such lawsuits. So while I agree with the tenets of the ADA, it's just one more example of how legislated morality will be abused by a small percentage for their own gain. If it were repealed tomorrow I would shrug.
Just because someone is entering a seemingly frivolous lawsuit, is it fair that the HOAs sidewalks are inaccessible in general? I feel like it feels wrong because someone is profiting on it but society is more equitable as a result and I don't feel that is an abuse of the legislation.
In fact, if profit drives more people to fight for what's right, then it becomes easier to make the world a better place.

Profit is just one form of incentive that we can align for increasing compliance with directives with a positive social benefit. All incentives are abusable if you design them incorrectly, so I see no reason to vilify profit over other kinds of incentives.

This is very convenient and self serving logic. Everything will be abused by a small percentage for their own gain. Dismissing the entire ADA because of a few anecdotal examples that were irritating to _you_ is completely nuts when weighed against the massive improvement in quality of life the ADA has created for the millions of disabled Americans.

When you say you'd shrug what you are really saying is that you care about your HOA and don't give a crap about people with disabilities. If you did care you'd be proposing ways to close loopholes like the one Plaintiff was exploiting.

I hear plenty of stories like this out of California. Their enforcement of the ADA is somewhat unique. Instead of having inspections and compliance officers, any wronged party can file a claim and receive ~$4k in compensation. There are plenty of people who make a considerable amount of money as 'freelance' code enforcement.

My issue with this system is the animosity it causes. Panzagl had one interaction with this method and it was enough for them to be ambivalent about the ADA.

A friend of mine does public outreach for an organization for the blind in Seattle, and 99% of ADA non-compliance that they see stems from ignorance and is solved by education.

I used to live in a neighborhood that frequently had un-shoveled/un-salted sidewalks and cars parked across the sidewalk. As someone who walks a dog, it's fucking obnoxious to have to wander around in two feet of snow because someone didn't want to park on the street, or slip and fall on an unsafe sidewalk.

The disabled aren't the only people who care. Take care of your sidewalk, it's your legal fucking responsibility.

(comment deleted)
(comment deleted)
I believe this happened at UC Berkeley as well. For what it's worth, neither institution was 'forced' to remove the content. They were obligated to offer the content equally to all users and they chose to not do so because it cost money to create accessible content. While I feel it's unfortunate access to information was lost, I respect and still stand behind the sentiment of the law. Just because you're doing something 'good' doesn't mean you can ignore access needs of protected classes. Especially considering these are institutions with billions of dollars of endowment, funding, and tuition, I'm certainly on the side of the those with disability.
> ...I'm certainly on the side of the those with disability.

In your mind, is it possible to be on the side of those with the disability and yet still against the ADA?

Put another way, given the two concrete examples mentioned (UCB and Stanford) did actual people with actual disabilities gain greater access to the content that was taken offline (in order to comply with the ADA)? Lots of laws have good intentions and bad effects. I think we should judge them by their effects, not their intentions.

If ADA compliant content requires more resources to produce, allowing something to remain in violation because it’s free seems like a great way to price ADA compliant content out of existence.

That said, perhaps an improvement to the ADA would be budget to help producers of free content to become ADA compliant.

In America, due to a distrust of bureaucracy and the fact that enforcement or lack thereof can be up to the willpower of the executive, establishing liability via the judicial system is an effective enforcing mechanism.

Absent liability, the other alternatives are some sort of executive branch enforcer (which does things to the whim of the executive) or some kind of onerous licensing/certification scheme (e.g. doctors), and both are IMO worse outcomes.

This is a criminal case, I for one cannot accept a financiap repercussion for this.
Our industry was attempted to be shaken down by hacks filing frivolous lawsuits against single owners.
Can we get technical details here? What JavaScript is being injected? What destinations are they adding?

Edit: I missed it: https://rietta.com/blog/comcast-insecure-injection/injection...

Javascript is in the blog post
how was it being injected? was it all pages http? could it be a plugin you have? did you try multiple browsers?
On a broader level this is why the FCC is IMHO wrong in not considering broadband a telecommunication service. As ISPs inject their content (including advertising) into third party content, they essentially take over said content. E.g., if someone requests access to my content via their service, besides any corruption of functionality, artistic work and even intended meaning, any revenue generated by this is directly drawn from my content without license. From my perspective as a potential content provider, this is clearly a violation. It may be even a violation of existing contracts, e.g., if there's a no third parties clause involved in an existing advertising contract the content provider has agreed to.
From which quite naturally follows, if broadband providers in the US consider themselves content services rather than telecommunication services, they have to acquire licenses for the content they provide, as well. (Xfinity, may have your billing address?)
As a content provider this is why you need HTTPS, and it's why you should ensure you certificate is in the transparency logs, and that your site requires CT entries.
However, this is more like "better have a lock so that thieves have a harder time breaking the door". If the US are making IP violations legal, they put themselves in danger to be treated like other countries who are considered notoriously ignoring IP as part of their overall business model.
True..

The sad thing is that with many kinds of cybercrime, it's easier to fix the security vulnerability, than it is to track down the criminals and make them stop :)

In this case, the vulnerability is using HTTP, not HTTPS.

Still, if we do not take care of bad actors, bad actors are what we get (and probably what we deserve).

Edit: Also, what stops those ISPs from impersonating the requested host by means of their own root certificate, just like antivirus software does it?

Then my browser would throw a certificate warning unless I added my ISPs root cert.
As pointed out by another comment already, "you" maybe as well the ISP's installer software.
Well, HTTPS could still be man-in-the-middled, right? I am not really informed, but I would not be surprised if some ISPs are even recognized as certificate authorities.
MITMing TLS requires either (1) a falsely issued certificate, which would be "a big deal" when (not if) found and would lead to the issuer losing their status as accepted in browsers, or (2) the user to install a certificate generated by the person doing the MITM, this is often done in corporate environments.
Are we sure that there won't be an exception installed to this in favor of broadband providers, considering the paths already taken?

Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.

Your browser and OS quickly delist any certificate found to have forged a certificate for a website they don't own. They're unapologetic about it too - and don't care who they piss off.
However, browsers have played along with US legislation previously. (E.g., when long key encryption was restricted to US versions only.) I'm not sure, if Mozilla would be playing along nowadays, but you can't be too sure, either. Moreover, you could consider certificates installed by antivirus software as some kind of prior art to this. (While considered a security risk, at least by some, they are not delisted.)
Antivirus ones generate the root certificate on your machine.
As may do installer software shipped by the ISP (mandatory or incentivized by cloud storage, etc.)
> or (2) the user to install a certificate generated by the person doing the MITM

You mean like that "setup software" Comcast spent ages trying to pretend I had to install just to get things running?

I ran Linux in those days, which always meant a little extra support time but I never had to install jack.

That's quite possible, but many apps and browsers pin certificates and this would probably be reported quickly?
https://chromium.googlesource.com/chromium/src/+/master/docs...

> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.

Encrypt all the things.
Why not get a $5/mo VPS and use VPN?
I'm paying plenty for internet. It's simple really, transmit my packet from point a to point b. Don't mutate it.
Doing this doesn't change the fact that comcast is messing with http packets.
This is a valid work around for an invalid problem.

If your ISP is tampering with packets, that is the anti-pattern that needs to be remediated ASAP.

In my opinion, the only packet change behavior that an ISP should be involved in is adhering to QoS headers. 0x08, it's bulk. 0x04 reliability, 0x10 low latency. And if they want to charge me more for 0x04, that is fine if it's clearly spelled out in the contract.

How is the problem invalid? I mean, seriously - those guys spend a lot of money greasing the wheels of your local town council, and they gotta' put food on their plates like everybuddy else.
The problem is invalid, because it is not a "problem". It is an "incident". Specifically a security incident that needs remediation.
One of the problems with this is the same as any other bad behaviours companies often do that are indistinguishable from an attack, such as asking for your PIN on the phone, or sending account-related e-mails with links: They condition the user to expect this is "legitimate".

As the article points out, an attacker could do something on an unrelated web server that injects this same notice (using the same code [1] as a basis), with a link that says something like "Extend your limit for free by 1GB", which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account credentials. Because the link was presented using the familiar UI, it could easily trick someone and it would be nearly impossible for most users to realize it's not legitimately Xfinity.

[1] https://rietta.com/blog/comcast-insecure-injection/injection...

Can someone tell me for sure if XFinity is managing to inject this in Https pages? And, if they are, how are they doing it?
I'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing. I finally really noticed it one day so I did some searching at the time and found out Shaw has an option in their account page(enabled by default),

I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites. There was no description of this option in the account settings, they were buried 3 or 4 layers deep, there was no mention of this 'feature' from any of Shaw's customer service people, the only way I discovered this was through some random forum conversation I found.

There was also people mentioning (this never happened to me)that despite switching the option off, they would find it turned back on again a day or two later and have to repeat the process. I have no idea if this is still the case, this would have been quite a while ago now, but I was pretty unimpressed when I figured it out and realized what was going on.

IMHO getting redirected would be WIDELY more acceptable than injecting content.
I mean I suppose, but even that seems wildly inappropriate.
I agree, but I still think it's "better"
> 'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing.
I'm not sure if I described it clearly, with this mode on, all of your traffic was being redirected to a Shaw server before being routed to where it was supposed to go. It was like being connected to a vpn that existed solely to serve me ads. They were blocking ads on websites and replacing them with their own from their servers, I would get popup ads from them that were not being stopped by adblock, every misspelled or dead URL would take me to their landing page full of ads for their services. Not only were they interfering with my traffic, but they were interfering with the monetization of website. As much as I dislike ads, I'd rather the site owners get the ad revenue for my browsing than a company I'm already paying for internet.
How do you redirect without injecting content?
I am currently trying to find this feature you mentioned. Are you still a Shaw customer able to look again to where exactly in the account it is because I can not find it or mention of it online? Thanks
I've been a Shaw customer for more than three or four years and have never seen (or heard of) anything like this.

I have a feeling, if this ever happened, it was closer to a decade ago.

> I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites.

Stuff like this makes me wish it were a criminal offense to dishonestly describe a feature as an "enhancement" or "improvement" when 9/10 users would not see it that way.

States should ban data caps. That's the only way to deal with those ISP crooks.
This is orthogonal to data caps. We could debate separately if people should be allowed to have contracts with those limits, but the actual problem here is that the ISP is modifying the traffic I requested before they deliver it. In this case it was for data cap notices, but next time it might be for ads or malware or anything else they want to inject.
Disagree. Paying per byte is a critical part of making people realize they are part of botnets and to create the only incentives that have a shot at working naturally like pressure against poorly secured smart devices. Unlimited bandwidth just forces everyone behind Cloudflare and breaks the internet.
Oh so if I use a gig, I only pay for a gig? That doesn’t sound like a date cap, that sounds like a going rate for data. They still charge you for all the data you never consumed, which makes no sense as a transaction.
Pay per byte is a fleecing scheme, nothing more. You already pay more for more bandwidth. ISPs get more than enough doing that without any monthly data caps.
And if there is a data cap, it should be proportionate to the data bw plan I am paying for. I had a 100mb/s plan with a 1TB cap. I moved to a 400mb/s plan and I still have a 1TB cap. So I can burst faster, but my overall usage is expected to stay the same.

That said, I do most of my downloading on VPS provider, then what I finally want to keep, I compress and pull it down over my VPN. This still doesn't help for things like streaming movies, game updates, etc...

Cox does this as well. I was recently staying a hotel and they were doing something similar prompting me to rate my experience. I started thinking about standards to make this kind of thing impossible... Ultimately TLS solves this issue. We should be bullish on making TLS standard.
TLS is pretty much standard. Unless you mean in some other way I am not paying attention to.
I agree it is "pretty much standard" but the ISPs and other network providers are not doing this with TLS traffic. They are only injecting the scripts in HTTP requests without TLS, at least in my experience.
Cox is absolutely MITM this too. HTTP/HTTPS it doesn’t matter. Terminate the tunnel, forge a cert and QED.