Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Comcast is proxying all unencrypted content

0
0

I originally posted this on the originally unsecure platform, facebook . I should edit this for grammar, but I just wanted to bang it out, because you know... job/work.

I cannot stand #comcast, no one that knows me finds this surprising, I'm forever ranting about them. The fact that Comcast is the only option for so many people is ridiculously sad. My job requires me to be on the internet constantly, I do a lot of security research and general research.

Today, I found the most horrific thing a security nerd can find. Comcast is FORCING all unencrypted traffic through Comcast proxy servers. I don't have a choice, I wasn't asked, or notified (I'm sure the TOS that's 938429 pages long mentioned it). This enables Comcast to inject anything they want into your unencrypted web browsing.

If you want to see technical details about what these jackholes are doing, see here: https://gist.github.com/bdmorin/7bd16b34cf75c0f6dd56155301793c4d

I tested a popular website, tvmaze.com (a http only website) with and without a VPN on, and the difference in HTML delivered was comcast HTML injection, which included 3rd party asset calls, analytics tracking, etc.

I want to protect my entire network (including all those people in my home) against this kind of absolutely unacceptable spying, however it gets fugly, because as cord cutters, we use streaming services, and Netflix and Hulu are NOT VPN friendly. These services actively block VPNs because viewers can appear to be in a different geological location (ODIN FORBID YOU NOT BEING AN AUTHORIZED AREA), so if I run my whole house through a VPN, then we won't be able to use streaming services.

I've been considering deploying a local forced proxy for any port 80 traffic to be forced through a VPN connection at MY gateway and not comcast's. Nearly every streaming service uses HTTPs, so this wouldn't diddle with streaming services.

The point of this rant is to SHAME comcast, not that they care in the least about consumers. You may constantly see ads for VPNs as you browse online, and these are the reasons why, you absolutely CANNOT trust your local service provider when it hijacks your content and modifies it before it gets to you. Ask China what it's like to have all your traffic monitored and modified before it gets to you. Comcast could potentially change anything before you have a chance to read the original version. If Comcast obtains a CA that browers accept, they would then be able to hijack your HTTPS connections, which is ABSOLUTELY concievable at this point.

Websites that use web application firewall services like Cloudflare are also subjected to this kind of risk. Cloudflare inspects all traffic to and from source servers, so it's a single point that could modify, track, and potentially block content. If a BlackHat were to compromise Cloudflare, thousands of ecommerce businesses could be at risk of having traffic snooped. Same with Comcast, if (AND WHEN) they are compromised, they could modify YOUR traffic so that you're seeing what someone else wants you to see.

Trust no one. Especially worthless corporations like Comcast.


Viewing all articles
Browse latest Browse all 12749