Stories
Slash Boxes
Comments

SoylentNews is people

Comcast Injects Copyright Warnings Into Unencrypted Web Pages

posted by cmn32480 on Wednesday November 25 2015, @02:35AM   Printer-friendly
from the anybody-surprised? dept.

chromas writes:

From ZDnet:

If Comcast thinks you're downloading copyrighted material, you can be sure it'll let you know. But how it does it has raised questions over user privacy. The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material -- such as sharing movies or downloading from a file-sharing site.

Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner's code on his GitHub page, told ZDNet in an email that this could cause major privacy problems. Sumner explained that Comcast injects the code into a user's browser as they are browsing the web, performing a so-called "man-in-the-middle" attack. (Comcast has been known to alert users when they have surpassed their data caps.) This means Comcast intercepts the traffic between a user's computer and their servers, instead of installing software on the user's computer.

A Comcast spokesperson said in an email on Monday that this is "not new," adding that engineers "transparently posted an Internet Engineering Task Force (IETF) white paper about it" as early as 2011, which can be found here.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Comcast Injects Copyright Warnings Into Unencrypted Web Pages | Log In/Create an Account | Top | 46 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday November 25 2015, @06:10PM

    by Anonymous Coward on Wednesday November 25 2015, @06:10PM (#268082)

    It is my understanding that HTTPS *does* hide the specific URL you are visiting. That is one reason that so few websites support HTTPS. To use HTTPS, you need a dedicated IP address to get the certificate issued. This does not work well with (cheaper) shared hosting.

    You can now share an IP address with several HTTPS websites by specifying more than one common name in the certificate. You are still restricted to one IP per certificate though.

    If webservers (and end-users) finally move to IPV6, this particular problem will be solved. Though the "powers that be" will still know wich websites you are visiting based soley on the unique IP address. Maybe CJDNS will help with that.

  • (Score: 0) by Anonymous Coward on Wednesday November 25 2015, @06:33PM

    by Anonymous Coward on Wednesday November 25 2015, @06:33PM (#268089)

    Darn it. I even looked this up while composing my reply, but did not scroll far enough down the page

    RFC 4366 [ietf.org] (Server Name Indication) permits virtual hosting for SSL and is pretty old and well supported nowadays

    See http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI [apache.org] for a pretty in-depth explanation.

    - Is unique IP address a must for SSL? [stackexchange.com] So you can disclose the server name without giving each website a unique IP address. Still a information leak I suppose.