
Yes. You can’t inject code in a TLS-secured connection unless you can MITM TLS and if they can do that, all is lost anyways.


There are several corporate firewall products that can do just that. Comcast can just start demanding that their customers install their root cert and that's that.

Remember they are the only venue to access the internet for a lot of people, what are they going to do? Stop using the pretty much mandatory communication and information platform?

I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.


They could, but they don't. Until they do, or imply in any way that they might, let's stick to the facts and leave wild, flailing speculation to reddit.

Regardless of what an ISP might do, HTTPS everywhere is excellent advice.


After all the horrible consumer practices Comcast does regularly, you'll still give them the benefit of the doubt? How many times do they have to prove themselves untrustworthy and consumer-hostile before you'll stop sitting there and just hoping that the next magical tech will make them stop trying to extract maximum money and inject ads into your stream?

Yes, HTTPS is great and should be deployed everywhere. But thinking that they'll just give up on injecting ads into your stream when a large chunk of people use it is hopelessly naive - especially when off-the-shelf enterprise solutions that MITM HTTPS traffic already exist.


The technical capability to MiTM TLS has existed since the very moment TLS was designed. It all hinges on the ability to get a trusted certificate for the domain you want to MiTM. You can do TLS MiTM with Apache if you choose to. Acquiring the cert has always been the problem and nothing changed in that regard. Strictly speaking, things on that front have become harder since browsers are becoming more and more strict about enforcing TLS security. If Comcast moved to distributing a CA cert to their customers I could quite well imagine that all browser vendors would block that root, as they’ve done with CAs that fell out of trust.


Not to mention the Certificate Transparency efforts...

Breaking TLS is considerably harder. And forcing a cert upon your customers would be hard to scale... It would be similar to implementing a firewall forbidding TLS and VPNs. That's a hard sell.


Comcast and their telco friends just managed to lobby legislation away while completely ignoring complaints and good business. It doesn't look like Americans have any power to fight against these companies, so trust in other for-profit companies which are reliant on Comcast & Co. for their profits seems a bit optimistic to me :/


That post wasn't about legislation. It was about the fact that if Comcast started trying to install root certs on the machines of customers using them for their ISP (which itself is unlikely because of the extra cost both to install and to troubleshoot, i.e., "why can't I browse anything when I am on my new phone"), Google, Apple, and Microsoft could, and likely would, decide to reject them in their respective browsers as being untrusted. Because they have seen fit to do that in other instances where user security was compromised, and an ISP MITMing every bit of your traffic is no less alarming.


> HTTPS everywhere is excellent advice

I couldn't agree more! That's one of the reasons for example we have supported groups like Let's Encrypt (http://labs.comcast.com/innovation-fund-spotlight-lets-encry...) and CrypTech (https://cryptech.is/).


Please don't let "support" become "influence". The web needs less influence from Comcast and ISPs. Your business practices are a cancer on the internet.


Not HTTPS Everywhere, the extension, which has ridiculous system demands.


Perhaps you might like to suggest a replacement and or reasons for your statement?


I stated the reason, and I don't have a replacement. It's a great idea, but for now I'll have to wait for websites to enforce https on their users. But of course it can work for you if you have the resources to spare.


All of these products require that a corporate root certificate is installed on the devices initiating the connection. This would require that all users install the cert on all devices, some of which do not allow such an install. I don’t think you can install certs of your choice on a PlayStation, an Amazon Echo, an Apple TV or any of the home automation systems. This would break all of those devices. It would also break any app that uses cert pinning. All of this is manageable in a corporate setting where you can remotely configure all devices and have a suitable IT support operation, but it would be an absolute support nightmare for Comcast if random stuff just breaks when on their network. Think about what happens when Apple TVs or TiVo boxes come with a sticker explaining that they don’t work on Comcast networks because Comcast does not allow secure communication. Banks would require their customers not to do internet banking while on Comcast networks since secure connections cannot be established.
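To make the cert-pinning point above concrete, here is an added example (mine, not code from any poster or product in this thread) in Go. It constructs a genuine root and a hypothetical "ISP interception" root, issues a certificate for the constructed host bank.example from each, and shows that once the interception root has been installed into the trust store, ordinary chain validation accepts the interceptor's certificate while an SPKI pin check still rejects it. Every CA, key and hostname is generated inside the program; nothing is read from a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate. With parent == nil it is a self-signed CA named
// name; otherwise it is a server leaf for hostname name signed by parent.
func issue(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo (HPKP / Android pin format).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Verify does the chain check every TLS client does; when pins is non-empty it
// also requires the leaf's SPKI hash to be in the pin set, so an extra root in
// the trust store is not enough on its own.
func Verify(leaf *x509.Certificate, host string, roots *x509.CertPool, pins []string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return err
	}
	got := SPKIPin(leaf)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	if len(pins) == 0 {
		return nil // no pin configured: the trust store alone decides
	}
	return fmt.Errorf("pin mismatch for %s: leaf SPKI %s is not in the pin set", host, got)
}

// RunScenario models a customer whose trust store has had an interception root
// added: both certs for the host chain fine, but only the genuine one is pinned.
func RunScenario() (map[string]error, error) {
	const host = "bank.example" // constructed hostname
	legitCA, legitKey, err1 := issue("Example Public Root (constructed)", 1, nil, nil)
	mitmCA, mitmKey, err2 := issue("ISP Interception Root (hypothetical)", 2, nil, nil)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("issuing CAs: %v / %v", err1, err2)
	}
	genuine, _, err1 := issue(host, 100, legitCA, legitKey)
	forged, _, err2 := issue(host, 200, mitmCA, mitmKey)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("issuing leaves: %v / %v", err1, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(mitmCA)              // the forced root install
	pins := []string{SPKIPin(genuine)} // the pin the app shipped with
	return map[string]error{
		"genuine/chain":  Verify(genuine, host, roots, nil),
		"genuine/pinned": Verify(genuine, host, roots, pins),
		"forged/chain":   Verify(forged, host, roots, nil),
		"forged/pinned":  Verify(forged, host, roots, pins),
	}, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

The pin is the SHA-256 of the leaf's SubjectPublicKeyInfo, the same value Android's network security config and the old HPKP header use; real apps usually pin an intermediate or a backup key as well so a routine certificate rotation does not lock users out. This is exactly why a forced root install breaks pinned apps outright: the app never consulted the trust store for the final decision.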


So they'll be whitelisted. They just need to make use of FB/Google/Amazon/etc. websites impossible without the root cert and they can continue injecting ads into any website content. It's not like they care about injecting ads into PS4 API calls (yet).

Also how hard do you think it would be for American telcos to push for inclusion of their MITM certificates? Especially if other companies like Verizon come aboard the profit train?


Browser vendors have distrusted whole CAs for less than full interception. In the end, all of this would require control over the device and Comcast can’t achieve that (unless legislated, but that’s a whole different ballpark).


> Comcast can just start demanding that their customers install their root cert and that's that.

Comcast can demand all they want but they are going to have to hand-hold a lot of people through the process. Sure, Windows/Mac could offer a nice executable to install it for you, but you still have to get people to install it and that’s not something their whole customer base will be able to do.

The process of installing CAs on iOS devices involves even more steps. And this is a process that will have to be completed every time a new device is put on their network.

What about even more “locked down” systems? Your IoT doorbell? Your networked cctv camera? Your Smart TV?

Is it possible? Sure. Is it practical? If Kazakhstan couldn’t do it I’m going to struggle to see Comcast pull it off (though if anyone can, it’s prob them). See, in a corp environment where they own all the devices it’s fairly easy to do, as most of your deployed hardware is going to be able to remote install what IT asks of it, your mobile devices are going to be enrolled into MDMs, and you will have IT staff on hand to help staff enroll their devices. None of which Comcast has.

We are not talking about your avg Hacker News reader configuring their devices to get online, we are talking about people like my mother who can just about browse the web and play games on her iPad and struggles to set the alarm on it. How are you going to get her to install the root CA without having someone do it for her? Sure, get the installer to do it? But what about all your existing customers? Are you going to schedule a call-out for each of them? And what about when she gets a new device? Are you going to make her take the device to the local Comcast store to get it installed?

Oh, and Chrome and/or Firefox could throw a massive spanner into the works by refusing to accept their root cert halfway through deployment, meaning all those “updated devices” need to be updated again before they even had a chance to use it at any major scale.

Sure it’s possible, I just don’t see it as practical as of today.


I remember Kazakhstan announcing that policy, but I never saw the fallout. Did anyone write it up in English?


They tried a couple of times (I've not been keeping tabs on them too closely) to get a root cert into Mozilla - https://bugzilla.mozilla.org/show_bug.cgi?id=1232689 - but were denied until they get a valid BR audit, https://bugzilla.mozilla.org/show_bug.cgi?id=1331364, but have yet to answer the follow-up questions so the request hasn't progressed.

They published a response to the backlash - http://mic.gov.kz/en/news/matters-using-registration-certifi... - saying that it would only be used to improve the security when accessing foreign resources, and battle porn, terrorism and transnational crime.

Dunno what the adoption rate of the cert was, or if they do force the use of the cert when accessing foreign https sites.

They quietly removed the notice from the telecoms' websites saying that people will need to install the cert or may lose access to foreign https sites (not from Kazakhstan), but I would expect someone would have gotten word out if they had (maybe they did and I've just not come across it).


You're way overthinking this. Go look at how exactly the automated deployment of a MITM HTTPS corporate firewall works - it's a few-step affair and gets them 90% there.

All they need to do is block YouTube/Google/Facebook until you run the "Comcast internet setup wizard" (remember? those were a thing!) which makes most customer connections MITMable. Then charge extra for all non-MITMed connections ;)

Declare Firefox as unsupported, Google will have to cave in to the biggest telco and that's that. This article (and all others about Comcast) clearly proves that Americans have zero leverage over companies like Comcast. The customers are peacefully accepting modification of their network traffic now, why do you think you'll suddenly get any more leverage over a natural monopoly you're forced to use in the future? Especially after dismantling net neutrality?


The internet setup wizard is a pain to even get to these days esp if you are trying to run it on a “dirty” device that has already been used online and is enforcing HSTS.

You can only redirect them to the wizard if they try and connect to a non https site or the non http site of a https site they have yet to visit.

Same mother. She has a 4G SIM in her iPad; the cheapest deal for her usage level is prepaid SIMs. When the prepaid credit is gone it’s cheaper to use a new SIM than to top up the existing SIM. Except you have to go through an activation portal to enable the SIM. It’s easy: pop in the new SIM, visit the telco's website or any non-https valid domain, press the activate button and away you go.

She still can’t do it. And in a world where more and more people are using apps instead of browsers, where preinstalled apps will just fail, you are going to cause even more issues.

BT's Smart Setup captive portal on their routers was one of the most annoying things they did. And when searching for it, the top results are for turning the thing off. Why? Because it interferes with devices that cannot display the portal: Smart TVs, Amazon TV sticks, set-top boxes, webcams, IoT toasters, etc.

While they haven’t removed it from their latest router they have had to make disabling it much easier than in previous versions.

With the number of end user devices on the market, I just don’t see them managing to pull it off by getting end users to install their cert.

But you touch on a point. You say that Chrome would have to just suck it up from Comcast. Now I’m not saying I disagree, but if they held so much power over Chrome (the largest browser my customers use), why would Comcast go through all that pain to get end users to install a root CA? Why not just get the browser to install the cert anyway and save all that hassle with your end users? Think of the savings they would make not having to handle all those support calls.

Like I said. Possible? sure, practical today? I don’t believe so.
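The point made above, that a plaintext redirect to a setup wizard or captive portal can only reach hosts the browser does not already know as HSTS, can be shown with a small model of a browser's HSTS store. This is an added example, not code from the thread or from any browser; the host names and header values are constructed. It parses the Strict-Transport-Security header, ignores policies that arrive over plaintext, and rewrites http:// navigations to https:// for known hosts (and their subdomains when includeSubDomains is set), so the plaintext redirect never fires for them.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

type hstsEntry struct {
	expires           time.Time
	includeSubDomains bool
}

// HSTSStore is a minimal RFC 6797 policy store keyed by lowercase host name.
type HSTSStore map[string]hstsEntry

// ParseSTS parses a Strict-Transport-Security value; unknown directives are ignored.
func ParseSTS(header string) (maxAge int64, includeSubDomains bool, err error) {
	maxAge = -1 // sentinel: the mandatory max-age directive not seen yet
	for _, d := range strings.Split(header, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		switch strings.ToLower(kv[0]) {
		case "max-age":
			n, perr := strconv.ParseInt(strings.Trim(kv[len(kv)-1], `" `), 10, 64)
			if len(kv) != 2 || perr != nil || n < 0 {
				return 0, false, fmt.Errorf("bad max-age directive %q", d)
			}
			maxAge = n
		case "includesubdomains":
			includeSubDomains = true
		}
	}
	if maxAge < 0 {
		return 0, false, fmt.Errorf("max-age directive is required")
	}
	return maxAge, includeSubDomains, nil
}

// Observe records the policy in a response from host. A header received over
// plaintext HTTP is ignored (RFC 6797 section 8.1); max-age=0 forgets the host.
func (s HSTSStore) Observe(host string, overTLS bool, header string) error {
	if !overTLS {
		return fmt.Errorf("ignoring STS header from %s: not received over TLS", host)
	}
	maxAge, sub, err := ParseSTS(header)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if maxAge == 0 {
		delete(s, host)
		return nil
	}
	s[host] = hstsEntry{time.Now().Add(time.Duration(maxAge) * time.Second), sub}
	return nil
}

// MustUpgrade reports whether host, or a parent domain with includeSubDomains,
// has an unexpired policy.
func (s HSTSStore) MustUpgrade(host string) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		e, ok := s[strings.Join(labels[i:], ".")]
		if ok && time.Now().Before(e.expires) && (i == 0 || e.includeSubDomains) {
			return true
		}
	}
	return false
}

// Navigate models the browser: an http:// URL for a known host is rewritten to
// https:// before any request leaves the machine, so no plaintext redirect is seen.
func (s HSTSStore) Navigate(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "http" && s.MustUpgrade(u.Hostname()) {
		u.Scheme = "https"
	}
	return u.String(), nil
}

// RunScenario: one site was visited earlier over HTTPS and set a policy, another
// tried to set one over plaintext. Returns what the browser would actually fetch.
func RunScenario() map[string]string {
	s := HSTSStore{}
	_ = s.Observe("bank.example", true, "max-age=31536000; includeSubDomains") // constructed
	_ = s.Observe("news.example", false, "max-age=31536000")                   // ignored: plaintext
	out := map[string]string{}
	for _, raw := range []string{"http://bank.example/", "http://www.bank.example/login", "http://news.example/"} {
		out[raw], _ = s.Navigate(raw)
	}
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Browsers also ship a preload list, which amounts to seeding this store before the first visit: a host on that list cannot be caught by a plaintext redirect even on a brand-new device, which is the "dirty device" problem from the other direction.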


> I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.

I don't understand. Your second sentence seems to contradict your first; Comcast bribing legislators is a social/political attack. What did you mean?

I currently see more hope in tech solutions than political solutions to the problems of privacy, net neutrality, and script injection. We have the option to use content and routing encryption technology that looks something like Tor or I2P. Instead, we're asking politicians who don't understand the tech to protect us from ISPs who will never stop trying to leverage anything they can find in our traffic. Allowing Comcast to see the traffic at all is the problem, and politics will never prevent that.

If it's apparent to you that the political fight is more winnable, or that technical approaches to privacy are doomed, then what is the social/political solution to internet privacy? Because we don't have any right now, and it looks like we're losing the political war.


It would make it harder, perhaps.



