Comcast is the honey badger of ISPs – injects pop-ups into browsers, doesn't give a fsck

As an ostensible courtesy to internet customers now facing 1TB monthly data caps, Comcast has begun notifying those approaching their quotas through popup browser windows.

But the way it delivers those messages – injecting web code into the customer's browsing session – undermines online security, said iOS developer Chris Dzombak in a blog post on Tuesday.

In November, Comcast expanded the areas in the US where it implements data caps for internet customers to 28 states, a practice it has been experimenting with for several years. The notifications provide a practical way for Comcast to keep customers apprised of dwindling data rations, and have previously been used for malware warnings.

Dzombak points out that Comcast described its injection technique in an informational RFC (6108) to the IETF in 2011. He suggests that Comcast submitted the RFC to legitimize its practice, which he likens to man-in-the-middle attack.

"This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse," said Dzombak. "Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer's Comcast account and which might ask for financial information."

Dzombak argues that Comcast's notification format could easily be co-opted and spoofed by an online attacker. Comcast customers, accustomed to interacting with such popup windows, would presumably be more trusting of such interaction and thus more susceptible to social engineering.

"Unfortunately, when such a notification appears on a non-Comcast web page, it's very difficult for an internet user to ascertain whether the notification is legitimately from Comcast," said Dzombak in an email.

In response to a query about the practice, a Comcast spokesperson via email told The Register, "This has come up in the past and is not new."

@cdzombak FWIW we've done a lot of those over the years, mostly 2 warn of poss. malware infection. But ur points are fair. (see next tweet)

— Jason Livingood (@jlivingood) October 7, 2016

Last month, Jason Livingood, Comcast's VP of tech policy and standards and one of the coauthors of the RFC, offered a less dismissive response. In a Twitter thread, he acknowledged Dzombak's concerns, saying "[your] points are fair."

In any event, Comcast's days of injecting web content appear to be numbered. As Dzombak observes, content injection doesn't work with HTTPS websites and, thanks to Google, Mozilla, and other tech companies, more and more websites are supporting HTTPS. Using a VPN will also keep Comcast out of your broadband's connections. ®