The alert embedded into my site.

Comcast Hijacking non-SSL sites to “inform” me

When I opened my browser this evening, I was greeted with popup from my ISP about my data limit. I looked at the code and sure enough, Comcast intercepted the site I was viewing and sneakily inserted javascript to serve the popup to me. From a technical perspective I can see why they did this. It is a surefire way to alert customers because there is no authentication required. You just intercept the private web site the anonymous user it wanting to view, look through the code, and insert whatever you want. Like, tracking information, malware, subtle censorship, or a friendly reminder that Comcast has the ability and the will to edit the content of the the private web pages you view however they see fit. Unless you are going to a site that uses SSL, of course. It is just unsettling and shows that Comcast is willing to Hijack your private Internet traffic. Just because a door is unlocked, it’s not ethical to walk around in someone’s home and leave a creepy note on the kitchen table saying “You left your light on.”

If you see the locked padlock in your URL bar, then they can’t change the content at all because the content is encrypted from your device all the way back to the web server the page is hosted on. That is, if you trust the integrity of the certificate issuer. I’m looking at you, Symantec. I really need to enable SSL on this and lots of other sites I take care of. It is absolutely something that needs to happen in 2017 and with sites like Let’s Encrypt, it’s even free! Although, if your “secure” connection ends/ended up at a server that is/was a part of the NSA PRISM program then you’re out of luck anyway because they just look at your info after it is decrypted at the head end. Good lord, that was a bit of a tangent. I’m on a list now.

Leave a Reply

Your email address will not be published. Required fields are marked *