Comcast Injecting Code into TLS-Encrypted Pages

A few days ago, I was sharing my screen from my laptop with a colleague, when up popped a notification informing me that Comcast (through its Xfinity brand) was no longer supporting my equipment and instructing me that it had to be replaced.

Now before you jump to any conclusions, let me clarify the exact conditions under which this notification appeared:

  • The notification appeared in a single browser tab
  • The browser was the latest version of Firefox, running on Ubuntu 18.04.1
  • The page was from a server under my control, which my colleague and I were working on at the time. It was completely free of any foreign JavaScript that would have allowed or facilitated a Comcast code injection
  • The connection was encrypted via TLS 1.2 with a secure cipher
  • The TLS certificate on the server side was a current one issued by Lets Encrypt
  • Firefox gave the connection a “green padlock” with no mixed content warnings, as in this screenshot (except that I didn’t examine the cert in my browser at the time like I did when capturing this graphic):
This screenshot was captured at a different time, but is representative of what I saw on the page that Comcast injected its code into recently. The difference is that in this screenshot, I was connected to the same site through a VPN.

Authentic Comcast Notification

I didn’t have the presence of mind to screenshot everything at the time the notification appeared. I wish I had. The fact is that I was deep into a lengthy session with my co-worker, and we were focused on the project at hand.

Also: I was flabbergasted.

Comcast is notorious for injecting code into subscribers’ browsers, most notably to track browsing behavior, display its own ads, and warn users about data caps. But that sort of activity is precisely why the EFF and others have been promoting HTTPS everywhere. TLS encryption should prevent what is essentially a “man in the middle attack” by ISPs like Comcast against its own customers.

None of this was news to me.

And while I didn’t screenshot the “end of life notification” regarding the Comcast-issued on-premise equipment, I did click through from the notification.

In a new tab, I was shown the exact model numbers of the equipment for which Comcast was ending support (i.e. only the model numbers in use at my location, and in the correct quantity), and was taken through a simple “wizard” which offered to send me the replacement equipment in a self-install kit. Although I clicked through to see exactly what it would do, I did not submit the form, instead choosing to click a link which opened this support article about “end of life” equipment in a new browser tab.

Had I not been under time pressure related to the project we were working on (and had I not also been bearing the cost of the person’s time who was on the other end of the active screen-sharing session), I might have taken the time to investigate further. Regrettably, I did not do this. It surely would have netted me the specific lines of code injected into my browser on top of the screenshots which I should have captured, but didn’t.

The bottom line, however, is that the message was authentic. The equipment in question was correctly beyond its end of life, and the notification was being served from Comcast.

Also: my machine is clean. I run very few browser extensions. None of them are known to have any vulnerabilities. And my machine is—by every indication, including clean scans—free of malware.

Exit Xfinity

Rather than requesting a self-install kit with replacement equipment, I packed up the end-of-life gear and took it to a local Xfinity store, cancelling my service.

I’ve had television service with Comcast/Xfinity for the better part of the last decade, and internet service for many years longer.

But I would have cancelled the account much sooner were it not for the utter lack of competition in my area. Broadband service can essentially only be had from 2 vendors at the location in question. They both gouge customers with excessively high fees, exploiting the unfair economics of the situation.

But this incident was the last straw.

Comcast had violated me one too many times. Hopefully they won’t turn out to have been the lesser of two evils. Time will tell. In the meantime, something must be done to level the playing field so that ISPs who don’t egregiously abuse the privacy of their subscribers can compete effectively.

2 Replies to “Comcast Injecting Code into TLS-Encrypted Pages”

    Leave a Reply