> This attack entirely breaks tab ordering, deeming the internet unusable for people requiring software assistance to provide accessibility to the World Wide Web. Additionally, the “escape” key, which is often used to close dialogs, doesn’t close the Xfinity notice.
A few weeks (months?) back there was an article about ongoing litigation on whether websites are required to have accessibility compliance under the ADA. I would be very happy to see Xfinity sued for this practice under that precedent and hopefully any injection would be considered a violation.
Only tangentially related, but how is the ADA looked upon by Americans? The only time I've heard about it as a European was when Stanford (?) was forced by litigation to take entire swathes of free online education offline because it didn't have subtitles. I'm all for making the web more accessible but it really soured me on the notion of such acts and whether they are the best way to enforce said accessibility.
I believe this happened at UC Berkeley as well. For what it's worth, neither institution was 'forced' to remove the content. They were obligated to offer the content equally to all users and they chose not to do so because it cost money to create accessible content. While I feel it's unfortunate access to information was lost, I respect and still stand behind the sentiment of the law. Just because you're doing something 'good' doesn't mean you can ignore access needs of protected classes. Especially considering these are institutions with billions of dollars of endowment, funding, and tuition, I'm certainly on the side of those with disability.
> ...I'm certainly on the side of those with disability.
In your mind, is it possible to be on the side of those with the disability and yet still against the ADA?
Put another way, given the two concrete examples mentioned (UCB and Stanford) did actual people with actual disabilities gain greater access to the content that was taken offline (in order to comply with the ADA)? Lots of laws have good intentions and bad effects. I think we should judge them by their effects, not their intentions.
If ADA compliant content requires more resources to produce, allowing something to remain in violation because it’s free seems like a great way to price ADA compliant content out of existence.
That said, perhaps an improvement to the ADA would be budget to help producers of free content to become ADA compliant.
Most everyday Americans probably know very little about its particulars, though they all know the name. Business owners, especially small business owners, are well aware of its abuse on several fronts, from labeling pets as "emotional support" (fortunately this has been clearly rejected by statute, but people try it anyway), to suing business owners because their wheelchair ramps are the wrong angle, to examples such as the one you mention (which to me was a violation of free speech as well).
I am all for web accessibility, and I think companies and developers should consider it a priority, but I do not think a law like the ADA is a good fit for this issue. The parts of the ADA that are good are the prohibition on actively discriminating against people with disabilities and requiring reasonable changes in policies. Requiring buildings to be rebuilt and taking down websites are excessive infringements on freedom and would best be addressed by the free market.
It would be one of many possible features firms could compete on. Developing more accessible apps would result in an increased userbase leading to greater revenue (and potentially take you from a perfect competition to a monopolistic competition scenario, reducing the elasticity of demand for your product, allowing you to raise the price).
> Developing more accessible apps would result in an increased userbase leading to greater revenue
Only if the marginal cost of developing them is less than the revenue attained by developing them, which is also limited by the amount of funds that disabled people have.
Disabled people existed before ADA, and the reason ADA was popular was because it didn’t make business sense to serve the disabled population. There’s no way construction costs of ADA accessible features of a building will ever be recouped by sales to disabled people needing it.
A free market solution would require the government to give sufficient cash to disabled people, enough to make businesses want to compete for them. But that is also fraught with possibilities for corruption.
My HOA was sued for some slightly uneven sidewalks and the fact that some people had parked cars that jutted out of their driveways. Plaintiff doesn't live here, has pretty much made a living by such lawsuits. So while I agree with the tenets of the ADA, it's just one more example of how legislated morality will be abused by a small percentage for their own gain. If it were repealed tomorrow I would shrug.
I hear plenty of stories like this out of California. Their enforcement of the ADA is somewhat unique. Instead of having inspections and compliance officers, any wronged party can file a claim and receive ~$4k in compensation. There are plenty of people who make a considerable amount of money as 'freelance' code enforcement.
My issue with this system is the animosity it causes. Panzagl had one interaction with this method and it was enough for them to be ambivalent about the ADA.
A friend of mine does public outreach for an organization for the blind in Seattle, and 99% of ADA non-compliance that they see stems from ignorance and is solved by education.
This is very convenient and self serving logic. Everything will be abused by a small percentage for their own gain. Dismissing the entire ADA because of a few anecdotal examples that were irritating to _you_ is completely nuts when weighed against the massive improvement in quality of life the ADA has created for the millions of disabled Americans.
When you say you'd shrug what you are really saying is that you care about your HOA and don't give a crap about people with disabilities. If you did care you'd be proposing ways to close loopholes like the one Plaintiff was exploiting.
Just because someone is entering a seemingly frivolous lawsuit, is it fair that the HOA's sidewalks are inaccessible in general? I feel like it feels wrong because someone is profiting on it, but society is more equitable as a result and I don't feel that is an abuse of the legislation.
In fact, if profit drives more people to fight for what's right, then it becomes easier to make the world a better place.
Profit is just one form of incentive that we can align for increasing compliance with directives with a positive social benefit. All incentives are abusable if you design them incorrectly, so I see no reason to vilify profit over other kinds of incentives.
I used to live in a neighborhood that frequently had un-shoveled/un-salted sidewalks and cars parked across the sidewalk. As someone who walks a dog, it's fucking obnoxious to have to wander around in two feet of snow because someone didn't want to park on the street, or slip and fall on an unsafe sidewalk.
The disabled aren't the only people who care. Take care of your sidewalk, it's your legal fucking responsibility.
In America, due to a distrust of bureaucracy and the fact that enforcement or lack thereof can be up to the willpower of the executive, establishing liability via the judicial system is an effective enforcing mechanism.
Absent liability, the other alternatives are some sort of executive branch enforcer (which does things to the whim of the executive) or some kind of onerous licensing/certification scheme (e.g. doctors), and both are IMO worse outcomes.
All tools can be used for good or ill. The ADA has made the US a whole lot more accessible for many folks from wheelchair ramps everywhere to disability accommodations at fun parks.
The litigation is over. The Supreme Court declined to hear the case a few weeks ago. The "Petition DENIED" at the bottom of that status page is referring to the petition for cert.
The Supreme Court declined to overturn the Ninth Circuit, because there was no circuit split or other issue of such urgency to require the Supreme Court to weigh in.
The US Court of Appeals for the Ninth Circuit ruled (somewhat) in favor of the plaintiffs, and remanded the matter to the district court having reversed the lower court on some questions of law.
I think it is still a live controversy in the district court, but it seems likely that the plaintiffs will win on the merits or obtain a settlement.
You wrote "That is inaccurate", but you didn't cite a single inaccuracy in the gp comment. You wrote some other sentences, but they don't appear to contradict anything gp wrote.
The GP claimed litigation was over. The parent claims it isn't over. Oftentimes higher courts decide a specific question pertaining to a case, not the whole case. Just because a higher court clarifies something doesn't mean litigation is over - it means the lower courts can continue with that point now clarified and/or corrected.
The litigation is ongoing. The Supreme Court declined to hear the petition to essentially throw the case out, in effect paving the way for trial between the plaintiff and Domino's.
> ...the owner of copyright under this title has the exclusive rights to do and to authorize any of the following: (2) to prepare derivative works based upon the copyrighted work;
Instead of conveying the authorized copy from the webserver to its intended recipient, Comcast is intercepting the original copy of the file and making a derivative version of the work. Unless they received special permission from each website owner (which is unlikely), Comcast is infringing someone's copyright every time they make a modified copy without permission.
How many HTML files have they willfully[1] modified?
[1] why willful? They published the technical details of how they modify the original work in an RFC.
Copyright concerns copies. When Comcast injects their code in a page before delivering it to me, they have distributed a copy which is subject to copyright laws.
When I download a page and modify it for myself without distributing the modified copy, it is not subject to copyright laws.
I'm not sure they are equivalent. One is being done by someone else perhaps without your knowledge (most people are not tech savvy and won't even understand what Comcast has done). The other is being done by you explicitly to your own "copy" of the work. I don't think the ad-blocker argument would hold up in court.
But this line of reasoning got me thinking...I've seen some pretty loose interpretations of the CFAA over the years. I'm not sure what the law says about Comcast's privileged position as an ISP, but I would think that in most cases, specifically altering data between two networks counts as unauthorized access, no?
In this case, one could argue that adblocking is like using a marker to blackout sentences you don't want to read in your personal copy of a book or newspaper.
The same as using a blue light filter on your computer (modifying the output of every program, copyrighted work, website, and text) vs wearing blue-blocker (yellow) sunglasses to the movie theater or library.
Not really the same thing at all. Comcast is modifying content, and profiting off a service that delivers that derivative content. That is clear willful infringement. User modifying their own content locally is not infringement, since the content is not redelivered or sold.
You're free to tear up your copy of Harry Potter once you buy it from the bookstore, but you're not free to (as the bookstore) add a prologue to every book and sell it as Harry Potter by Comcast.
1. Can it be considered "modified enough" to be considered derivative if it's the original file, plus some Javascript to provide a pop-up notification?
2. These MITM alerts are typically customer-beneficial and customer-relationship-oriented; the purpose is to alert that the user is getting close to a bandwidth cap. Similarly, there's current talk of somehow making ISPs or service providers deliver EAS alerts. Comcast already has to do this for EAS alerts on its television service. Does Comcast violate copyright when it interrupts a television program to show a federally required EAS alert?
3. Captive portals are a well-established instance where a page requested is not what's delivered. No one is accusing them of copyright infringement.
The fact that you can easily describe what their modifications do as a new feature (with notification) that wasn't part of the original work is strong evidence that their modifications were transformative.
> These MITM alerts are typically customer-beneficial and customer-relationship-oriented;
That doesn't give them the right to make a derivative work based on my webpage. I'm not their customer!
> the purpose is to alert that the user is getting close to a bandwidth cap
So what? Communicating with their customers doesn't require violating the copyrights of many 3rd parties. 3rd parties shouldn't even be involved.
Instead of vandalizing a lot of webpages, they could:
* Simply send only their own page instead of appending or trying to mix it into other people's copyright protected works. This is how captive portals have worked ever since they were invented.
* Instead of trying to notify their customers in-band with the service they provide, send any necessary warnings to the phone number (or other contact information) listed on the customer's account. This is what many businesses did in the past, and many still do.
* (re: bandwidth limits) They could stop trying to impose artificial scarcity and use a business model with more honest pricing.
* They could add a small message display and alert light (and buzzer?) to the modem/router.
> 1. Can it be considered "modified enough" to be considered derivative if it's the original file, plus some Javascript to provide a pop-up notification?
They're altering the functionality of it, fairly substantially imo. I would argue that copyright should protect your IP from being subverted to serve additional, annoying pop-ups.
> Does Comcast violate copyright when it interrupts a television program to show a federally required EAS alert?
In that case Comcast is not altering the contents of the work, it is replacing the content with other content. I don't think that's a violation of copyright at all.
> 3. Captive portals are a well-established instance where a page requested is not what's delivered. No one is accusing them of copyright infringement.
Again, they are not modifying the returned content, they are refusing to display the requested content and returning alternative content.
One of the problems with this is the same as any other bad behaviours companies often do that are indistinguishable from an attack, such as asking for your PIN on the phone, or sending account-related e-mails with links: They condition the user to expect this is "legitimate".
As the article points out, an attacker could do something on an unrelated web server that injects this same notice (using the same code [1] as a basis), with a link that says something like "Extend your limit for free by 1GB", which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account credentials. Because the link was presented using the familiar UI, it could easily trick someone and it would be nearly impossible for most users to realize it's not legitimately Xfinity.
I have first-hand knowledge about how Comcast's content injection happens. (they'd prefer to call it "User Messaging") I'm sure you'll find the same ability from several ISPs because they all purchased a network appliance that does the content injection.
One question people are asking here: does it work over HTTPS? No, it doesn't work over HTTPS, but if the page requests content via HTTP it is possible.
Interestingly enough, the technique is very similar to what Edward Snowden revealed as Quantum Insert, where HTTP requests monitored by the ISP are intercepted and another web server (the network appliance in question) is able to respond more quickly. It starts with a very fast response that leads to a 302 redirect. The network appliance will then serve up a modified version of a file (usually a JS asset). The injected JS will then query the network appliance for "messages" and show them if the user is "eligible" to receive them.
What is the appliance called? Do all HTTP requests flow through it and anything else bypasses it? Does it store or log any of the requests or responses?
I'm hesitant to name the device, because thus far the company who makes it has escaped scrutiny, and I'm not the one who's going to change that right now. There was an Ars Technica article a few years ago that made reference to Xfinity doing this to notify people that they were using a hotspot. They had a follow-up article that nobody read where they pointed to the company that made the device, but they slightly misidentified them. Mostly people were upset at Comcast. The appliance is used at Cox, Shaw, and many other major ISPs all over the world: Europe, Latin America, The Middle East, Asia. There are basically two major companies operating in this space, as far as I know.
It is capable of monitoring ALL http requests, which is only about <5% of traffic going through an ISP. The more traffic you have, the more devices you need, but one can take care of a LOT of traffic, and I believe it can run as a VM. I'm not sure how it works as a VM exactly, because it also contains a custom Ethernet driver.
The same device directs people to the captive portal (if i'm not mistaken) used for logging into xfinity, or other public wifi from other providers.
Because performance is a high priority, the logging is minimal, but it keeps track of who's been served a message and doesn't collect any PII. The device is capable of serving any content, even causing a request from a third-party. So, it's possible that the content that gets ultimately injected is able to do whatever... anything a malicious advertisement would be capable of doing.
Your message eligibility is highly configurable, and can include metrics such as whether you visit certain sites, and possibly even your physical location.
There are a couple of phases. First the network appliance injects some light code, using the Man-On-The-Side 302 redirect method. Once that's done, the injected code is probably going to request additional content after checking if you qualify for a message.
All the information a person could want is available if you know where to look. I'm providing well-documented information. If more information becomes public I can talk about it, otherwise, I simply can't. Let's just leave it at that.
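As an added example (not the commenter's code and not tied to any real appliance or ISP), here is how a defender might look for the two phases described above in a client-side HTTP log: a plain-HTTP request for a first-party script answered with a 302 to a foreign host, then follow-up requests from the browser to that host. The whitespace-separated "METHOD URL STATUS LOCATION" log format, the sample lines and the `trusted_hosts` allowlist are all constructed for this example.

```python
"""Flag the man-on-the-side injection pattern in a constructed client-side HTTP log.

Phase 1: a GET for a first-party .js asset over plain HTTP is answered with a
         redirect whose Location points at a different host.
Phase 2: the browser then talks to that host (fetching the modified asset,
         polling for "messages").
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Collection, Dict, List
from urllib.parse import urlsplit

SCRIPT_SUFFIXES = (".js", ".mjs")
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

# Constructed log lines (not real traffic): METHOD URL STATUS LOCATION ("-" = none).
SAMPLE_LOG = """\
GET http://example.org/ 200 -
GET http://example.org/static/site.css 200 -
GET http://example.org/static/app.js 302 http://203.0.113.7/inject/app.js
GET http://203.0.113.7/inject/app.js 200 -
GET http://203.0.113.7/messages?eligible=1 200 -
GET http://example.org/old-page 302 http://example.org/new-page
GET http://example.org/vendor.js 302 http://cdn.example.org/vendor.js
GET https://example.net/lib.js 302 https://other.example/lib.js
"""


@dataclass
class Finding:
    line_no: int
    reason: str
    url: str
    target_host: str


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _is_script(url: str) -> bool:
    return urlsplit(url).path.lower().endswith(SCRIPT_SUFFIXES)


def detect_injection(log_text: str, trusted_hosts: Collection[str] = ()) -> List[Finding]:
    """Return one Finding per suspicious line. trusted_hosts: hosts a first-party
    site legitimately redirects its scripts to (e.g. its own CDN)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    suspect_hosts: Dict[str, int] = {}  # host -> line where it first hijacked an asset
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        parts = raw.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        _method, url, status, location = parts
        req_host = _host(url)
        # Phase 2: any later request to a host that already hijacked a script.
        if req_host in suspect_hosts:
            findings.append(Finding(
                line_no,
                f"follow-up request to injecting host (first seen line {suspect_hosts[req_host]})",
                url, req_host))
            continue
        # Phase 1 only applies to plain HTTP (the thread notes HTTPS is not affected).
        if urlsplit(url).scheme != "http" or status not in REDIRECT_STATUSES:
            continue
        if not _is_script(url) or location == "-":
            continue
        target = _host(location)
        if not target or target == req_host or target in trusted:
            continue
        reason = "script asset redirected to foreign host"
        if _is_ip_literal(target):
            reason += " (bare IP address)"
        findings.append(Finding(line_no, reason, url, target))
        suspect_hosts.setdefault(target, line_no)
    return findings


def run_sample() -> List[Finding]:
    """Run the detector over the constructed log with one trusted CDN host."""
    return detect_injection(SAMPLE_LOG, trusted_hosts={"cdn.example.org"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f.line_no}: {f.reason}: {f.url} -> {f.target_host}")
```

Only lines 3, 4 and 5 of the sample are flagged: the same-host redirect, the allowlisted CDN redirect and the HTTPS redirect are all ignored.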
I'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing. I finally really noticed it one day so I did some searching at the time and found out Shaw has an option in their account page (enabled by default),
I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites. There was no description of this option in the account settings, they were buried 3 or 4 layers deep, there was no mention of this 'feature' from any of Shaw's customer service people, the only way I discovered this was through some random forum conversation I found.
There were also people mentioning (this never happened to me) that despite switching the option off, they would find it turned back on again a day or two later and have to repeat the process. I have no idea if this is still the case, this would have been quite a while ago now, but I was pretty unimpressed when I figured it out and realized what was going on.
I'm not sure if I described it clearly, with this mode on, all of your traffic was being redirected to a Shaw server before being routed to where it was supposed to go. It was like being connected to a VPN that existed solely to serve me ads. They were blocking ads on websites and replacing them with their own from their servers, I would get popup ads from them that were not being stopped by adblock, every misspelled or dead URL would take me to their landing page full of ads for their services. Not only were they interfering with my traffic, but they were interfering with the monetization of the website. As much as I dislike ads, I'd rather the site owners get the ad revenue for my browsing than a company I'm already paying for internet.
> I'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing.
> I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites.
Stuff like this makes me wish it were a criminal offense to dishonestly describe a feature as an "enhancement" or "improvement" when 9/10 users would not see it that way.
I am currently trying to find this feature you mentioned. Are you still a Shaw customer able to look again to where exactly in the account it is because I can not find it or mention of it online? Thanks
On a broader level this is why the FCC is IMHO wrong in not considering broadband a telecommunication service. As ISPs inject their content (including advertising) into third party content, they essentially take over said content. E.g., if someone requests access to my content via their service, besides any corruption of functionality, artistic work and even intended meaning, any revenue generated by this is directly drawn from my content without license. From my perspective as a potential content provider, this is clearly a violation. It may be even a violation of existing contracts, e.g., if there's a no third parties clause involved in an existing advertising contract the content provider has agreed to.
From which quite naturally follows, if broadband providers in the US consider themselves content services rather than telecommunication services, they have to acquire licenses for the content they provide, as well. (Xfinity, may have your billing address?)
As a content provider this is why you need HTTPS, and it's why you should ensure your certificate is in the transparency logs, and that your site requires CT entries.
However, this is more like "better have a lock so that thieves have a harder time breaking the door". If the US are making IP violations legal, they put themselves in danger to be treated like other countries who are considered notoriously ignoring IP as part of their overall business model.
The sad thing is that with many kinds of cybercrime, it's easier to fix the security vulnerability, than it is to track down the criminals and make them stop :)
In this case, the vulnerability is using HTTP, not HTTPS.
Well, HTTPS could still be man-in-the-middled, right? I am not really informed, but I would not be surprised if some ISPs are even recognized as certificate authorities.
MITMing TLS requires either (1) a falsely issued certificate, which would be "a big deal" when (not if) found and would lead to the issuer losing their status as accepted in browsers, or (2) the user to install a certificate generated by the person doing the MITM; this is often done in corporate environments.
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
Are we sure that there won't be an exception installed to this in favor of broadband providers, considering the paths already taken?
Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.
Your browser and OS quickly delist any certificate found to have forged a certificate for a website they don't own. They're unapologetic about it too - and don't care who they piss off.
However, browsers have played along with US legislation previously. (E.g., when long key encryption was restricted to US versions only.) I'm not sure if Mozilla would be playing along nowadays, but you can't be too sure, either. Moreover, you could consider certificates installed by antivirus software as some kind of prior art to this. (While considered a security risk, at least by some, they are not delisted.)
This is exactly why I cancelled my Comcast service a few years ago and switched to Sonic, even though it had orders of magnitude less bandwidth. I even offered to stay on as a customer, and pay whatever 'overage' fees they charged, if they implemented some way to make exceptions and never inject the data cap warning on my account, but they claimed that was impossible. When I returned the rental equipment, I made it absolutely clear that I considered this practice immoral and reprehensible.
If anyone else considers cancelling their service, but has trouble getting Comcast to let them actually do it, just remove your payment method from the account, and let them know that if they attempt charging to it again, you'll sue them for fraud; that'll get your account closed real quick!
The suburb (outside of Seattle city limits) that I live in is a suburban area, density is easily high enough.
My choices are Comcast (up to 1gbit down / 30 mbit up IIRC) or rotting exposed copper POTS (from Clink?) that has VDSL at something around 10mbit down / 1 mbit up.
Thus, I have only one choice of broadband provider and due to lack of competition as well as lack of regulation, no broadband providers that offer unlimited service* (technically Comcast will happily charge me 600 extra dollars a year for no increased speed but no caps; however they shouldn't even bother with caps on their highest tier packages).
I used Sonic (DSL) for five years while I lived in the south bay and I was extremely happy with the service and the company.
Where I live now Comcast is the only broadband available and although the service is theoretically faster and somewhat less expensive, I'd pay twice the price for Sonic. Comcast is unreliable, intermittently very slow, and the company is impossible to deal with.
They could measure the size of the JS payload, and subtract that from the size of the web page, before adding that number to the number of bytes used in a billing period. That way they could "more-fairly" measure bandwidth usage even with their MITM "value-add" and "informative" content.
Though, seriously, I have a hard time understanding the reasoning for data caps on DOCSIS infrastructure. On LTE, yes. WISP, yeah - kinda. DOCSIS, DSL and GPON? Absolutely no!
Not to mention the horrifying realization of most uninformed people that their ISP can and will intercept, log, modify or restrict access to content that the user has requested, even though the user has the right to such content, having paid the monthly subscription fee for the connection. But hey, I don't work at a large cable ISP, I couldn't possibly understand their reasoning and advanced calculations. /s
It’s my impression that the bottleneck isn’t the last mile technology (wireless, copper or fiber), but the interconnects between ISPs and the rest of the internet. This is why Netflix can be crawling in the evening while you’re getting the full speed on a speedtest (that’s not fast.com)
They typically don't count traffic within their network towards the data cap (e.g. streaming Xfinity TV), so I don't think it is safe to make an assumption about the banner one way or another.
Huh? I happen to run my own intercepting proxy which rewrites HTML pages, and if I wanted to, I could easily track exactly how many bytes came in and how many bytes went out.
I just got this as well. I’m appalled at the complete lack of thought put into this. I’ve had numerous emails & push notifications telling me I’m over my data cap; I don’t need injected content into my page in addition.
Honest question: If I own the copyright to a webpage (say my personal blog) and Comcast modifies my page to insert this "helpful" warning message, is it likely I'd have a case to sue them for creating an unauthorized derivative work of my content?
Regarding actual damages, popups about data limits that appear to come from my page can easily damage my reputation or give the false impression that I have some kind of relationship with Comcast.
Since they are making a new derivative work without the authorization of the copyright holder, they are probably guilty of copyright infringement. The remedy for that could include statutory damages for each work they infringed of "a sum of not less than $750 or more than $30,000 as the court considers just"[1]. However, since the infringement was patently willful (they published an RFC explaining their intentions and methods), "the court in its discretion may increase the award of statutory damages to a sum of not more than $150,000."[2]
Slower pages are clearly linked to lost revenue (even a few milliseconds has been shown to affect conversion rates). This would be an easy case, I think.
I used to live in Fort Collins and I was _floored_ the first time that an xfinity data limit popup appeared on a random website. Colorado needs a better provider.
I have GB fiber from CenturyLink for $85 until the city broadband, the city has had FTTH for at least 10 years or so, so anything new this should be doable.
Where in Fort Collins have they deployed FTTH, and when? I know FRII deployed some fiber, but based on some conversations I had with them they had largely abandoned it because of the burden of doing fiber locates. I don't know of anyone who has FTTH. The best my house lists on the Century Link site is 40Mbps. But, the city ran their conduit by my house 2 weeks ago, so hopefully we have fiber by the end of the year...
Oddly when I first moved in they said also 40Mbps, then 200, then finally GB. I think they were upgrading the upstream equipment because I had fiber the whole time. I don't know how to find out other than calling, although they do send mailings to our street as well.
This is sadly common: I’ve run Sentry (https://github.com/getsentry/onpremise) for years to collect JavaScript errors on the sites I run. If you haven’t done so, it’s eye-opening how noisy the JavaScript environment is for many people: ISPs, browser extensions, anti-virus software, etc. all injecting tons of marginally-tested code, most of it written at a level which would have been shameful back in 1998, and apparently little awareness of how to avoid polluting the global namespace.
A similar bit of malware had a surprising twist: many ISPs, especially mobile, used an image compressor which made things look terrible but, unexpectedly, it honored Cache-Control: no-transform. See https://stackoverflow.com/a/4113511/59984.
I’m curious whether Comcast does that – it would be surprising but also possible as a way to reduce the risk of lawsuits.
At least Xfinity is giving you information /s. Optimum Online does this and serves me advertisements for new channels or movies available through VOD [1]
So much of the tone of this article is vaguely alarmist, which is a little annoying... seeing as the issue described is already extremely alarming
It didn't need the theatrics and intentionally misleading garnishments (like quoting Comcast's own RFC that's describing their own recommended behavior for themselves, then pointing out you can phish people, and then awkwardly trying to glue those tangential points together)
The bad behavior is bad enough that it'd stand on its own, and if it instead focused on things like accessibility up front, it'd be much stronger of an article (and people would be more likely to read it all the way through)
I'm curious about this as well. When I worked on content-based billing in Canada years ago, we zero-rated content that was served by us, so it wouldn't contribute towards data usage. That was a different time though and likely a different implementation.
First time I saw one of these 4 years ago was when it popped into a Steam sale advertising window. Really creeped me out. A sure sign Comcast is pretty much 100% infected with Bovine Spongiform Encephalopathy. Still they offer Internet that is 10 times faster than the competition. Ah, the tyranny of the last mile. I went with Comcast Business, and they don't have data caps...
I did the numbers with the AT&T sales rep here in South Texas, which has a similar plan and cap. If my math is anywhere close to correct (questionable), actually pulling 1000 Mbps would exhaust the 1 TB cap in about 2.3 hours.
Yes, hours. That cap cannot sustain the advertised speed for even one full day before hitting overage charges.
Needless to say, we went with a different service provider. We are fortunate here to have an option (alas, still a cable company) that has no data cap, but not everyone is so lucky.
Further incentivizing the use of HTTPS everywhere, imo. It's such a cheap standard now. Correct me if I'm wrong, but I don't see any good reasons for a site to be running HTTP any longer, other than laziness.
I'll give it a shot. If you put up your site behind HTTPS you are breaking the web for older web clients. Many sites have already deprecated TLS v1.1 so even 10 year old devices may no longer be able to access the web. HTTPS is great but it has a cost.
> even 10 year old devices may no longer be able to access the web
I think you mean 10 year old software, which is a much smaller bucket than 10 year old devices. And if you're browsing the web with 10 year old software, you have much bigger problems including but not limited to committing security-suicide.
I found some old Macs belonging to a non-profit to be apparently useless (for their purposes) because you couldn't upgrade the system software enough to let a browser operate properly with secure sites. Sure, there's Linux, but they appeared to be useless as Macs.
Well the TLS change breaks software (FF 26) (2015) and affects android versions <= 19 (2014). Kind of a bummer if you have old smartphone. But I agree, it's a tiny bucket and it's best to upgrade when you can.
Only if you have a cert that the browser trusts for that domain. If a CA was found to be illicitly minting certs, browsers and operating systems would untrust them. All their certs would stop working. Their business would be ruined.
That's interesting. Can someone elaborate on this? My understanding is once the session is established, that's it: just encrypted traffic. How to inject something into encrypted traffic?
Of course, to distinguish HTTP traffic from non-HTTP traffic and to intelligently insert the code snippet only where it won't disrupt e.g. API call response or a file download, some basic level of DPI is required.
The attacker needs to generate a new cert that the client trusts. This is easy on a corporate network where you can force users to trust a private CA. Unlikely to happen with a US ISP, but possible if someone hacks the CA (eg DigiNotar) or the CA hands out unconstrained certificates to someone who acts badly (eg CNNIC).
Speaking of which, is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
Mozilla and Microsoft publish their lists. Chrome uses the OS's root store. I've seen other open source software use Mozilla's list, but I've never seen a list of what software does that.
Technically, yes, but the only way I know possible is having direct access to the target device to force it to trust fake certs, and is usually used to unwrap encrypted traffic being sent from applications on your own devices. I don't know of a way for the ISP to do this, unless they conspire with a certificate authority. I'd like to think this isn't happening.
Only if the victim trusts the attacker's certs, right?
That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).
Mozilla would kick Comcast out of the root CA list pretty fast.
Finally, there are certificate transparency logs; you can set CT headers on your site to require the certificate to be in CT logs.
Then you can monitor if anyone creates certificates for your domain. And updated clients can validate that certificates are in the CT logs.
HTTPS is pretty robust these days. There's still a few corner cases around SNI, but that only leaks what host you're visiting, wouldn't allow injection -- and specs are slowly closing those holes too.
Is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.
> That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).
The moment that was discovered, the CA would stop being a trusted CA.
There's a lot more appetite these days for enforcing requirements on CAs, ever since CT started going down the road towards mandatory, and ever since misbehaving CAs started getting forced to implement it immediately. Intentionally MITMing TLS on the broader Internet the way this thread is talking about would be a fairly quick death sentence.
Also, given the existence of Let's Encrypt, there's much less reason to be using a paid CA, and planned migration to a new CA provider isn't too much to ask. There'd likely be some work within browsers to provide clear error messages, and sites would need some amount of time to migrate, but I think we're talking days-to-weeks before there's a warning banner on the sites and months at most before the CA is dead.
>but you'd have to get a pretty nice VPN to not impact your experience by 250ms/req.
Eh? I was thinking the opposite, that's such a ludicrous latency overhead that it would be trivial to go to any VPS provider even sort of nearby and spin up a $5 instance with Algo. The only concern normally for some of them is the super cheap simple managed instances often have data caps too (though some providers are bandwidth limits only), but in this use case even that doesn't matter because the limits are still higher than Comcast's regardless. There are datacenters in Denver, but even if you had to go all the way to SF and it's a worst case adding 1800 miles RTT that should still only be around 10-14ms or so right? The article seems a little silly to go on so much about a few kb of data out of tens of gigabytes or a TB or whatever Comcast's caps are, but 250ms is wild, even without all the other breakage.
Although I've always heard that if you're ever forced to go Comcast, the average HN type would be best off seeking a Comcast Business connection that has actual support and customers that use the internet fully.
Agreed. I used to run all my traffic through a VPN I ran, and found that the average latency was lower than routing it to the default gateway.
This was possible because my server was well connected and very low latency talking to Comcast, and also very low latency talking to the rest of the Internet via Level-3, Time Warner, QWest and InterNAP. Where directly routed traffic would run over the Comcast network most of the way across the country.
One problem with this approach is many streaming content providers identify known VPN egress points, consider them methods for subverting region-restrictions, and thus won't serve ANY data to you. Netflix does this w/ PIA (and probably others) for instance.
I also have Xfinity and began to experience this a few years ago. When it started I configured my router (pfSense running on an APU2) to forward all outgoing connections on port 80 (and a selection of other commonly unencrypted ports) through a VPN - but leave all other ports, especially 443, alone.
I’ve been doing that ever since. It works great, and for me is a good trade-off over using a VPN for literally everything.
We need a service which tests web pages from different points on the internet, including foreign countries, at regular intervals, and compares the results to a known good version of that page, and its code.
It should answer such questions as:
1) Did the website load?
2) How long did it take to load?
3) Was the content tampered with in any way, was anything added to, or deleted from the content, including any code, such as its javascript?
So, be able to perform those tests, from a variety of points on the Internet, from a variety of IP addresses, at regular intervals, and report back.
Noting any and all discrepancies, and storing all anomalous web page data retrieved (including code) for further analysis...
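The comparison step of the service proposed above, as an added example (not code from the commenter or from any existing project): it fetches nothing itself; the reference copy and the copies "seen" from each vantage point are constructed inline, and the `injector.example` URL and inline snippet are placeholders standing in for whatever an intermediary might insert.

```python
"""Compare page copies fetched from several vantage points against a known-good
reference and report injected or removed script content."""
import difflib
import hashlib
import re
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def script_profile(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return set(p.external), set(p.inline)


def canonical_lines(html):
    """Collapse whitespace and put each tag on its own line so cosmetic
    differences (indentation, line wrapping) do not count as tampering."""
    flat = re.sub(r"\s+", " ", html).strip()
    return re.sub(r">\s*<", ">\n<", flat).split("\n")


def compare(reference, observed):
    """Report script-level and line-level differences between two page copies."""
    ref_ext, ref_inl = script_profile(reference)
    obs_ext, obs_inl = script_profile(observed)
    ref_lines, obs_lines = canonical_lines(reference), canonical_lines(observed)
    diff = difflib.unified_diff(ref_lines, obs_lines, "reference", "observed",
                                lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return {
        "tampered": ref_lines != obs_lines,
        "added_external_scripts": sorted(obs_ext - ref_ext),
        "removed_external_scripts": sorted(ref_ext - obs_ext),
        "added_inline_scripts": len(obs_inl - ref_inl),
        "added_lines": added,  # kept for later analysis, as the comment suggests
    }


def check_vantage_points(reference, fetched):
    """fetched maps a vantage-point name to (html or None if the load failed, load_ms)."""
    results = {}
    for name, (html, load_ms) in fetched.items():
        if html is None:
            results[name] = {"loaded": False, "load_ms": None}
            continue
        report = compare(reference, html)
        report.update({"loaded": True, "load_ms": load_ms})
        results[name] = report
    return results


# Constructed sample data: the site owner's known-good copy of the page.
REFERENCE = """<!doctype html>
<html><head><title>Example page</title>
<script src="/static/app.js"></script>
</head><body><p>Hello</p></body></html>"""

# Constructed: same page fetched cleanly, differing only in whitespace.
CLEAN_FETCH = ("<!doctype html>\n<html>\n  <head>\n    <title>Example page</title>\n"
               "    <script src=\"/static/app.js\"></script>\n  </head>\n"
               "  <body>\n    <p>Hello</p>\n  </body>\n</html>\n")

# Constructed: same page with an external script and an inline snippet inserted
# in transit; URL and snippet are placeholders, not real indicators.
INJECTED_FETCH = REFERENCE.replace(
    "</head>",
    '<script src="http://injector.example/notice.js"></script>'
    "<script>/* constructed injected snippet */var injected = 1;</script></head>",
)
```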
I'm intrigued by why you created a one off account just to post this. To address something that stuck in my craw though -
"Big govt bureaucracy is terrible, but a private one (etc)"
You're implying big government bureaucracy is the only option here. How about, you know, regulating internet as a utility? The thing we've been wanting since forever? Unless there's actively a shortage of water or power, I can get those and use them as I feel like, paying extremely low fees. I don't care if my internet is pay for use, provided it's priced close to the actual cost.
This is orthogonal to data caps. We could debate separately if people should be allowed to have contracts with those limits, but the actual problem here is that the ISP is modifying the traffic I requested before they deliver it. In this case it was for data cap notices, but next time it might be for ads or malware or anything else they want to inject.
And if there is a data cap, it should be proportionate to the data bw plan I am paying for. I had a 100mb/s plan with a 1TB cap. I moved to a 400mb/s plan and I still have a 1TB cap. So I can burst faster, but my overall usage is expected to stay the same.
That said, I do most of my downloading on VPS provider, then what I finally want to keep, I compress and pull it down over my VPN. This still doesn't help for things like streaming movies, game updates, etc...
Disagree. Paying per byte is a critical part of making people realize they are part of botnets and to create the only incentives that have a shot at working naturally like pressure against poorly secured smart devices. Unlimited bandwidth just forces everyone behind Cloudflare and breaks the internet.
Pay per byte is a fleecing scheme, nothing more. You already pay more for more bandwidth. ISPs get more than enough doing that without any monthly data caps.
Oh so if I use a gig, I only pay for a gig? That doesn’t sound like a data cap, that sounds like a going rate for data. They still charge you for all the data you never consumed, which makes no sense as a transaction.
Oh please, this is not new. They've been doing this for at least 5 years that I know of. If you pirate, they DMCA alert you with MITM'd divs in the HTML pages you visit. I mean the fact they inject HTTP headers is one thing but they don't even care to do a 301 or mess with DNS responses, they will inject code in your browser tab!
Lawyers on HN, how is this not a violation of CFAA? If I sat at a coffee shop and did the same thing (say a "harmless" js "alert('Hi everyone!');") that is punishable with penalty up to 5 years imprisonment. So you're saying if I was the ISP that's ok? Why is the FBI/DOJ not criminally prosecuting Comcast's CEO? Preferential treatment or prosecutorial discretion? Will Comcast start pushing back on dragnet surveillance cooperation?
The whole thing is so crooked! How can we bring this to the attention of lawmakers and media?? If the post office put notes in your mail (outside of a law enforcement request) would it not be a big deal?
Have you read your ISP’s terms of service? Do you really think Comcast didn’t include language giving them the right to do almost anything to your traffic?
An agreement is invalid if it is unlawful. Think of it this way: a packet in transit belongs both to the sender and receiver but never to the intermediary. Even if a Comcast customer agreed to a ToS stating all their traffic solely belongs to Comcast, the servers sending the traffic to the Comcast customer never gave that permission; they never allowed Comcast to present altered content to their customer. The only way that reasoning holds up is if Comcast and Comcast's customers are one legal entity (you're essentially their subject much like an employee, but even then employees are distinct)
How is this unlawful without robust network neutrality legislation? They’re not claiming ownership or redistributing it, and I’m sure they’d argue that this shouldn’t have any side effects.
I’m far from a fan of Comcast but this doesn’t seem like something we have a good legal angle for addressing.
Because they're manipulating content. CFAA is a law that exists to mitigate unauthorized access and obstruction of computer systems... that's how, the same law any ordinary person would face.
Whose systems do you think they’re accessing? They’re not hacking the web server to add that warning: instead, they’re waiting for it to send a reply to you and modifying it as it passes through their systems as permitted by the legal agreement you signed. This is like trying to say DoorDash should be tried for trespassing if they put a flier in your delivery.
Again, this should be illegal but I think we need strong network neutrality laws to make that so. Wishful thinking won’t save us the trouble of passing them.
More like if DoorDash put extra salt or spice on my food, the restaurant owner's expectation of the food's quality and integrity were violated.
With Comcast, the expected privacy of the traffic by the server is violated; until delivered the content belongs to the sender. An intermediary transports content but does not own it, has no right to manipulate it. Vandalizing other people's property is a crime everywhere; the question is does it apply to network packets in transit?
Does changing your DNS modify this behavior? I had some similar issues with Cox in DC, and switching to run everything through 8.8.8.8 resolved the issues. It also resolved a problem with CenturyLink in Seattle where for whatever reason I couldn't speedtest through fast.com.
Nope, they physically open your packets, change the content of the HTML, and send the packets along the way.
Even if you access the IP directly, it still injects code via MITM attack.
I saw the MITM injection from Comcast exactly once and it served as a reminder to go and change the DNS settings on my routers. Never seen the injection since, and I've been on Comcast for years.
Maybe you're right and me not seeing injections could be explained that a lot more traffic goes through SSL/TLS by default, or I'm just not getting close to my monthly quotas any more.
This is related but what is the best trade-off for security vs privacy? Personally, I'd love the ability to inspect what goes over my network and devices. I should be able to choose to intercept/log unencrypted content. (I guess this is actually the NSA-lite argument) With key pinning and HSTS it makes seeing what the content of a packet is really hard. On android you actually have to hack apk's to replace the keys.
It used to be very easy to put everything through a proxy server or mitmproxy and install a certificate on a device. While I value privacy and security it seems like every tech company move to "protect users" is really a way to keep their adware and spyware running on their walled gardens.
Doesn't Fort Collins have municipal internet now? Reading here: https://www.fcgov.com/connexion/ I guess I didn't realize all of Fort Collins wasn't yet covered.
Even if that is a case for this specific user, that doesn't really resolve the underlying issue that is also affecting spaces that have a regional monopoly (e.g. me).
EDIT: I understand that's not your point. And I whole heartedly support people leaving and supporting municipal ISP.
I understand your perspective. I live in Denver and Xfinity and whatever Comcast lets CenturyLink have are my choices. I was initially reacting to the sentence in the post that mentioned that Xfinity was the only available option and that struck me as wrong. I did a bit of research before firing off a post and discovered that my thought was incorrect and based off of incomplete information, but I left it there in case anyone else was under the same impression as me.
1. Grab a cheap VPS with a decent monthly b/w quota and datacentres near you (Linode or Scaleway come to mind)
2. Buy whatever meets your criteria on https://openwrt.org/toh/start and install OpenWRT on it (I use a Mikrotik RB750GR3 with a Ubiquiti UAP-AC-LITE for wifi)
I made a complaint to the FCC about this when they started to do this to me. A month later I got a cookie-cutter response from Comcast, but it felt good to at least cost them some tiny amount of time to need to respond. I ended up moving house to get away.
ISP options are now my #1 factor in deciding where to live, and if Comcast is the only viable option then I'm happy to tell apartment managers I'll look elsewhere.
Their data cap notice interstitials are seriously obnoxious, I ran into the same problems. I'd end up with "stuck" pages where it would just randomly appear even after I clicked close.
What I eventually had to do was open a browser tab with no adblock (perhaps Chrome Incognito), close the notice, restart my router and modem to flush DNS, then flush locally to be sure it's gone. That usually worked.
I noticed this type of notification injection on a mobile phone in the EU for my own personal websites. It strongly pushed me towards implementing LetsEncrypt and redirecting my users to HTTPS. ISPs can't inject anything into the HTML if you force a secure connection (unless they've gotten the end user to install their CA and inject generated certs).
Cox does this as well. I was recently staying at a hotel and they were doing something similar prompting me to rate my experience. I started thinking about standards to make this kind of thing impossible... Ultimately TLS solves this issue. We should be bullish on making TLS standard.
I agree it is "pretty much standard" but the ISPs and other network providers are not doing this with TLS traffic. They are only injecting the scripts in HTTP requests without TLS, at least in my experience.
So the decision then becomes which do you trust more, your ISP, or your VPN provider? I choose to only give my money to businesses which perform in good faith to their customers, regardless of competitive advantages in other areas.
This is happening with BSNL ISP in India. They redirect non-HTTPS pages to phishing sites that claim my computer has a virus. It is just shocking that an ISP will redirect me to a known phishing site.
Did you just upload Comcast’s code to your site, make it publicly available, and glue a GPL license to it? I wouldn’t be surprised if Comcast will try to sue you for that.
I have Cox Internet and they do the same thing when you reach 85% usage. I probably don't see it very often though because most of the sites I'm on are https.
Take a screenshot of your website with this notification injected and send Comcast a standard DMCA take-down request. They are distributing illegally modified copies of your website.
One of the things I tried really hard to do is make the HTML _really_ clean for things like this.
Is reader mode "really good" or do you think it loads very nicely because of the work we put in to make the HTML nice?
I think it's a mix of both. Honestly I vastly prefer Reader mode's presentation than any other layout, and especially any layout which changes if I interact with it (resize window, move mouse, click mouse button, press key, send window to background, whatever).
I have seen some sites that completely break when using Reader mode. I have seen sites that are very well done in Reader mode, complete even with pictures.
I have Xfinity and they’ve done this to me. It only happened to my wife when she was browsing. My data cap has hit 90% this month but I haven’t seen the message. 4K Netflix is no joke and can easily make me hit 1TB.
Safari is my main browser and I recently stopped using Chrome. I believe my wife uses Chrome. Maybe this doesn’t work on Safari?
Purposely sidestepping the entire spirit of the issue is not going to help whatever this is you're doing in the name of The Users With Actually Serious Problems.
The argument is weak, but it's also desperate. These days trying to influence companies often comes down to some argument based on objective costs. "You are modifying my content against my wishes and adding latency to my Internet browsing experience" isn't objective.
Personally I think it is morally wrong, and it also is definitely impacting a person's Internet experience. 1/4 of a second is an eternity if you're sensitive to latency. So yeah it is "that bad", it is ugly, it is intrusive, and it speaks volumes about Comcast.
Pretty sure the Xfinity data cap is 1TB. I just checked, and I've used just over 1.3TB this month (yay streaming TV), no notice, no MTM, maybe I'm .... lucky?
Update: I used 1.6TB the month prior - also no notices. Maybe it's because I have Xfinity at my office too? No idea why they aren't harassing me.
I believe they give you 2 months of going over before they start charging you as a 'warning' that you're over the data limit. Not sure if they warn you if you go over in those two months or not.
The injections were particularly annoying for me because I was planning on getting the cap removed, but wanted to use those two months before doing so. I started getting those warnings about 2-3 weeks in for both months.
In my experience, they do warn you during the 2 months where the overage fee is waived. The injected message might be slightly different to indicate that it is one of your 2 months where the fee is waived.
Egad. If you see my updated comment I went well over last month (1.6TB), and now this month as well. We'll see what they say. Like most people, Xfinity is my only high speed Internet option.
I looked back, and over the summer I used well over 1TB for several months. Not a peep from Comcast. I'm going to shut up now, before Murphy's law applies.
I wonder if the data cap is just at the router level or if they charge you for whenever you use any of the other Xfinity hotspots that they set up on their customers' routers.
If you've gone over before, they will charge you $10/50GB of additional data, capping at $200 more a month.
You can pay them an extra $50/mo to remove the data cap.
This is coming from someone who unknowingly got a $200 bill one month because of Comcast.
I left them and don't regret a second of it. Terrible customer service all around, and just an evil company from the top down, especially after having read Farrow's recent book Catch and Kill.
When I moved to Daly City my options were either Comcast or DSL. I picked DSL (w/ Sonic), at significantly slower speeds. Sonic's DSL is just resold AT&T DSL, which I also hate, but I hate Comcast more.
If my only options were Comcast or dial-up, I'd probably still pick dial-up.
I would love to see the news story about Comcast having fewer remaining subscribers than the DSL provider...
Still wouldn't make them change their practices. I believe they are too far corrupted to ever 'heal', but it would be hilarious if they gave up serving an area because it wasn't economically viable anymore.
Also, the cap is still 1 TB even if you're paying them $127/mo for the 1000 Mbps service, so you may as well just consider that +$50 an extra hidden fee for anything over 250 or 500 Mbps, assuming you're actually using it.
AFAIK, if you have a plan that comes with the Xfinity router, you don't have a data cap. Otherwise, you need to pay for unlimited data (which is pretty hard to explain to the call center people who really want to sell you cable and/or a landline).
> The way this code was implemented, the code blocks the page from loading for 250ms, resulting in a much slower internet experience.
Of all the things to complain about that load on almost every web page you visit this seems like the least of your worries.
I agree this is in poor taste, pretty annoying, and could be leveraged to dupe unsuspecting people into coughing up their Xfinity credentials, but complaining about it slowing down page load is like complaining about the heat in hell.
That’s what I’m saying! I must have really hit a sour nerve, my comment was apparently so bad that it got flagged and my post history was torn through to add tons of downvotes.
This is a valid work around for an invalid problem.
If your ISP is tampering with packets, that is the anti-pattern that needs to be remediated ASAP.
In my opinion, the only packet change behavior that an ISP should be involved in is adhering to QoS headers. 0x08, it's bulk. 0x04 reliability, 0x10 low latency. And if they want to charge me more for 0x04, that is fine if it's clearly spelled out in the contract.
How is the problem invalid? I mean, seriously - those guys spend a lot of money greasing the wheels of your local town council, and they gotta' put food on their plates like everybuddy else.
Status of supreme court case: https://www.scotusblog.com/case-files/cases/dominos-pizza-ll...