> They injected 581 lines of JavaScript code, resulting in a total of 48.5kb data resulting in additional data towards my data cap, as well as my page becoming interactive ~250ms slower. This means that even though my internet is faster than before, my computer performs worse when utilizing Xfinity internet.
I get the complaints, it sucks, it degrades the internet experience. But come on. This is the most contrived complaint I can think of. You get at least, what, 40GB of data a month? Please tell me about how using 0.0000048% of your data cap is affecting you. You used more data writing this blog post than that javascript code would use in 10 years.
It sucks, but stop contriving bullshit about it. It's not that bad, it's just ugly and intrusive. Take your stand on that hill, not this one.
Pretty sure the Xfinity data cap is 1TB. I just checked, and I've used just over 1.3TB this month (yay streaming TV), no notice, no MTM, maybe I'm .... lucky?
Update: I used 1.6TB the month prior - also no notices. Maybe it's because I have Xfinity at my office too? No idea why they aren't harassing me.
I believe they give you 2 months of going over before they start charging you as a 'warning' that you're over the data limit. Not sure if they warn you if you go over in those two months or not.
Egad. If you see my updated comment I went well over last month (1.6TB), and now this month as well. We'll see what they say. Like most people, Xfinity is my only high speed Internet option.
I looked back, and over the summer I used well over 1TB for several months. Not a peep from Comcast. I'm going to shut up now, before Murphy's law applies.
The injections where particularly annoying for me because I was planning on getting the capped removed, but wanted to use those two months before doing so. I started getting those warnings about 2-3 weeks in for both months.
i wonder if the data cap is just at the router level or if they charge you for whenever you use any of the other xfinity hotspots that they set up on their customers' routers.
In my experience, they do warn you during the 2 months where the overage fee is warned. The injected message might be slightly different to indicate that it is one of your 2 months where the fee is waived.
AFAIK, if you have a plan that comes with the Xfinity router, you don't have a data cap. Otherwise, you need to pay for unlimited data (which is pretty hard to explain to the call center people who really want to sell you cable and/or a landline).
If you've gone over before, they will charge you $10/50GB of additional data, capping at $200 more a month.
You can pay them an extra $50/mo to remove the data cap.
This is coming from someone who unknowingly got a $200 bill one month because of Comcast.
I left them and don't regret a second of it. Terrible customer service all around, and just an evil company from the top down, especially after having read Farrow's recent book Catch and Kill.
When I moved to Daly City my options were either Comcast or DSL. I picked DSL (w/ Sonic), at significantly slower speeds. Sonic's DSL is just resold AT&T DSL, which I also hate, but I hate Comcast more.
If my only options were Comcast or dial-up, I'd probably still pick dial-up.
I would love to see the news story about Comcast having fewer remaining subscribers than the DSL provider...
still wouldn't make them change their practices, I believe they are too far corrupted to ever 'heal', but it would be hilarious if they gave up serving an area because it wasn't economically viable anymore.
Also, the cap is still 1 TB even if you're paying them $127/mo for the 1000 Mbps service, so you may as well just consider that +$50 an extra hidden fee for anything over 250 or 500 Mbps, assuming you're actually using it.
The argument is weak, but it's also desperate. These days trying to influence companies often comes down to some argument based on objective costs. "You are modifying my content against my wishes and adding latency to my Internet browsing experience" isn't objective.
Personally I think it is morally wrong, and it also is definitely impacting a person's Internet experience. 1/4 of a second is an eternity if you're sensitive to latency. So yeah it is "that bad", it is ugly, it is intrusive, and it speaks volumes about Comcast.
> The way this code was implemented, the code blocks the page from loading for 250ms, resulting in a much slower internet experience.
Of all the things to complain about that load on almost every web page you visit this seems like the least of your worries.
I agree this is in poor taste, pretty annoying, and could be leveraged to dupe unsuspecting people into coughing up their Xfinity credentials, but complaining about it slowing down page load is like complaining about the heat in hell.
That’s what I’m saying! I must have really hit a sour nerve, my comment was apparently so bad that it got flagged and my post history was torn through to add tons of downvotes.
I'm curious about this as well. When I worked on content-based billing in Canada years ago, we zero-rated content that was served by us, so it wouldn't contribute towards data usage. That was a different time though and likely a different implementation.
So much of the tone of this article is vaguely alarmist, which is a little annoying... seeing as the issue described is already extremely alarming
It didn't need the theatrics and intentionally misleading garnishments (like quoting Comcast's own RFC that's describing their own recommended behavior for themselves, then pointing out you can phish people, and then awkwardly trying to glue those tangential points together)
The bad behavior is bad enough that it'd stand on it's own, and if it instead focused on things like accessibility up front, it'd be much stronger of an article (and people would be more likely to read it all the way through)
doesnt fort collins have municipal internet now? reading here: https://www.fcgov.com/connexion/ i guess i didnt realize all of fort collins wasnt yet covered.
Even if that is a case for this specific user, that doesn't really resolve the underlying uses that is also affecting spaces that have a regional monopoly (e.g. me).
EDIT: I understand that's not your point. And I whole heartedly support people leaving and supporting municipal ISP.
i understand your perspective. i live in denver and xfinity and whatever comcast lets centurylink have are my choices. i was initially reacting to the sentence in the post that mentioned that xfinity was the only available option and that struck me as wrong. i did a bit of research before firing off a post and discovered that my thought was incorrect and based off of incomplete information, but i left it there in case anyone else was under the same impression as me.
That's interesting. Can someone elaborate on this? My understanding is once the session is established, that's it. just encrypted traffic. How to inject something into ecrypted traffic?
Of course, to distinguish HTTP traffic from non-HTTP traffic and to intelligently insert the code snippet only where it won't disrupt e.g. API call response or a file download, some basic level of DPI is required.
The attacker needs to generate a new cert that the client trusts. This is easy on a corporate network where you can force users to trust a private CA. Unlikely to happen with a US ISP, but possible if someone hacks the CA (eg DigiNotar) or the CA hands out unconstrained certificates to someone who acts badly (eg CNNIC).
Speaking of which, is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
Mozilla and Microsoft publish their lists. Chrome uses the OS's root store. I've seen other open source software use Mozilla's list, but I've never seen a list of what software does that.
Only if the victim trusts the attacker's certs, right?
That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).
> That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).
The moment that was discovered, the CA would stop being a trusted CA.
There's a lot more appetite these days for enforcing requirements on CAs, ever since CT started going down the road towards mandatory, and ever since misbehaving CAs started getting forced to implement it immediately. Intentionally MITMing TLS on the broader Internet the way this thread is talking about would be a fairly quick death sentence.
Also, given the existence of Let's Encrypt, there's much less reason to be using a paid CA, and planned migration to a new CA provider isn't too much to ask. There'd likely be some work within browsers to provide clear error messages, and sites would need some amount of time to migrate, but I think we're talking days-to-weeks before there's a warning banner on the sites and months at most before the CA is dead.
Mozilla would kick Comcast out of the root CA list pretty fast.
Finally, there is certificate transparency logs, you can set CT headers on your site to require the certificate to be in CT logs.
Then you can monitor if anyone's creates certificates for your domain. And updated clients can validate that certificates is in the CT logs.
HTTPS is pretty robust these days. There's still a few corner cases around SNI, but that only leaks what host your visiting, wouldn't allow injection -- and specs are slowly closing those holes too.
Is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
Only if you have a cert that the browser trusts for that domain. If a CA was found to be illicitly minting certs, browsers and operating systems would untrust them. All their certs would stop working. Their business would be ruined.
Technically, yes, but the only way I know possible is having direct access to the target device to force it to trust fake certs, and is usually used to unwrap encrypted traffic being sent from applications on your own devices. I don't know of a way for the ISP to do this, unless they conspire with a certificate authority. I'd like think this isn't happening.
Further incentivizing the use of HTTPS everywhere, imo. It's such a cheap standard now. Correct me if I'm wrong, but I don't see any good reasons for a site to be running HTTP any longer, other than laziness.
I'll give it a shot. If you put up your site behind HTTPS you are breaking the web for older web clients. Many sites have already deprecated TLS v1.1 so even 10 year old devices may no longer be able to access the web. HTTPS is great but it has a cost.
> even 10 year old devices may no longer be able to access the web
I think you mean 10 year old software, which is a much smaller bucket than 10 year old devices. And if you're browsing the web with 10 year old software, you have much bigger problems including but not limited to committing security-suicide.
Well the TLS change breaks software (FF 26) (2015) and affects android versions <= 19 (2014). Kind of a bummer if you have old smartphone. But I agree, it's a tiny bucket and it's best to upgrade when you can.
I found some old Macs belonging to a non-profit to be apparently useless (for their purposes) because you couldn't upgrade the system software enough to let a browser operate properly with secure sites. Sure, there's Linux, but they appeared to be useless as Macs.
>but you'd have to get a pretty nice VPN to not impact your experience by 250ms/req.
Eh? I was thinking the opposite, that's such a ludicrous latency overhead that it would be trivial to go to any VPS provider even sort of nearby and spin up a $5 instance with Algo. The only concern normally for some of them is the super cheap simple managed instances often have data caps too (though some provides are bandwidth limits only), but in this use case even that doesn't matter because the limits are still higher than Comcast's regardless. There are datacenters in Denver, but even if you had to go all the way to SF and it's a worst case adding 1800 miles RTT that should still only be around 10-14ms or so right? The article seems a little silly to go on so much about a few kb of data out of tens of gigabytes or a TB or whatever Comcast's caps are, but 250ms is wild, even without all the other breakage.
Although I've always heard that if you're ever forced to go Comcast, the average HN type would be best off seeking a Comcast Business connection that has actual support and customers that use the internet fully.
Agreed. I used to run all my traffic through a VPN I ran, and found that the average latency was lower than routing it to the default gateway.
This was possible because my server was well connected and very low latency talking to Comcast, and also very low latency talking to the rest of the Internet via Level-3, Time Warner, QWest and InterNAP. Where directly routed traffic would run over the Comcast network most of the way across the country.
One problem with this approach is many streaming content providers identify known VPN egress points, consider them methods for subverting region-restrictions, and thus won't serve ANY data to you. Netflix does this w/ PIA (and probably others) for instance.
Does changing your DNS modify this behavior? I had some similar issues with Cox in DC, and switching to run everything through 8.8.8.8 resolved the issues. It also resolved a problem with CenturyLink in Seattle where for whatever reason I couldn't speedtest through fast.com.
Nope, they physically open your packets, change the content of the HTML, and send the packets along the way.
Even if you access the IP directly, it still injects code via MITM attack.
I saw the MITM injection from Comcast exactly once and it served as a reminder to go and change the DNS settings on my routers. Never seen the injection since, and I've been on Comcast for years.
Maybe you're right and me not seeing injections could be explained that a lot more traffic goes through SSL/TLS by default, or I'm just not getting close to my monthly quotas any more.
I used to live in Fort Collins and I was _floored_ the first time that an xfinity data limit popup appeared on a random website. Colorado needs a better provider.
I have GB fiber from CenturyLink for $85 until the city broadband, the city has had FTTH for at least 10 years or so, so anything new this should be doable.
Where in Fort Collins have they deployed FTTH, and when? I know FRII deployed some fiber, but based on some conversations I had with them they had largely abandoned it because of the burden of doing fiber locates. I don't know of anyone who has FTTH. The best my house lists on the Century Link site is 40Mbps. But, the city ran their conduit by my house 2 weeks ago, so hopefully we have fiber by the end of the year...
Oddly when I first moved in they said also 40Mbps, then 200, then finally GB. I think they were upgrading the upstream equipment because I had fiber the whole time. I don't know how to find out other than calling, although they do send mailings to our street as well.
I just got this as well. I’m appalled at the complete lack of thought put into this. I’ve had numerous emails & push notifications telling me I’m over my data cap; I don’t need injected content into my page in addition.
First time I saw one of these 4 years ago was when it popped into a Steam sale advertising window. Really creeped me out. A sure sign Comcast is pretty much 100% infected with Bovine Spongiform Encephelopathy. Still they offer Internet that is 10 times faster than the competition. Ah, the tyranny of the last mile. I went with Comcast Business, and they don't have data caps...
I have Xfinity and they’ve done this to me. It only happened to my wife when she was browsing. My data Cap has hit 90% this month but I haven’t seen the message. 4K Netflix is no joke and can easily make me hit 1TB.
Safari is my main browser and I recently stopped using Chrome. I believe my wife uses Chrome. Maybe this doesn’t work on Safari?
One of the things I tried really hard to do is make the HTML _really_ clean for things like this.
Is reader mode "really good" or do you think it loads very nicely because of the work we put in to make the HTML nice?
I think it's a mix of both. Honestly I vastly prefer Reader mode's presentation than any other layout, and especially any layout which changes if I interact with it (resize window, move mouse, click mouse button, press key, send window to background, whatever).
I have seen some sites that completely break when using Reader mode. I have seen sites that are very well done in Reader mode complete even with pictures.
I'm intrigued by why you created a one off account just to post this. To address something that stuck in my craw though -
"Big govt bureacracy is terrible, but a private one (etc)"
You're implying big government bureaucracy is the only option here. How about, you know, regulating internet as a utility? The thing we've been wanting since forever? Unless there's actively a shortage of water or power, I can get those and use them as I feel like, paying extremely low fees. I don't care if my internet is pay for use, provided it's priced close to the actual cost.
> This attack entirely breaks tab ordering, deeming the internet unusable for people requiring software assistance to provide accessibility to the World Wide Web. Additionally, the “escape” key, which is often used to close dialogs, doesn’t close the Xfinity notice.
A few weeks (months?) back there was an article about ongoing litigation on if websites are required to have accessibility compliance under the ADA act. I would be very happy to see Xfinity sued for this practice under that precedent and hopefully any injection would be considered a violation.
The litigation is over. The Supreme Court declined to hear the case a few weeks ago. The "Petition DENIED" at the bottom of that status page is referring to the petition for cert.
The Supreme Court declined to overturn the Ninth Circuit, because there was no circuit split or other issue of such urgency to require the Supreme Court to weigh in.
The US Court of Appeals for the Ninth Circuit ruled (somewhat) in favor of the plaintiffs, and remanded the matter to the district court having reversed the lower court on some questions of law.
I think it is still a live controversy in the district court, but it seems likely that the plaintiffs will win on the merits or obtain a settlement.
You wrote "That is inaccurate", but you didn't cite a single inaccuracy in the gp comment. You wrote some other sentences, but they don't appear to contradict anything gp wrote.
The GP claimed litigation was over. The parent claims it isn't over. Oftentimes higher courts decide a specific question pertaining to a case, not the whole case. Just because a higher court clarifies something doesn't mean litigation is over - it means the lower courts can continue with that point now clarified and/or corrected.
The litigation is on going. The Supreme Court declined to hear the petition to essentially throw the case out, in effect paving the way for trial between the plantiff and Dominoes.
Only tangentially related, but how is the ADA act looked upon by Americans? The only time I've heard about it as an European was when Stanford (?) was forced by litigation to take entire swathes of free online education offline because it didn't have subtitles. I'm all for making the web more accessible but it really soured me on the notion of such acts and if they are the best way to enforce said accessibility.
All tools can be used for good or ill. The ADA has made the US a whole lot more accessible for many folks from wheelchair ramps everywhere to disability accommodations at fun parks.
Most everyday Americans probably know very little about its particulars, though they all know the name. Business owners, especially small business owners, are well aware of its abuse on several fronts, from labeling pets as "emotional support" (fortunately this has been clearly rejected by statute, but people try it anyway), to suing business owners because their wheelchair ramps are the wrong angle, to examples such as the one you mention (which to me was a violation of free speech as well).
I am all for web accessibility, and I think companies and developers should consider it a priority, but I do not think a law like the ADA is a good fit for this issue. The parts of the ADA that are good are the prohibition on actively discriminating against people with disabilities and requiring reasonable changes in policies. Requiring buildings to be rebuilt and taking down websites are excessive infringements on freedom and would best be addressed by the free market.
It would be one of many possible features firms could compete on. Developing more accessible apps would result in an increased userbase leading to greater revenue (and potentially take you from a perfect competition to monopolistic competition secnario, reducing the elasticity of demand for your product, allowing you to raise the price).
> Developing more accessible apps would result in an increased userbase leading to greater revenue
Only if the marginal cost of developing them is less than the revenue attained by developing them, which is also limited by the amount of funds that disabled people have.
Disabled people existed before ADA, and the reason ADA was popular was because it didn’t make business sense to serve the disabled population. There’s no way construction costs of ADA accessible features of a building will ever be recouped by sales to disabled people needing it.
A free market solution would require the government to give sufficient cash to disabled people, enough to make businesses want to compete for them. But that is also wrought with possibilities for corruption.
My HOA was sued for some slightly uneven sidewalks and the fact that some people had parked cars that jutted out of their driveways. Plaintiff doesn't live here, has pretty much made a living by such lawsuits. So while I agree with the tenets of the ADA, it's just one more example of how legislated morality will be abused by a small percentage for their own gain. If it were repealed tomorrow I would shrug.
Just because someone is entering a seemingly frivolous lawsuit, is it fair that the HOAs sidewalks are inaccessible in general? I feel like it feels wrong because someone is profiting on it but society is more equitable as a result and I don't feel that is an abuse of the legislation.
In fact, if profit drives more people to fight for what's right, then it becomes easier to make the world a better place.
Profit is just one form of incentive that we can align for increasing compliance with directives with a positive social benefit. All incentives are abusable if you design them incorrectly, so I see no reason to vilify profit over other kinds of incentives.
This is very convenient and self serving logic. Everything will be abused by a small percentage for their own gain. Dismissing the entire ADA because of a few anecdotal examples that were irritating to _you_ is completely nuts when weighed against the massive improvement in quality of life the ADA has created for the millions of disabled Americans.
When you say you'd shrug what you are really saying is that you care about your HOA and don't give a crap about people with disabilities. If you did care you'd be proposing ways to close loopholes like the one Plaintiff was exploiting.
I hear plenty of stories like this out of California. Their enforcement of the ADA is somewhat unique. Instead of having inspections and compliance officers, any wronged party can file a claim and receive ~$4k in compensation. There are plenty of people who make a considerable amount of money as 'freelance' code enforcement.
My issue with this system is the animosity it causes. Panzagl had one interaction with this method and it was enough for them to be ambivalent about the ADA.
A friend of mine does public outreach for an organization for the blind in Seattle, and 99% of ADA non-compliance that they see stems from ignorance and is solved by education.
I used to live in a neighborhood that frequently had un-shoveled/un-salted sidewalks and cars parked across the sidewalk. As someone who walks a dog, it's fucking obnoxious to have to wander around in two feet of snow because someone didn't want to park on the street, or slip and fall on an unsafe sidewalk.
The disabled aren't the only people who care. Take care of your sidewalk, it's your legal fucking responsibility.
I believe this happened at UC Berkeley as well. For what it's worth, neither institution was 'forced' to remove the content. They were obligated to offer the content equally to all users and they chose to not do so because it cost money to create accessible content. While I feel it's unfortunate access to information was lost, I respect and still stand behind the sentiment of the law. Just because you're doing something 'good' doesn't mean you can ignore access needs of protected classes. Especially considering these are institutions with billions of dollars of endowment, funding, and tuition, I'm certainly on the side of the those with disability.
> ...I'm certainly on the side of the those with disability.
In your mind, is it possible to be on the side of those with the disability and yet still against the ADA?
Put another way, given the two concrete examples mentioned (UCB and Stanford) did actual people with actual disabilities gain greater access to the content that was taken offline (in order to comply with the ADA)? Lots of laws have good intentions and bad effects. I think we should judge them by their effects, not their intentions.
If ADA compliant content requires more resources to produce, allowing something to remain in violation because it’s free seems like a great way to price ADA compliant content out of existence.
That said, perhaps an improvement to the ADA would be budget to help producers of free content to become ADA compliant.
In America, due to a distrust of bureaucracy and the fact that enforcement or lack thereof can be up to the willpower of the executive, establishing liability via the judicial system is an effective enforcing mechanism.
Absent liability, the other alternatives are some sort of executive branch enforcer (which does things to the whim of the executive) or some kind of onerous licensing/certification scheme (e.g. doctors), and both are IMO worse outcomes.
On a broader level this is why the FCC is IMHO wrong in not considering broadband a telecommunication service. As ISPs inject their content (including advertising) into third party content, they essentially take over said content. E.g., if someone requests access to my content via their service, besides any corruption of functionality, artistic work and even intended meaning, any revenue generated by this is directly drawn from my content without license. From my perspective as a potential content provider, this is clearly a violation. It may be even a violation of existing contracts, e.g., if there's a no third parties clause involved in an existing advertising contract the content provider has agreed to.
From which quite naturally follows, if broadband providers in the US consider themselves content services rather than telecommunication services, they have to acquire licenses for the content they provide, as well. (Xfinity, may have your billing address?)
As a content provider this is why you need HTTPS, and it's why you should ensure you certificate is in the transparency logs, and that your site requires CT entries.
However, this is more like "better have a lock so that thieves have a harder time breaking the door". If the US are making IP violations legal, they put themselves in danger to be treated like other countries who are considered notoriously ignoring IP as part of their overall business model.
The sad thing is that with many kinds of cybercrime, it's easier to fix the security vulnerability, than it is to track down the criminals and make them stop :)
In this case, the vulnerability is using HTTP, not HTTPS.
Well, HTTPS could still be man-in-the-middled, right? I am not really informed, but I would not be surprised if some ISPs are even recognized as certificate authorities.
MITMing TLS requires either (1) a falsely issued certificate, which would be "a big deal" when (not if) found and would lead to the issuer losing their status as accepted in browsers, or (2) the user to install a certificate generated by the person doing the MITM, this is often done in corporate environments.
Are we sure that there won't be an exception installed to this in favor of broadband providers, considering the paths already taken?
Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.
Your browser and OS quickly delist any certificate found to have forged a certificate for a website they don't own. They're unapologetic about it too - and don't care who they piss off.
However, browsers have played along with US legislation previously. (E.g., when long key encryption was restricted to US versions only.) I'm not sure, if Mozilla would be playing along nowadays, but you can't be too sure, either. Moreover, you could consider certificates installed by antivirus software as some kind of prior art to this. (While considered a security risk, at least by some, they are not delisted.)
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
This is a valid work around for an invalid problem.
If your ISP is tampering with packets, that is the anti-pattern that needs to be remediated ASAP.
In my opinion, the only packet change behavior that an ISP should be involved in is adhering to QoS headers. 0x08, it's bulk. 0x04 reliability, 0x10 low latency. And if they want to charge me more for 0x04, that is fine if it's clearly spelled out in the contract.
How is the problem invalid? I mean, seriously - those guys spend a lot of money greasing the wheels of your local town council, and they gotta' put food on their plates like everybuddy else.
One of the problems with this is the same as any other bad behaviours companies often do that are indistinguishable from an attack, such as asking for your PIN on the phone, or sending account-related e-mails with links: They condition the user to expect this is "legitimate".
As the article points out, an attacker could do something on an unrelated web server that injects this same notice (using the same code [1] as a basis), with a link that says something like "Extend your limit for free by 1GB", which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account credentials. Because the link was presented using the familiar UI, it could easily trick someone and it would be nearly impossible for most users to realize it's not legitimately Xfinity.
I'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing. I finally really noticed it one day so I did some searching at the time and found out Shaw has an option in their account page(enabled by default),
I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites. There was no description of this option in the account settings, they were buried 3 or 4 layers deep, there was no mention of this 'feature' from any of Shaw's customer service people, the only way I discovered this was through some random forum conversation I found.
There was also people mentioning (this never happened to me)that despite switching the option off, they would find it turned back on again a day or two later and have to repeat the process. I have no idea if this is still the case, this would have been quite a while ago now, but I was pretty unimpressed when I figured it out and realized what was going on.
> 'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing.
I'm not sure if I described it clearly, with this mode on, all of your traffic was being redirected to a Shaw server before being routed to where it was supposed to go. It was like being connected to a vpn that existed solely to serve me ads. They were blocking ads on websites and replacing them with their own from their servers, I would get popup ads from them that were not being stopped by adblock, every misspelled or dead URL would take me to their landing page full of ads for their services. Not only were they interfering with my traffic, but they were interfering with the monetization of website. As much as I dislike ads, I'd rather the site owners get the ad revenue for my browsing than a company I'm already paying for internet.
I am currently trying to find this feature you mentioned. Are you still a Shaw customer able to look again to where exactly in the account it is because I can not find it or mention of it online? Thanks
> I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites.
Stuff like this makes me wish it were a criminal offense to dishonestly describe a feature as an "enhancement" or "improvement" when 9/10 users would not see it that way.
This is orthogonal to data caps. We could debate separately if people should be allowed to have contracts with those limits, but the actual problem here is that the ISP is modifying the traffic I requested before they deliver it. In this case it was for data cap notices, but next time it might be for ads or malware or anything else they want to inject.
Disagree. Paying per byte is a critical part of making people realize they are part of botnets and to create the only incentives that have a shot at working naturally like pressure against poorly secured smart devices. Unlimited bandwidth just forces everyone behind Cloudflare and breaks the internet.
Oh so if I use a gig, I only pay for a gig? That doesn’t sound like a date cap, that sounds like a going rate for data. They still charge you for all the data you never consumed, which makes no sense as a transaction.
Pay per byte is a fleecing scheme, nothing more. You already pay more for more bandwidth. ISPs get more than enough doing that without any monthly data caps.
And if there is a data cap, it should be proportionate to the data bw plan I am paying for. I had a 100mb/s plan with a 1TB cap. I moved to a 400mb/s plan and I still have a 1TB cap. So I can burst faster, but my overall usage is expected to stay the same.
That said, I do most of my downloading on VPS provider, then what I finally want to keep, I compress and pull it down over my VPN. This still doesn't help for things like streaming movies, game updates, etc...
Cox does this as well. I was recently staying a hotel and they were doing something similar prompting me to rate my experience. I started thinking about standards to make this kind of thing impossible... Ultimately TLS solves this issue. We should be bullish on making TLS standard.
I agree it is "pretty much standard" but the ISPs and other network providers are not doing this with TLS traffic. They are only injecting the scripts in HTTP requests without TLS, at least in my experience.
303 comments
[ 4.3 ms ] story [ 294 ms ] threadhttps://web.archive.org/web/20191029172726/https://rietta.co...
I get the complaints, it sucks, it degrades the internet experience. But come on. This is the most contrived complaint I can think of. You get at least, what, 40GB of data a month? Please tell me about how using 0.0000048% of your data cap is affecting you. You used more data writing this blog post than that javascript code would use in 10 years.
It sucks, but stop contriving bullshit about it. It's not that bad, it's just ugly and intrusive. Take your stand on that hill, not this one.
Update: I used 1.6TB the month prior - also no notices. Maybe it's because I have Xfinity at my office too? No idea why they aren't harassing me.
https://dataplan.xfinity.com/faq/
You can pay them an extra $50/mo to remove the data cap.
This is coming from someone who unknowingly got a $200 bill one month because of Comcast.
I left them and don't regret a second of it. Terrible customer service all around, and just an evil company from the top down, especially after having read Farrow's recent book Catch and Kill.
If my only options were Comcast or dial-up, I'd probably still pick dial-up.
still wouldn't make them change their practices, I believe they are too far corrupted to ever 'heal', but it would be hilarious if they gave up serving an area because it wasn't economically viable anymore.
Also, it's just plain wrong to charge me for what I didn't ask for.
Personally I think it is morally wrong, and it also is definitely impacting a person's Internet experience. 1/4 of a second is an eternity if you're sensitive to latency. So yeah it is "that bad", it is ugly, it is intrusive, and it speaks volumes about Comcast.
> The way this code was implemented, the code blocks the page from loading for 250ms, resulting in a much slower internet experience.
Of all the things to complain about that load on almost every web page you visit this seems like the least of your worries.
I agree this is in poor taste, pretty annoying, and could be leveraged to dupe unsuspecting people into coughing up their Xfinity credentials, but complaining about it slowing down page load is like complaining about the heat in hell.
It didn't need the theatrics and intentionally misleading garnishments (like quoting Comcast's own RFC that's describing their own recommended behavior for themselves, then pointing out you can phish people, and then awkwardly trying to glue those tangential points together)
The bad behavior is bad enough that it'd stand on it's own, and if it instead focused on things like accessibility up front, it'd be much stronger of an article (and people would be more likely to read it all the way through)
EDIT: I understand that's not your point. And I whole heartedly support people leaving and supporting municipal ISP.
Not saying Comcast definitely doesn't use it; rather, that it'd be hilarious to see Comcast lie to everyone's faces yet again.
https://wiki.mozilla.org/CA/Included_Certificates https://docs.microsoft.com/en-us/security/trusted-root/parti...
Good luck :)
This is why TLS1.3 and HSTS exists.
That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).
The moment that was discovered, the CA would stop being a trusted CA.
Also, given the existence of Let's Encrypt, there's much less reason to be using a paid CA, and planned migration to a new CA provider isn't too much to ask. There'd likely be some work within browsers to provide clear error messages, and sites would need some amount of time to migrate, but I think we're talking days-to-weeks before there's a warning banner on the sites and months at most before the CA is dead.
Finally, there is certificate transparency logs, you can set CT headers on your site to require the certificate to be in CT logs. Then you can monitor if anyone's creates certificates for your domain. And updated clients can validate that certificates is in the CT logs.
HTTPS is pretty robust these days. There's still a few corner cases around SNI, but that only leaks what host your visiting, wouldn't allow injection -- and specs are slowly closing those holes too.
But really, if you don't trust what installed on your machine it's game over.
I think you mean 10 year old software, which is a much smaller bucket than 10 year old devices. And if you're browsing the web with 10 year old software, you have much bigger problems including but not limited to committing security-suicide.
Eh? I was thinking the opposite, that's such a ludicrous latency overhead that it would be trivial to go to any VPS provider even sort of nearby and spin up a $5 instance with Algo. The only concern normally for some of them is the super cheap simple managed instances often have data caps too (though some provides are bandwidth limits only), but in this use case even that doesn't matter because the limits are still higher than Comcast's regardless. There are datacenters in Denver, but even if you had to go all the way to SF and it's a worst case adding 1800 miles RTT that should still only be around 10-14ms or so right? The article seems a little silly to go on so much about a few kb of data out of tens of gigabytes or a TB or whatever Comcast's caps are, but 250ms is wild, even without all the other breakage.
Although I've always heard that if you're ever forced to go Comcast, the average HN type would be best off seeking a Comcast Business connection that has actual support and customers that use the internet fully.
This was possible because my server was well connected and very low latency talking to Comcast, and also very low latency talking to the rest of the Internet via Level-3, Time Warner, QWest and InterNAP. Where directly routed traffic would run over the Comcast network most of the way across the country.
[1] https://bgp.he.net/AS2906#_prefixes
It's kind of insane that they get away with charging customers $10-15/month for the privilege of a router without any privileges.
It is another reason they're flagrantly against encrypting DNS and attempting to get laws passed against it.
Those are the ways I want to be contacted.
Have you contacted them to warn them that Xfinity is injecting JS into their site, and asked them to implement HTTPS+HSTS to protect against that?
Safari is my main browser and I recently stopped using Chrome. I believe my wife uses Chrome. Maybe this doesn’t work on Safari?
Never mind. Sorry for the noise.
about:reader?url=https://rietta.com/blog/comcast-insecure-injection/
I have seen some sites that completely break when using Reader mode. I have seen sites that are very well done in Reader mode complete even with pictures.
Big govt bureaucracy is terrible, but a private one (which is confident they won’t face any trouble or practical consequences) is still trouble.
There hopefully won’t be “mask off” moments for these providers & get really gnarly but this kind of behavior can screw over regular Joe’s & Janes
"Big govt bureacracy is terrible, but a private one (etc)"
You're implying big government bureaucracy is the only option here. How about, you know, regulating internet as a utility? The thing we've been wanting since forever? Unless there's actively a shortage of water or power, I can get those and use them as I feel like, paying extremely low fees. I don't care if my internet is pay for use, provided it's priced close to the actual cost.
A few weeks (months?) back there was an article about ongoing litigation on if websites are required to have accessibility compliance under the ADA act. I would be very happy to see Xfinity sued for this practice under that precedent and hopefully any injection would be considered a violation.
Status of supreme court case: https://www.scotusblog.com/case-files/cases/dominos-pizza-ll...
The Supreme Court declined to overturn the Ninth Circuit, because there was no circuit split or other issue of such urgency to require the Supreme Court to weigh in.
The US Court of Appeals for the Ninth Circuit ruled (somewhat) in favor of the plaintiffs, and remanded the matter to the district court having reversed the lower court on some questions of law.
I think it is still a live controversy in the district court, but it seems likely that the plaintiffs will win on the merits or obtain a settlement.
https://cdn.ca9.uscourts.gov/datastore/opinions/2019/01/15/1...
I am all for web accessibility, and I think companies and developers should consider it a priority, but I do not think a law like the ADA is a good fit for this issue. The parts of the ADA that are good are the prohibition on actively discriminating against people with disabilities and requiring reasonable changes in policies. Requiring buildings to be rebuilt and taking down websites are excessive infringements on freedom and would best be addressed by the free market.
Here are some links you might find interesting: https://www.the-american-interest.com/2013/06/11/the-disabli... https://attorneyatlawmagazine.com/ada-trolls-and-unintended-... https://www.city-journal.org/beyonce-lawsuit-ada https://www.phoenixnewtimes.com/news/parking-lot-trolls-laws... https://adadefense.net/
Only if the marginal cost of developing them is less than the revenue attained by developing them, which is also limited by the amount of funds that disabled people have.
Disabled people existed before ADA, and the reason ADA was popular was because it didn’t make business sense to serve the disabled population. There’s no way construction costs of ADA accessible features of a building will ever be recouped by sales to disabled people needing it.
A free market solution would require the government to give sufficient cash to disabled people, enough to make businesses want to compete for them. But that is also wrought with possibilities for corruption.
Profit is just one form of incentive that we can align for increasing compliance with directives with a positive social benefit. All incentives are abusable if you design them incorrectly, so I see no reason to vilify profit over other kinds of incentives.
When you say you'd shrug what you are really saying is that you care about your HOA and don't give a crap about people with disabilities. If you did care you'd be proposing ways to close loopholes like the one Plaintiff was exploiting.
My issue with this system is the animosity it causes. Panzagl had one interaction with this method and it was enough for them to be ambivalent about the ADA.
A friend of mine does public outreach for an organization for the blind in Seattle, and 99% of ADA non-compliance that they see stems from ignorance and is solved by education.
The disabled aren't the only people who care. Take care of your sidewalk, it's your legal fucking responsibility.
In your mind, is it possible to be on the side of those with the disability and yet still against the ADA?
Put another way, given the two concrete examples mentioned (UCB and Stanford) did actual people with actual disabilities gain greater access to the content that was taken offline (in order to comply with the ADA)? Lots of laws have good intentions and bad effects. I think we should judge them by their effects, not their intentions.
That said, perhaps an improvement to the ADA would be budget to help producers of free content to become ADA compliant.
Absent liability, the other alternatives are some sort of executive branch enforcer (which does things to the whim of the executive) or some kind of onerous licensing/certification scheme (e.g. doctors), and both are IMO worse outcomes.
Edit: I missed it: https://rietta.com/blog/comcast-insecure-injection/injection...
The sad thing is that with many kinds of cybercrime, it's easier to fix the security vulnerability, than it is to track down the criminals and make them stop :)
In this case, the vulnerability is using HTTP, not HTTPS.
Edit: Also, what stops those ISPs from impersonating the requested host by means of their own root certificate, just like antivirus software does it?
Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.
You mean like that "setup software" Comcast spent ages trying to pretend I had to install just to get things running?
I ran Linux in those days, which always meant a little extra support time but I never had to install jack.
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
> Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the "*.google.com" domain.
https://security.googleblog.com/2013/01/enhancing-digital-ce...
If your ISP is tampering with packets, that is the anti-pattern that needs to be remediated ASAP.
In my opinion, the only packet change behavior that an ISP should be involved in is adhering to QoS headers. 0x08, it's bulk. 0x04 reliability, 0x10 low latency. And if they want to charge me more for 0x04, that is fine if it's clearly spelled out in the contract.
As the article points out, an attacker could do something on an unrelated web server that injects this same notice (using the same code [1] as a basis), with a link that says something like "Extend your limit for free by 1GB", which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account credentials. Because the link was presented using the familiar UI, it could easily trick someone and it would be nearly impossible for most users to realize it's not legitimately Xfinity.
[1] https://rietta.com/blog/comcast-insecure-injection/injection...
I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites. There was no description of this option in the account settings, they were buried 3 or 4 layers deep, there was no mention of this 'feature' from any of Shaw's customer service people, the only way I discovered this was through some random forum conversation I found.
There was also people mentioning (this never happened to me)that despite switching the option off, they would find it turned back on again a day or two later and have to repeat the process. I have no idea if this is still the case, this would have been quite a while ago now, but I was pretty unimpressed when I figured it out and realized what was going on.
Edit:i did find this discussion on hacker news about Shaw's hijacking from 2014.
https://news.ycombinator.com/item?id=6993831
I have a feeling, if this ever happened, it was closer to a decade ago.
Stuff like this makes me wish it were a criminal offense to dishonestly describe a feature as an "enhancement" or "improvement" when 9/10 users would not see it that way.
That said, I do most of my downloading on VPS provider, then what I finally want to keep, I compress and pull it down over my VPN. This still doesn't help for things like streaming movies, game updates, etc...