Comcast injects JavaScript into web pages

2015-11-20

Mike Gerwitz

It seems that Comcast has decided that it is a good idea to inject JavaScript into web pages visited by its customers in order to inform them of Copyright violations.

This is a huge violation of user privacy and trust. Further, it shows that an ISP (and probably others) feel that they have the authority to dictate what is served to the user on a free (as in speech) Internet. Why should we believe that they won’t start injecting other types of scripts that spy on the user or introduce advertising? What if a malicious actor compromises Comcast’s servers and serves exploits to users?

It is no surprise that Comcast is capable of doing this—they know the IP address of the customer, so they are able to intercept traffic and alter it in transit. But the fact that they can do this demonstrates something far more important: that they have spent the money on the infrastructure to do so!

Comcast isn’t the only ISP to have betrayed users by injecting data. One year ago, it was discovered that Verizon was injecting “perma-cookies” into requests to track users. This is only one example of the insidious abuses that unchecked ISPs can take.

So what can you do to protect yourself?

What Comcast is doing is called a man-in-the-middle (MITM) attack: Comcast sits in the middle of you and your connection to the website that you are visiting, proxying your request. Before relaying the website’s response to you, it modifies it.

In order to do this, Comcast needs to be able to read your communications, and must be able to modify them: the request must be read in order to determine how the JavaScript should be injected and what request it should be injected into; and it must be modified to perform the injection. It cannot (given a properly configured web server) do so if your connection is encrypted. In the case of web traffic, https URLs with the little lock icon in your web browser generally indicates that your communications are encrypted, making MITM attacks unlikely.

(We’re assuming that Comcast won’t ask you to install a root CA so that they can decrypt your traffic! But that would certainly be noticed, if they did so on a large enough scale.)

Not all websites use SSL. Another method is to use encrypted proxies, VPNs, or services like like Tor. This way, Comcast will not be able to read or modify the communications.

See also: HackerNews discussion; original Reddit discussion.