Interesting People mailing list archives
Re Comcast is injecting 400+ lines of JavaScript into web pages
From: "Dave Farber" <farber () gmail com>
Date: Sun, 10 Dec 2017 20:43:58 -0500
Begin forwarded message:

From: "Livingood, Jason" <Jason_Livingood () comcast com>
Subject: Re: [IP] Fwd: Comcast is injecting 400+ lines of JavaScript into web pages
Date: December 10, 2017 at 7:46:20 PM EST
To: "dave () farber net" <dave () farber net>, ip <ip () listbox com>, "gumby () henkel-wallace org" <gumby () henkel-wallace org>

Dave – For IP if you like.

The Comcast web notification system has been in place for nearly a decade and seems to be discovered anew every 6 – 12 months. It was initially used for malware notifications (see 2009 story at https://www.cnet.com/news/comcast-pop-ups-alert-customers-to-pc-infections/) and since then has been used for other service-critical notifications. These have been a particularly effective communication channel in response to malware infection, such as following the FBI’s takedown of the DNS-changing Alureon botnet in 2012 to urge customers to take action to prevent the loss of their Internet service and to remove the malware.

The issue that the customer is concerned about in this instance is a notice used to inform customers of the need to replace a cable modem that is end-of-life / end-of-service (e.g. prior to disconnect) or cannot support the speed of their service tier. In many cases, these are DOCSIS 2.0 devices that may not have had a software update in 5 – 8+ years and for which the vendor no longer provides support – DOCSIS technology that dates to the era of Windows XP. IIRC, that particular web notification is sent only after the customer has not acted upon several prior email communications.

The system was documented as transparently as possible in RFC 6108 at https://tools.ietf.org/html/rfc6108 (prior to launching it we briefed several outside organizations and solicited their feedback). That informational document explains how it works and alternatives considered.
The primary alternatives at the time were pervasive in-line DPI and using a walled garden for the notification (which would cut off all Internet access until a customer took action), neither of which seem that great in comparison.

For many years – in fact since the inception of the system – we have said that it is imperfect and have been trying to work to find better alternatives. On this front, the IETF recently created a new Captive Portal Interaction working group (https://datatracker.ietf.org/wg/capport/about/), in which we are involved and that I’m hopeful will develop better and more standardized methods that we might use in the future.

- Jason

P.S. for David who forwarded this to your list – My response in our user forums in my view was meant to be informational. I certainly did not intend it to be tone deaf and self-righteous and am concerned that it would be interpreted as such. I’m open to direct feedback on how you think I could have replied differently; I’m always learning. You have my email now – feel free to reply directly to share any advice. I’ll reach out via LinkedIn as well.

On 12/10/17, 6:14 PM, "Dave Farber" <dave () farber net> wrote:

---------- Forwarded message ---------
From: DV Henkel-Wallace <gumby () henkel-wallace org>
Date: Sun, Dec 10, 2017 at 10:53 AM
Subject: Comcast is injecting 400+ lines of JavaScript into web pages
To: David Farber <dave () farber net>

Apparently Comcast feels it gets to decide what I should see on the web pages I choose. Injecting random *executable content* is no different from providing other editorial “improvements”.

The response from Jason Livingood, who should know better, is particularly tone deaf and self righteous.

Unfortunately where I live my “choices” are Comcast and sub-384kb AT&T DSL (despite being less than a mile from the CO and the PAIX for that matter).
A snippet from http://forums.xfinity.com/t5/Customer-Service/Are-you-aware-Comcast-is-injecting-400-lines-of-JavaScript-into/td-p/3009551 (code is included downthread).

Are you aware? Comcast is injecting 400+ lines of JavaScript into web pages.

I just learned of this despicable Comcast practice today and I am livid. Comcast began injecting 400+ lines of JavaScript code into pages I requested on the internet so that when the browser renders the web page, the JavaScript generates a pop up trying to up-sell me a new modem. When you call the number in the popup, they're quick to tell you that you need a new modem, which in my case is not true. I later verified with level-2 support that my modem is perfectly fine and I don't need to upgrade.

As deceptive as that is however, my major complaint is that Comcast is intercepting web pages and then altering them by filling them with hundreds of lines of code. Even worse is that I've had to speak to 7 different supervisors from all areas of Comcast and they have either never heard of the process, or those who were aware of the practice don't know how to turn it off.

Sent from my iPad

This message was sent to the list address and trashed, but can be found online. <https://www.listbox.com/login/messages/view/20171210194629:B7610914-DE0C-11E7-88B1-96275678BBE7/>