I was strongly reminded about the scariness of non-secure websites the other day.
I’m using Xfinity as an internet service provider, and they give you a device that is both a cable modem and a router.
Here’s a tiny bit of backstory. I use a VPN, and I discovered that in using their modem directly, the VPN wouldn’t work. I’m not sure why. I didn’t dig into it very far, because I have a modem of my own I’d prefer to use. So I plugged that in, which worked… but not particularly well. The connection was spotty and slow, even right in my own house.
I think (maybe?) it was competing WiFi signals from the two routers sitting right next to each other. Don’t quote me on that. The reason I think that is because, fortunately, I was able to turn off the router on the Xfinity device, and that solved the problem. The speed and connectivity were back. To their credit, it was really fast. The Xfinity device has a feature called “Bridge Mode” that is specifically for turning off the router so that you can use your own. I was able to enable that, use my own router, get the speed back, and connect to the VPN.
Win! That lasted for a few months. Then recently there was some weird big internet outage in our area. Xfinity notified us about it. They had to push some updates or something to our device, and that broke everything again. I struggled with it for days, but what ultimately worked was turning off Bridge Mode, and turning it back on again (isn’t it always?).
In those in-between days, the only thing I could figure out to get online was to connect to the SSID “xfinitywifi” that this router seemed to be emitting. This “xfinity” network is unusual because it behaves kinda like a coffee shop or university hotspot in that it pops up that weird browser modal and you have to log in with your (Xfinity) credentials. It’s a value-add kinda thing for their service. Their routers are dotted all over the place, so if you’re a customer of theirs, you get internet (“for free”) a lot of places. My fiance was at the doctor the other day, and she was using it there.
If that’s the network you’re connected to, Xfinity performs man-in-the-middle attacks on websites to send you messages. Here’s an example of me just looking at a (non-secure) website:
Man-in-the-middle, meaning this website had no such popup in its code. Xfinity intercepted the request, saw it was a website, and forcefully injected its own code into the site. In this case, to advertise an app and to tell you about security. Oozing with irony, that.
If they can do that, imagine what else they can do. (Highly recommended listening: ShopTalk #250) They could get even more forceful with advertising. Swap out existing advertising with their own. Install a keylogger. Report back information about what you’re doing and where you are. You might not even know if anything is happening at all.
This might seem a little tin foil hatish, but realize: they’ve already been incentivized to do this. All the incentive is there to keep milking value out of this superpower they have.
Some good news: Individual websites can stop this with HTTPS. That’s a massively good step. With HTTPS, the traffic packets are encrypted and Xfinity can’t read or manipulate them effectively. Through metadata, they might be able to guess what they are (e.g. know you’re streaming a video and throttle speed), but there isn’t much else they can do.
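Because an injected page differs from what the site actually serves, the tampering is easy to spot if you have a trustworthy reference copy (fetched over HTTPS, or from a network you trust) to compare against. The script below is an added example, not code from the original post: it parses both copies with the standard library and reports script URLs, inline script/style blocks and image hosts that appear only in the copy seen through the hotspot, which also covers the inlined-asset and image-proxy rewriting some ISPs do. The two HTML samples and the isp.example hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _Collector(HTMLParser):
    """Collect external script URLs, inline script/style text and image hosts."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.img_hosts = set(), [], set()
        self._block = None  # "script" or "style" while inside an inline block

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(a["src"])
        elif tag in ("script", "style"):
            self._block = tag
        elif tag == "img" and a.get("src"):
            self.img_hosts.add(urlsplit(a["src"]).netloc or "(relative)")

    def handle_data(self, data):
        if self._block and data.strip():
            self.inline.append((self._block, data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._block = None


def find_injected(reference_html, observed_html):
    """Return what the observed copy contains that the reference copy does not."""
    ref, obs = _Collector(), _Collector()
    ref.feed(reference_html)
    obs.feed(observed_html)
    return {
        "new_script_src": sorted(obs.scripts - ref.scripts),
        "new_inline": [b for b in obs.inline if b not in ref.inline],
        "new_img_hosts": sorted(obs.img_hosts - ref.img_hosts),
    }


# Constructed samples: the page as the site serves it, and the same page as
# seen through a hotspot that injects a notice and proxies images.
REFERENCE = """<html><head><link rel="stylesheet" href="/site.css"></head>
<body><h1>Hello</h1><img src="/logo.png"></body></html>"""
OBSERVED = """<html><head><style>body{margin:0}</style></head>
<body><h1>Hello</h1><img src="http://proxy.isp.example/logo.png">
<script src="http://notice.isp.example/inject.js"></script>
<script>showNotice("Install our app");</script></body></html>"""

if __name__ == "__main__":
    for kind, items in find_injected(REFERENCE, OBSERVED).items():
        print(kind, items)
```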
It’s not just this one indiscretion; Xfinity also uses this tactic to send you other messages.
@chriscoyier @XFINITY also how they warn you about bandwidth or billing issues. not fun.
— David Bisset (@dimensionmedia) February 24, 2017
@chriscoyier @XFINITY I have seen an ISP adding ads to bing home page. 😕
— AKT (@itsakt) February 25, 2017
It’s this double whammy of scary:
- Seriously?! You require me to have a box in my house that broadcasts a public WiFi hotspot that I can’t turn off? (You’re automatically opted into it, but you can turn it off.)
- Seriously?! You use that hotspot to perform man-in-the-middle attacks on anybody using it?
I’m sure it’s not just Xfinity; it’s just what I’m using now, and I have now seen it with my own eyes. To be clear, I’m sure I signed something that allows them to do everything they are doing, and I don’t think anything they are doing is technically illegal (again, don’t quote me on that).
Being upset at them, and telling them about it, is a good step. Fighting back is another. Internet access is vital, so you have to use something, but if you have an option, is there an ISP that doesn’t do this available to you? Use them. Money talks.
Again, HTTPS solves this on a per-website basis. Jeff Atwood sums this up pretty well:
You have an unalienable right to privacy, both in the real world and online. And without HTTPS you have zero online privacy – from anyone else on your WiFi, from your network provider, from website operators, from large companies, from the government.
The performance penalty of HTTPS is gone, in fact, HTTPS arguably performs better than HTTP on modern devices.
Using HTTPS means nobody can tamper with the content in your web browser. This was a bit of an abstract concern five years ago, but these days, there are more and more instances of upstream providers actively mucking with the data that passes through their pipes. For example, if Comcast detects you have a copyright strike, they’ll insert banners into your web content … all your web content! And that’s what the good guy scenario looks like – or at least a corporation trying to follow the rules. Imagine what it looks like when someone, or some large company, decides the rules don’t apply to them?
The move to HTTPS is non-trivial, and introduces somewhat complicated dependencies. It’s easy to forget to renew your certificate and break your entire website just like that. I’m not arguing against HTTPS (exactly the opposite), but you should know that it requires some upfront work and some diligent maintenance.
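An expired certificate is the most common way that “diligent maintenance” fails, and it is cheap to catch early. The check below is an added example, not code from the post: it connects to a host, reads the served certificate’s notAfter date and reports how many days remain, flagging anything inside a renewal window. The hostname on the command line is a placeholder; the dates used to exercise the arithmetic are constructed.

```python
import socket
import ssl
import time


def days_until_expiry(not_after, now_epoch=None):
    """Days left on a certificate. `not_after` is the 'notAfter' string
    ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2025 GMT' (UTC)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((expires - now_epoch) // 86400)  # negative once expired


def needs_renewal(not_after, warn_days=14, now_epoch=None):
    """True when the certificate expires within warn_days (or already has)."""
    return days_until_expiry(not_after, now_epoch) < warn_days


def check_host(host, port=443, warn_days=14):
    """Connect, read the certificate the server actually presents and report
    days left. Default context verifies against the system trust store, so a
    broken chain or hostname mismatch raises instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return days_until_expiry(not_after), needs_renewal(not_after, warn_days)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    left, warn = check_host(host)
    print(f"{host}: {left} days left{' - RENEW NOW' if warn else ''}")
```

Run it from cron against each site you host and alert on the warning; Let’s Encrypt’s 90-day certificates make a 14-day window a sensible default.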
If you’re on WordPress like me, I wrote up how I moved to all-HTTPS going on two years ago. It involved a little database work even, getting URLs pointing to the right places.
SSL certificates (the main prerequisite for HTTPS) also have traditionally cost money. No more! Let’s Encrypt is here:
Let’s Encrypt is a free, automated, and open Certificate Authority.
There is an in-progress WordPress plugin for it. Let’s hope that gets off the ground. Just a few days ago I used the Let’s Encrypt Plesk extension to put HTTPS on ShopTalk’s website and it took me like 5 minutes. I’ll have to write that up soon.
Also check out the really excellent Moving To HTTPS Guide:
A community site to help site owners migrate to HTTPS with a simple tested process. Allowing you to filter the plan based on multiple platforms (WordPress, Magento, and more), hosting environments (cPanel, Apache, and more) along with the level of control / access you have over the site.
Re ‘require me to have a box’ – you can run your own modem as long as it meets their specs (a lot of DOCSIS 3s do). Nothing to do with your main point which is that their practices are to be avoided, just thought I’d mention it
They have made it increasingly more difficult especially if you have a bundled digital voice and need to find a supported modem.
I was getting an error trying to go disable that dumb public wifi just now, and then your comment made me remember I’m using my own modem.
My mobile ISP (SFR, in France) lets me use my phone as a wifi router. That’s cool, except it is not: they do the same things and modify the code of HTML files downloaded in the browser. Worst of all, this is not visible. They don’t display any popups, they just “optimize” the page’s code.
But they do it very wrong: they inline the content of all the css and js files in <style></style> and <script></script> tags. Why? WTF knows, I think it is made to reduce the number of http queries, but by doing so they force me to download all css and js files from all websites on every click… even libraries like jQuery! They also change all <img> src to make all images go through a web proxy server that compresses them more (and makes them ugly, and sometimes broken). This is crazy. And I have been fighting with them for 5 years about that. And they didn’t change anything. HTTPS sure is the solution to that.
And to work around the “problem,” Comcast forces users to install a “Xfinity Security Protection” root certificate…
Let’s not give them ideas. ;P
It seems pretty likely that Comcast already has the idea, especially if they’re installing a root certificate. If the router is configured to work as a proxy, it CAN decrypt SSL traffic passing through it. Here’s an explanation: http://community.lightspeedsystems.com/lessons/ssl-explained-trusted-man-in-the-middle-proxy/
@Sam What you posted about decrypting SSL traffic passing through is plain scary. Had no idea that the web filter can intercept the original certificate and then create its own certificate based off the original cert. Surely there must be some kind of protection from this; highly secure sites and certs cost a lot and I am sure if cert providers cannot find a way to deal with this there will be a loss of money quickly, luckily that is where businesses react fastest as opposed to Gilles from France who by now is most possibly the running gag at that messed up French ISP support centre. These are some quite worrying developments. I count on the community and open source, freedom of speech and most of all privacy evangelists to fight back. The net is ours.
Really, ISPs injecting content in HTML pages is very douchebag-gy. It should be forbidden by law. Or at least made optional.
For the US, it will never happen with Ajit Pai leading the FCC. In Europe, there’s still a chance.
If you mean “EU” keep in mind that the law of many states (like almost all except the Netherlands) makes data retention a mandatory reality. If you mean the continent, well OK there’s still Switzerland and Iceland. Laws are quite good there.
But don’t count on the EU for very privacy-aware decisions.
Hey Chris, thanks for the support of the moving to HTTPS guide!
If you have any ideas to improve it let me know
Interesting story. I use Xfinity as well, but with my own modem. Internet only! I use VoIP for telephony and we don’t have TV. It’s not worth paying for advertisement. So Netflix it is.
However, I have my own dedicated server for some websites. I integrated HTTPS about half a year ago with letsencrypt. It auto renews your certificate so it is a no work solution. I HTTPSed a couple WordPress blogs and CMS driven sites. It requires a little bit of work but can be done in 10 minutes.
Also, just Google HTTPS interception. As far as I understand even that is not secure! As for privacy … We’re screwed!
But honestly, were you ever so naive? There is no such thing as security or privacy on the internet! Everything can and eventually will be broken or decrypted, just a question of time and effort.
I have Comcast as well and the idea that not only can Comcast inject code but potentially anyone else also using their public Wifi is a bit alarming. And while only browsing secure sites helps, it’s not guaranteed privacy. And it is definitely a good idea to turn off the public WiFi spot coming from your router.
Thanks for sharing this Chris! I use Xfinity and yeah, it’s bs they do that, but not alarming really, almost sort of expected. Never been a fan of them, but where I am I didn’t have a choice, and I’m sure they aren’t the only ones doing it. HTTPS is not a perfect solution by any means, but it’s better than not having it. I’d rather have a lock on my front door than not… Thanks for the guide as well, I have passed this to a few people!
Putting up SSL on your site is easy – but keeping all those JS and CSS assets in check, not to mention already published content (e.g. thanks to the nasty habit of a lot of CMSes to add absolute image URLs instead of relative / dynamic ones) … is a hard hustle.
But if it’s already a steep level for regular developers, who should know at least a few sysadmin tricks – what’s with normal site owners and “hobbyist” programmers or web designers? Lots of “fun” ensued.
cu, w0lf.