This month, Comcast is starting to enforce a 1 TB data cap in my area. The company has promised to notify users who approach their data cap via “in-browser messaging,” which looks like this:

Comcast is MITMing my shit 😠 pic.twitter.com/5SDBopyqDD

— Chris Dzombak (@cdzombak) November 21, 2016

Yep, that is Comcast’s content injected into a random webpage I visited.

This might seem like a customer-friendly feature, but it’s extremely dangerous for Comcast’s users. This practice will train customers to expect that their ISP sends them critical messages by injecting them into random webpages as they browse. Moreover, these notifications can plausibly contain important calls to action which involve logging into the customer’s Comcast account and which might ask for financial information.

This is a beautiful vector for successful phishing attacks.

Any website could present its users an in-page dialog which looks similar to these Comcast alerts. The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites — remember, most password recovery mechanisms revolve around access to an email account.

(Of course, a malicious site would show those dialogs only to clients visiting from Comcast’s residential IP space.)

Ad networks could also serve as a vector to spread malicious Comcast-look-alike phishing dialogs across a number of legitimate sites. This wouldn’t require a site to be malicious outright, just to use a vulnerable ad network. (I’ve written previously about ad networks and ad blockers.)

For website operators, this is yet another reason to move everything to HTTPS. Comcast can’t inject content into encrypted communications, and making this customer-communication method less effective by moving more sites to HTTPS will discourage them from further investing in content injection.

Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works. This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you.

First, let me point out that just publishing a memo that says you plan to do something, doesn’t mean that the thing you’re doing is acceptable.

Second, RFC6108 does not address this concern whatsoever. There’s a short section about security considerations, which largely boils down to this guidance: “…the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques. Finally, care should be taken to provide confidence that the web notification is valid and from a trusted party, and/or that the user has an alternate method of checking the validity of the web notification. …”.

This means Comcast customers are expected to know that these notifications should not ask for login information. How are users expected to know that? If a malicious site embeds a login form into one of these dialogs, how is a customer to know that it isn’t legitimate?

And how does Comcast “provide confidence that [this] web notification is from a valid and trusted party?” It’s a bit of HTML on a random, non-HTTPS website. Anyone can pop a Comcast logo onto a webpage. There’s no way to confirm that it’s “valid”. Comcast’s RFC doesn’t say how this confidence should be provided — probably because it’s completely impossible.

Alternatively, Comcast wants users to employ “an alternate method of checking the validity of the web notification.” What, exactly, is a user supposed to do to verify that one of these dialogs is legitimate? Let’s keep in mind that many users don’t even check for a lock icon in their browser’s address bar; so any verification system Comcast provides must be easier and more obvious than that. I eagerly await its proposal.

This is a reckless practice by Comcast which puts its customers at risk. These notifications are a terrible, dangerous idea. I urge Comcast to reconsider its use of this notification system, for the safety of its customers.