Full Disclosure mailing list archives

Charter Spectrum Business HTTP MITM


From: Mark Felder <feld () feld me>
Date: Thu, 01 Oct 2015 22:33:03 -0500

Hello,

You probably don't need to be told otherwise, but do not trust Charter
(or any ISP) with your HTTP traffic even if you're paying for a business
connection and expect internet without tampering or analysis. I recently
started receiving redirects to a Terms & Conditions page on IPv4 HTTP
traffic. My tests indicate they don't do it with IPv6 through their 6rd
Border Relay and of course they can't do it with HTTPS. Surprisingly,
most of my traffic avoids IPv4 HTTP, so I am not sure how long this has
been going on.

They insert RST packets and then redirect you to a page to present you
new T&C they want you to accept. The URL looks like this:

http://tandc-browsermessaging.charter.net/?sub=ctgcw67P4wwQS1UWxrkXpw%7CzDWlBWA5zOMe_UlM2CDTNrvyOKhDVmmHD7FsEYdrkAGchiHqZj0U-x7_udYQ1hOM3hHa-exjfm0I0aU0rNGXvOwNLaMhjs6DcqDCqHFaaNPd_oJPhAW98gaC05D_bhpF-mss5gQIkstxEUxEOpezjQ&originalURL=http%3A//seclists.org/fulldisclosure/&ack=24.217.29.129

I've attached a packet dump of this in action.


Stay safe

Attachment: charter.pcapng


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
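
Added example, not part of the original post: a client-side check that flags the pattern described in the message, where a plain-HTTP request lands on a different host whose query string echoes the requested URL (as the originalURL parameter does above). The function names and verdict labels are hypothetical, and the sample landing URL is constructed from the one in the post with the sub token and ack address replaced by placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

def _norm(url):
    """Lower-cased host and path with any trailing slash ignored."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path.rstrip("/")

def check_landing(requested, landed):
    """Classify where a plain-HTTP request ended up, whatever the redirect mechanism.

    Returns (verdict, echo_param). verdict is 'ok', 'same-host', 'cross-host'
    or 'interception-suspect'; echo_param names the query parameter that
    carried the requested URL back, if one did.
    """
    req = _norm(requested)
    land = urlsplit(landed)
    land_host = (land.hostname or "").lower()
    if _norm(landed) == req and land.scheme == urlsplit(requested).scheme:
        return "ok", None
    if land_host == req[0]:
        # Same host, e.g. an http -> https upgrade or a path change.
        return "same-host", None
    # parse_qsl percent-decodes values, so %3A// compares equal to ://
    for name, value in parse_qsl(land.query, keep_blank_values=True):
        if value.startswith(("http://", "https://")) and _norm(value) == req:
            # A foreign host that knows exactly what was requested. Login
            # pages also echo a return URL, so treat a hit as a lead to
            # confirm in a packet capture, not as proof.
            return "interception-suspect", name
    return "cross-host", None

# Constructed sample: shape of the URL quoted in the post, placeholders for
# the subscriber token and the acknowledged address.
REQUESTED = "http://seclists.org/fulldisclosure/"
LANDED = ("http://tandc-browsermessaging.charter.net/?sub=PLACEHOLDER_TOKEN"
          "&originalURL=http%3A//seclists.org/fulldisclosure/&ack=192.0.2.10")

if __name__ == "__main__":
    print(check_landing(REQUESTED, LANDED))
```

Running the same check against several plain-HTTP canary URLs over IPv4 and again over IPv6 or HTTPS shows which paths are affected, matching the comparison made in the post.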
