Privacy and security fears have been raised by California-based developer Jarred Sumner, who posted on GitHub that Comcast, a US-based ISP, is using a man-in-the-middle (MITM) attack to warn users of potential copyright infringements they may have committed.
The message reads:
"An important message from Comcast. As part of the Copyright Alerts System operated by the Center for Copyright Information, a copyright owner has sent Comcast a notice claiming your internet service from Comcast was used to copy or share a movie, television program or song improperly. We have sent an e-mail with more information about this notice to the comcast.net e-mail address of the primary account holder in your household."
The code responsible for displaying the alert is called comcast.js and spans 237 lines of code. This sort of MITM injection is only possible when the user loads a page over plain, unencrypted HTTP: the response carries no integrity protection, so anyone on the path between browser and server can alter it before it reaches the browser.
Normally, when you enter a URL the browser sends a request to the web server, which responds with the page's source, and the browser renders it. What Comcast is doing is intercepting the user's request and forwarding it to the server; the server's response then comes back through Comcast's equipment, which injects its own script into the HTML and relays the modified page to the user, who then sees the alert. Criminals have used the same technique to trick users into disclosing private information, and a browser has no way to tell an injected script from one the website intended to serve.
Man-in-the-middle attacks of this kind can be mitigated by using HTTPS, which authenticates the server and prevents the page from being modified in transit. Unfortunately many websites still do not support HTTPS, or do not enable it by default for fear of breaking parts of the site. The Electronic Frontier Foundation maintains a browser extension called HTTPS Everywhere which rewrites requests to use HTTPS wherever a site supports it, to help prevent HTTP connections being hijacked; it cannot protect a site that offers no HTTPS at all.
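The two paragraphs above describe how an in-path injector rewrites a plain HTTP response and why HTTPS stops it. The following is an added example written for this page; it is not Comcast's comcast.js or any code from Jarred Sumner's post. It models the injection as a function that rewrites a constructed HTTP/1.1 response (the hostname, page body and the injected script URL `http://injector.invalid/alert.js` are all made up), and then points the same rewriter at a response protected by an integrity tag, standing in for the TLS record layer, to show the browser rejecting the tampered page. It uses only the Python standard library and no network.

```python
"""
Added example: an in-path HTTP injector, and why it fails once the
transport carries integrity protection. Not code from the original
article or from comcast.js.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample of what an origin server returns over plain HTTP.
# The hostname and body are invented for this example.
ORIGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 62\r\n"
    b"\r\n"
    b"<html><body><h1>example.invalid</h1><p>hello</p></body></html>"
)

# Hypothetical script tag an injector would add; the URL is made up.
INJECTED_TAG = b'<script src="http://injector.invalid/alert.js"></script>'


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_script(raw: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """Rewrite a plaintext HTML response the way an on-path injector must:
    touch only text/html, insert the tag just before </body>, and correct
    Content-Length so the browser neither truncates nor waits for bytes
    that never arrive. Anything else is passed through untouched."""
    _, headers, body = split_response(raw)
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"text/html") or b"</body>" not in body:
        return raw
    new_body = body.replace(b"</body>", tag + b"</body>", 1)
    head_lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    rebuilt = []
    for line in head_lines:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        rebuilt.append(line)
    return b"\r\n".join(rebuilt) + b"\r\n\r\n" + new_body


# Stand-in for the TLS record layer: the two endpoints share a key the ISP
# does not hold, and every record carries a MAC over its contents. Real TLS
# uses AEAD ciphers and also hides the bytes; the integrity check alone is
# enough to show why injection fails. The key is a constructed value.
SESSION_KEY = b"shared secret held only by browser and server"


def protect(record: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Prefix a record with an HMAC-SHA256 tag over its contents."""
    return hmac.new(key, record, hashlib.sha256).digest() + record


def unprotect(protected: bytes, key: bytes = SESSION_KEY) -> Optional[bytes]:
    """Return the record if its tag verifies, else None (a real client
    would abort the connection at this point)."""
    tag, record = protected[:32], protected[32:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return record


def injector_vs_protected(raw: bytes) -> Optional[bytes]:
    """What the browser ends up with when the injector rewrites an
    integrity-protected response: None, because the tag no longer matches."""
    protected = protect(raw)
    tampered = protected[:32] + inject_script(protected[32:])
    return unprotect(tampered)


if __name__ == "__main__":
    print(inject_script(ORIGIN_RESPONSE).decode())
    print("over protected transport:", injector_vs_protected(ORIGIN_RESPONSE))
```

Run stand-alone, the first print shows the rewritten page with the script tag in place and a Content-Length that matches the new body; the second prints `None`, because the client's integrity check discards the altered record. The Content-Length fix-up is the detail that separates a working injector from one that breaks pages, and it is also a useful detection signal: a response whose body length, script tags or headers differ between a direct HTTPS fetch and the page the browser received over HTTP has been modified on the path.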
Another way to mitigate the attack is to stay permanently connected to a VPN, which tunnels all traffic through an encrypted connection so that Comcast never sees a plaintext HTTP connection it can tamper with. Note that this only moves the point of trust: the VPN provider, and every network between its exit and the website, sits in exactly the position Comcast occupies here, so HTTPS remains the stronger protection.
Source: GitHub via ZDNet | Image: Jarred Sumner