This is a huge violation of user privacy and trust. Further, it shows that an ISP (and probably others) feel that they have the authority to dictate what is served to the user on a free (as in speech) Internet. Why should we believe that they won’t start injecting other types of scripts that spy on the user or introduce advertising? What if a malicious actor compromises Comcast’s servers and serves exploits to users?
It is no surprise that Comcast is capable of doing this—they know the IP address of the customer, so they are able to intercept traffic and alter it in transit. But the fact that they can do this demonstrates something far more important: that they have spent the money on the infrastructure to do so!
Comcast isn’t the only ISP to have betrayed users by injecting data. One year ago, it was discovered that Verizon was injecting “perma-cookies” into requests to track users. This is only one example of the insidious abuses that unchecked ISPs can take.
So what can you do to protect yourself?
What Comcast is doing is called a man-in-the-middle (MITM) attack: Comcast sits in the middle of you and your connection to the website that you are visiting, proxying your request. Before relaying the website’s response to you, it modifies it.
https URLs with the little lock icon in your web browser generally indicates that your communications are encrypted, making MITM attacks unlikely.
(We’re assuming that Comcast won’t ask you to install a root CA so that they can decrypt your traffic! But that would certainly be noticed, if they did so on a large enough scale.)
Not all websites use SSL. Another method is to use encrypted proxies, VPNs, or services like like Tor. This way, Comcast will not be able to read or modify the communications.