Slashdot Mirror
Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots
An anonymous reader writes: For some time now, Comcast has setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."
Yet another reason to disable JavaScript from your computing devices.
Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.
On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.
Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.
there are 3 kinds of people:
* those who can count
* those who can't
I don't see why Comcast can't block everything that cannot be injected or block contents to you unless you allow them to separately launch ads using JavaScript.
then take 'em to court.
Did anyone catch the promise in the FrontPorch video ad that customers could use the technology to "gather valuable business intelligence"? Guess it doesn't only deliver ads... it ransacks the device!!!
Those are my principles, and if you don't like them... well, I have others.
I'm sure the terms and conditions you agree to when using their hotspots explicitly grant them permission to do so.
It would be interesting to see what would happen if you browsed a website with Content Security Policy headers on a Comcast public Wi-Fi hotspot.
The technology is new enough that the injection technology might not handle it and thus the browser would block the ad. But if they did, by changing the CSP headers, the website might have a stronger case for suing Comcast since they would be explicitly bypassing a security technology.
This must be illegal, since it modifies copyrighted content before delivery to the consumer. If this happens to your site, sue them for violating copyright. Can you imagine what it would do to a ad-free website's reputation to have some ads injected into it? This is an attack on web publishers.
So now the Internet is complaining that the wifi access points they're totally not going to use because comcast is morally wrong to share your broadband without your permission is injecting ads into the experience. How do you know?
Yes, definitely. Also, it violates the policies of ad-free sites to not subject their visitors to ads. Websites will not be able to maintain their terms of service. For example: if you pay the website for an ad-free subscription, and Comcast then injects ads, your customers are screwed.
An ad-blocker is for personal use -- kind of like marking a page in a book that you're reading or removing a picture because you don't want to see it. Systematic modification of copyrighted content before delivery to customers is definitely criminal.
That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript. Maybe Privacy Badger or Ghostery can block it.
Comcast are serving ads with Doubleclick? Start a campaign to put pressure on Google to disallow the practice. DNS highjacking is another serious problem. T-Mobile and MetroPCS are going that at the moment. I get a page of T-Mobile ads when I try to search Google on my phone.
That should go over really well for internet banking and other security sensitive uses.
Well, since I write a system that uses HTTP:80 calls to send JSON and XML to AJAX handlers, if these systems piss ads into that stream, we'll have a problem...
Always make sure your session cookies are tagged with HttpOnly, so Javascript code has no access to them.
From a user of a wifi hotspot's point of view, use a VPN or only browse HTTPS sites.
Just that the fine print for the Hotspot portal associated with the "agree" can contain a lot more than you can ever imagine. We are lucky they didn't include stuff like "by using this service you agree to let us modify everything of the operating system of your device(s)."
Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.
Generically, for instance, if the ads injected were coming from ads.comcast.net one could simply add a line to the hosts file:
0.0.0.0 ads.comcast.net
Wouldn't this prevent the ads from loading to begin with? I mean sure it's a little more difficult on phones and tablets but regular PCs it should be at all difficult to make this edit.
Since I'm apparently in a generous mood, for windows users, open an "administrator command prompt" and paste in the following line. You should be able to save the changes. If not the you might have take off the read-only flag. Sorry, it's been a while since I set it up on a fresh install.
notepad c:\Windows\System32\drivers\etc\hosts
Or do like a real geek and pipe all network traffic coming in to windows through a (properly configured) pfSense virtual machine.
"UNIX is very simple, it just needs a genius to understand its simplicity." -Dennis Ritchie
Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.
You're not the only one who uses hosts files like this. When Flash ads first appeared on Slashdot, I started blocking servers that send Flash ads. (I'll never buy Splunk because it was the first thing I ever saw advertised in a Flash ad.) I've since switched to click-to-play plug-ins for that, but I have written a few thoughts on how to make hosts file parsing more efficient than it currently is.
Alex P. Kowalski (APK) has long been an advocate of using hosts files for DNS blacklisting and acceleration, and his tool for Windows aggregates multiple sources over a million lines long. It also looks up the IP addresses for commonly accessed sites and caches them locally. He claims that his tool is more efficient than DNS because the operating system's hosts file parser allegedly runs in kernel space (fewer context switches) and the most commonly accessed sites (good or bad) are at the top of the list.
But lately, Windows Defender has been reverting the hosts file so that malware can't use the hosts file to redirect Facebook and the major webmails and "steal" users' credentials that way. You have to opt out of hosts file protection if you want to continue using APKware.
Sometimes when I log into Yahoo mail (https log-in page), the secure icon in Firefox changes from padlock to exclamation mark. Same problem on Twitter, the https turns into an exclamation mark. This is a permanent problem on Google Image search. The worst thing about this problem is in Yahoo. When I press tab and am about to fill in my password, the caret jumps from password field to username field, which means part of my username now has appended to it part of my password. I only notice that after hitting Enter and the screen returns an invalid login error. My suspicion is that my ISP has somehow managed to inject a tiny Java script into my https log-in page. In Facebook, sometimes my first login attempt doesn't even register, so I have to hit Enter again. Is that me being too paranoid?
Even if Comcast doesn't have any malicious intent
Of course they have malicious intent; they are inserting ads where previously there were none. Isn't that malicious enough for you?
... of using https for everything. I do now.
conservation of evil. It has to go somewhere. Comcast seems to be at the root of every bad deed these days. I think we figured out that google is dumping its evil quota on comcast.
Some drink at the fountain of knowledge. Others just gargle.
https everywhere
To bad you can't use https for slashdot. Redirects back to http. (And after all their own coverage of NSA spying?) FAIL.
Why do you think this would be your ISP and not some malware on your computer or a neighbor phishing you? Have you bothered inspecting the traffic to see what gets sent back and forth?
I was promised a flying car. Where is my flying car?
Who uses an unsecured, unencrypted wireless network without tunneling all of the traffic through a VPN anyway?
Microsft spel chekar vor sail, worgs grate !!!
Or just always use https.
There's no fucking reason not to.
Yes, use the NoScript add-on for Firefox.
But the subject is about Comcast abuse. Here is just one example, from Comcast's "Automatic Payment Terms & Conditions", retrieved a few minutes ago:
"6. COMCAST SHALL BEAR NO LIABILITY OR RESPONSIBILITY FOR ANY LOSSES OF ANY KIND THAT YOU MAY INCUR AS A RESULT OF A PAYMENT MADE ON ITEMS INCORRECTLY BILLED..."
Most people don't have time to read legal language. Many would not understand it fully. It is overly broad. And, in my experience, Comcast often tries to over-bill.
My opinion? Chairman and CEO Brian L. Roberts (The page jumps around if you move the mouse over the menu.), and Tom Karinshak, Senior Vice President of Customer Experience at Comcast (See the bottom of the page.), should be removed from office.
Another example: The Login page has a link at the bottom left, Contact Us. As of Tuesday, September 9, 2014, 4:18 am Pacific Time, it is a dead link.
From the Wikipedia entry for Comcast:
"In April 2014, Comcast was awarded the 2014 "Worst Company in America" award; an annual contest by the consumer affairs blog The Consumerist that runs a series of reader polls to determine the least popular company in America."
More from the same Wikipedia article:
In 2004 and 2007, the American Customer Satisfaction Index (ACSI) survey found that Comcast had the worst customer satisfaction rating of any company or government agency in the country, including the Internal Revenue Service.
Now if those @#*$&! at Mozilla gave me that convenient checkbox to enable/disable Javascript without having to mess with about:config, I'd have one gripe less.
Then you should use the NoScript plug-in which automatically blocks JavaScript from sites you visit (except certain white list sites and you may have to block them yourself). Besides, the plug-in remember what you have set it up (allow/not allow) even after the browser update (thump up for the developers to keep up with the browser). It is a simple workaround.
"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
If browsers treated HTTP GET nowadays like they have treated HTTP POST (i.e. pop up an annoying modal dialog that says "This connection is untrusted. Are you sure you want to continue?"), I daresay this would motivate everyone to move to HTTPS.
The problem is the web of trust and the cost of getting certificates. There needs to be a mechanism for getting a free or trivial cost certificate if you are not a corporation.
Now if those @#*$&! at Mozilla gave me that convenient checkbox to enable/disable Javascript without having to mess with about:config, I'd have one gripe less.
Consider your request granted. QuickJava puts buttons to enable/disable Flash, JavaScript, Java, Silverlight, etc., etc. on the menu bar.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Yet your HOSTS file still fails to deal with the additional whitespace it creates.
You're still a failure. Your HOSTS solution basically turns any website into fucking Slashdot Beta.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
FACT: APK's Hosts file turns almost any website into a horrible version of Slashdot Beta, with all that white space and broken-up article text.
It's about the ONLY thing the HOSTS file he made is good for.
Common Sense 2014 - far superior to HOSTS in any way, shape, or form. Intelligent, efficient, and much more able to asses a situation to determine if it poses a problem.
Wetware>HOSTS
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
"a superior solution that also fixes DNS redirect security issues"
Guess what's more superior? Having the actual brainpower to remember the addresses by number, not domain name.
Your brain must be pretty weak, considering that crutch you're leaning upon.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I don't disagree that hosts file might not be better, adblock is just a very simple solution, for non Slashdot users, my point is simply that I am not interested in working around the problem, I would be more interested in solving the problem at the source.Clearly ISPs are lacking proper regulation, net neutrality is being allowed to be destroyed, by a lack of response to such things.
“To ensure your security, in order to use our service, you must follow these simple instructions so that your system will trust our security certificate.”
Then MitM every SSL request. There’s commercial carrier grade hardware that will carry out the MitM & injection, and I’d bet you get a huge portion of users who blindly do it. SSL be damned...
Easy fix for them: Whitelist of banks, etc. to not run injection on. They get to claim they’re preserving security for important sites while still injecting adds on everything else. Pretty sure most non-geeks would fall for it.
It drives me nuts that I have to give my cable company (TW) rights to modify the DOCSIS cable modem I bought & own by pushing TFTP configurations down to it. I can’t even imagine giving them ownership of a device that connects directly to the green side of my network that they can modify any time they want.
You can have my old PC router when you pry my cold dead fingers off it...
You know you can just buy your own DOCSIS cable modem and not pay them a monthly lease (and pay for the extra electricity), right?
After a few pages of spam from you I just have one question:
Does your host file based solution block your fucking annoying Slashdot comments?
FACT: APK's Hosts file turns almost any website into a horrible version of Slashdot Beta, with all that white space and broken-up article text.
No it doesn't. Screenshots or STFU.
"see subject-line then & upgrade to a modern browser is my suggestion "
Uh, yea, about that, using the latest version of Firefox.
See, you're so stupid you have to assume I'm running outdated software.
Also, your HOSTS file does nothing if the ads are served from the root of the domain. What're you going to do, block the entirety of the site? Good luck reading it!
Common Sense 2014 - still 300x superior to any HOSTS file.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I'm not stupid enough to utilize APK's nimrod HOSTS file.
Betting you are, though.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I use NoScript, and only allow Javascripts that I trust.
I am also a Comcast customer. The cable connection is through an old, weak cable that goes through the apartment downstairs, and it slows down my connection a bit, but that is tolerable. To fix it, they would have to rip apart the walls in a bedroom occupied by an eight-year-old girl, and I don't want to put any child through that trauma. If I allow Comcast to share my cable connection, then I might be slowed down to an unacceptable level.
Also, their new cable modems DO NOT come with a battery backup -- they make you buy the battery from them.
They say that nobody can take advantage of you without your permission. Well, I'm paying enough in cable bills, and I'm not going to let them. Unfortunately, FiOS is not available in my apartment complex, so Comcast has a monopoly.
Hah.
You know what's more secure than your shit HOSTS file?
Text-only browser.
Probably twenty or so times faster, too.
I don't need to prove anything when Wikipedia outright rejects your inanity.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
"Using my free hosts program it PROTECTS HOSTS vs. infestation ontop of Windows File Protection doing so as well, fool..."
Uh, you very apparently know nothing about LEAST privileges.
Are you too stupid to see the easy-enough for a five-year-old to beat vulnerability you have? It won't protect against MITM, DPI, or other forms of attack.
One day you might have a site whitelisted, the next day it's taken over and your next visit gets you infected (because you're likely the kind of person that *THINKS* you're safe when in reality you are not.)
Simple logic defeats you any time you open your mouth. This is why you're banned from /., Wikipedia, and other places.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I'm not stupid enough to utilize APK's nimrod HOSTS file.
Betting you are, though.
So you don't use it yet you claim it breaks things?
Yeah, keep being a dumbass.
I'm pretty clue-less in this so I'll just ask straight up...
Is it not against the laws in some ways that Comcast does this? What is the Justice Department and the rest of government authorities going to do about it?
Also, your HOSTS file does nothing if the ads are served from the root of the domain. What're you going to do, block the entirety of the site? Good luck reading it!
A lot of Slashdot users have told me that if a site has objectionable ads that slip past the ad blocker, they will in fact just leave the site and not come back. I've done that, for example, to www.facebook.com in my laptop's hosts file.
In the context of ad blocking, "whitespace" appears to refer to the fact that even if the computer's DNS resolver has blocked a GIF, SWF, or iframe from loading, the pixels that the blocked object occupies remain allocated to it. This leaves an ugly blank box behind where the ad used to be. I'm guessing that Khyber prefers ad blockers that rewrite the HTML DOM to remove the box entirely.
[Client-side DNS blacklisting] won't protect against MITM, DPI, or other forms of attack.
What sort of man-in-the-middle attack are you referring to? Hosts protects against DNS MITM (admittedly by being one). HTTPS protects against HTTP MITM on sites that support it (such as Reddit). And Perspectives protects against HTTPS MITM.
Just as Nimrod was "a mighty one in the earth [and] a mighty hunter before Jehovah" (Genesis 10:8-9) who helped Asshur build Assyria, APK Hosts File Engine is a mighty hunter of bad hosts that helps build a wall against malware.
Yea, meanwhile, Comcast's Xfinity injection attack TOTALLY bypasses your HOSTS file. How're you going to stop that, dumbass?
Here's what your HOSTS file does to websites: http://i.imgur.com/BMR5Qnc.png
Again, my point is 100% proven. You are 100% full of shit.
I run and design websites for a job. Guess what? Your HOSTS file idea, long before you started spouting it, was one of the first things for me to bypass, by request of my employer.
And the fun part is, I can keep ads from showing to you long enough for you to whitelist the site, and then slam your ass with ads anyways. See a new IP address? No ads displays for several visits, then BAM show ads on your 5th visit from that IP.
Absolutely trivial to implement in PHP and AJAX. Takes eight lines of code. I could probably do it in two if the web supported brainfuck.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
HOSTS *IS* A MITM, you fucking idiot. Can't protect against MITM when you're utilizing one in the first place. You're exploitable.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
An amateur edited site known to be full of inaccuracies
Ad hominem. Did you try following the chain of sources that Wikipedia cites?
Comcast's Xfinity injection attack TOTALLY bypasses your HOSTS file.
How is Comcast going to inject into an HTTPS session without my browser's certificate verifier smelling a rat?
And the fun part is, I can keep ads from showing to you long enough for you to whitelist the site, and then slam your ass with ads anyways.
At this point I'm ready to split the difference. I agree with APK that hosts is a useful first line of defense, but I agree with you that it doesn't do everything. HTTPS and Flashblock are the next lines.
Normally DNS requests are sent from the browser to the operating system's DNS resolver to the public DNS servers. Hosts has the same effect as a man in the middle at the level of the operating system's DNS resolver.
"Just add the new domains into hosts & boom - no more ads, simple."
That doesn't stop HOSTS when the ads are being served from the root of a domain. You do know what the root of a domain is, yes?
No wonder your shit got canned from Wikipedia. You don't even know web basics.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
It's in the middle because it's checked before DNS. It's not MITM in the strict sense, but it has the same effect.
You don't have to explicitly state it to imply it, moron. This is why you're banned from /. and Wikipedia, you're too stupid to understand. Take your autism and go elsewhere.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Hah. You think you're secure.
SFP/SFC bypass. How the fuck do you think Blaster worked on XP?
It is also possible to differentiate HOSTS file resolution vs DNS resolution, and bypass by forcing you through a proxy. Your HOSTS will not bypass this.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
CheckPoint HTTPS description states that the proxy "Creates a new SSL certificate for the communication between the Security Gateway and the client, sends the client the new certificate and continues the SSL negotiation with it [...] you must deploy [your Security Management Server's root certificate] in the Trusted Root Certification Authorities Certificate Store on the client computers." This is MITM, and Comcast is going to have a hard time getting the required root certificate installed on everyone's browser.
I think you need to learn the the value of being approximate with language for the purpose of illustrating a point. Though hosts is part of the IP stack on many platforms, it's like a DNS MITM in that it returns a response before the configured DNS server has a chance to see the request. It has the same net effect as a DNS MITM that a machine's administrator controls.
In the strict sense, hosts is not the same thing as a transparent proxy, which is what MITM originally meant. But hosts, software firewalls, dedicated firewalls, and transparent proxies have similar effects on an Internet connection. It appears we're missing a good name for the larger category.