
axus

join:2001-06-18
Washington, DC

[Rant] Comcast inserting Javascript into webpages?

I saw this link on Hacker News, apparently Comcast is inserting things into web traffic now?

»gist.github.com/ryankearney/4146814

From this blog it looks like old news:
»blog.ryankearney.com/2013/01/com···traffic/

I don't follow the Comcast forum, but maybe y'all can update me?



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

Old news. See »tools.ietf.org/html/rfc6108
--
JL
Comcast



FifthE1ement
Tech Nut

join:2005-03-16
Fort Lauderdale, FL
reply to axus

Yeah, Comcast has been doing this for a long time now. I heard they will be doing it with the 6 strikes crap too soon. So they will do it if you get a notice for copyright infringement. Not cool but it's Comcrapstic!

jlivingood, you stole my avatar, lol!
--
"The relationship between what we see and what we know is never settled..."



Streetlight

join:2005-11-07
Colorado Springs, CO
reply to jlivingood

said by jlivingood:

Old news. See »tools.ietf.org/html/rfc6108

Maybe we're all listening to Steve Gibson at twit.tv and his and Leo's Security Now netcast episode 398.

The scary thing is Steve alleges the code is extremely poorly written wherein all the JavaScript variables are global and the code does not use Closure. The suggestion here is that because of that the code is insecure because of the global variables and might be useful to introduce malware into subscribers' computers. Not sure about this.

The purpose of this code is apparently to monitor users' bandwidth usage so as to notify if a user is approaching a bandwidth cap. It is also alleged that the user's system phones home every 5 seconds.

Since bandwidth caps have been suspended for the vast majority of CC HSI subscribers, it seems the code is unnecessary and its use should also be suspended. Actually it seems bandwidth caps should be permanently removed.
--
There is nothing more deceptive than an obvious fact.

Sherlock Holmes in
The Boscombe Valley Mystery
A. C. Doyle
Strand Magazine, October 1891

jagged

join:2003-07-01
Boynton Beach, FL
reply to axus

would one get this message if they're using a router and OpenDNS servers?



Ryan Kearney

@adelphia.net

said by jagged:

would one get this message if they're using a router and OpenDNS servers?

Yes, you would. They intercept HTTP requests after they've left your home. The only way to protect yourself against this is to only visit HTTPS sites, or use a VPN. You can read more about how it works in the RFC spec link posted above.

-Ryan
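A way to check for the in-transit modification discussed in this thread, as an added example that is not part of any post above: compare the `<script>` elements in a copy of a page received over plain HTTP against a reference copy of the same page (for instance, fetched over HTTPS or a VPN) and list the ones that appear only in the received copy. Both HTML samples, the host `notice.isp.example` and the function names are constructed for illustration; the regex extraction is adequate for this comparison but is not a full HTML parser, and pages that legitimately vary between fetches will need an allowlist.

```javascript
// Constructed sample: the page as the origin serves it (reference copy).
const REFERENCE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script>var page = { ready: true };</script>
</head><body><p>Hello</p></body></html>`;

// Constructed sample: the same page as received over plain HTTP, with one
// external and one inline script added somewhere between origin and browser.
const RECEIVED_HTML = `<html><head>
<script src="/static/app.js"></script>
<script>var page = { ready: true };</script>
<script src="http://notice.isp.example/overlay.js"></script>
<script>var noticeInterval = 5000;</script>
</head><body><p>Hello</p></body></html>`;

// One fingerprint per <script> element: "src:<url>" for external scripts,
// "inline:<whitespace-normalised body>" for inline ones.
function scriptFingerprints(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) out.push('src:' + (src[1] ?? src[2] ?? src[3]));
    else out.push('inline:' + m[2].replace(/\s+/g, ' ').trim());
  }
  return out;
}

// Scripts present in the received copy but not in the reference copy.
// Counts are tracked so a script duplicated in transit is also reported.
function findAddedScripts(referenceHtml, receivedHtml) {
  const known = new Map();
  for (const fp of scriptFingerprints(referenceHtml)) {
    known.set(fp, (known.get(fp) || 0) + 1);
  }
  const added = [];
  for (const fp of scriptFingerprints(receivedHtml)) {
    const remaining = known.get(fp) || 0;
    if (remaining > 0) known.set(fp, remaining - 1);
    else added.push(fp);
  }
  return added;
}

console.log(findAddedScripts(REFERENCE_HTML, RECEIVED_HTML));
```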

madbavarian

join:2013-03-05
Fremont, CA

I'm surprised their lawyers let them do this. What happens the first time someone's computer can't automatically download emergency security updates because the HTTP requests are hijacked?



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro

said by madbavarian:

I'm surprised their lawyers let them do this. What happens the first time someone's computer can't automatically download emergency security updates because the HTTP requests are hijacked?

No need to worry about that scenario; if you can't connect to the Internet, your chances of getting infected are greatly reduced. And even if you got infected, there is a good chance that Comcast's other HTML injection program called Constant Guard would then send you an HTML message to inform you that you were infected.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to madbavarian

said by madbavarian:

I'm surprised their lawyers let them do this. What happens the first time someone's computer can't automatically download emergency security updates because the HTTP requests are hijacked?

Did you read the AUP and TOS? Their lawyers assume you have. Since you agreed to this by accepting the terms of service, their lawyers have nothing to worry about.
--
My place : »www.schettino.us


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to jlivingood

said by jlivingood:

Old news. See »tools.ietf.org/html/rfc6108

This is news to me after having previously read your RFC. See section 3.1.1


"Must Only Be Used for Critical Service Notifications
Additional Background: The system must only provide
critical notifications, rather than trivial notifications.
An example of a critical, non-trivial notification, which
is also the primary motivation of this system, is to advise
the user that their computer is infected with malware, that
their security is at severe risk and/or has already been
compromised, and that it is recommended that they take
immediate, corrective action NOW."


I would ask on which planets are bandwidth warnings not considered trivial notifications but I'm afraid of the answer.