Script injection into HTTP by Cox Communications

Yesterday night while I was working on my website, an unpleasant surprise popped up in my browser – a popup, shown via a script injected by my ISP, Cox Communications:

I had heard about the unpleasant technique of internet providers injecting scripts into their customer’s plain HTTP traffic before, but I did not know that Cox Communications was employing this horrible practice, too. A brief look revealed that the script is coming from the IP address 184.178.98.61, which belongs to a bigger block assigned to Cox, the 184.176.0.0/12 subnet. Since I doubt that they’re using only a single IP address for these scripts, I blocked the entire range on the firewall for now (using a script blocker like NoScript for Firefox would work, too).

While that may be an immediate solution to get rid of the pop ups, it is the practice itself that I find absolutely disgusting (and that’s besides the fact that it violates the so-called “end-to-end principle“). They’re my ISP, and that requires a certain trust, because my communications run through their network. This trust included – foolishly – thinking that they would not tamper with traffic on the way from one end point to another. And that trust has been destroyed entirely. Well done, Cox.

I have no doubt though that the not-so tech-savvy internet users (which are probably the majority these days) won’t question this practice (and that’s why Cox can get away with it, while I also have no doubt that they formulated their contracts in a way that makes this perfectly legal for them to do). So let’s apply this type of thinking to a different protocol: POP3. Using it on port 110, it’s unencrypted too – if I would retrieve my messages via POP3 (which I’m not), Cox might just as well intercept that traffic, and inject some notifications into the message body of any email that I retrieve. If the practice of script injection to show a popup didn’t sound wrong yet, does it now, maybe? The principle is exactly the same.

I also found it particularly annoying that this script was added into the administrative interface of my website – it’s no surprise, because it is not HTTPS secured, but still: I am appalled by the “brute-force” thinking and complete lack of decency and respect behind using such script injecting techniques: just push it into any kind of HTTP traffic, doesn’t matter what it is.

The question remains: why is this even necessary? After all, I am their customer: they have my email address (that’s where they manage to send me a message when my bill is due, always, and reliably), my phone number, and my home address. If there’s anything they need to tell me, they can contact me without injecting their scripts into the traffic going from other websites to my browser, violating the end-to-end principle, and annoying (or confusing) their customers with this rude behavior.


Oh and, about the popup: “we recently shared the great news with you that your Cox High Speed Internet speed has increased” – that’s not true. The only thing I saw was a price hike, from $54.99 to $61.99 per month, without any announcement whatsoever. Or is that what Cox refers to with “great news” perhaps? It’s great news for them for sure, to charge even more for comparably low internet speeds. I’ve written about that before.

Advertisements

3 Comments

  1. ISPs aren’t what they used to be anymore. They have more control than they should have. And what you describe looks and sounds really scary.

    I’m also using cable internet (Unitymedia, owned by the american company Liberty Global) in Germany and my ISP offers the famous Fritzbox along with certain contracts for rent. Sounds great, as these devices are really feature rich but it actually is a trap because they control them fully. They will know your settings, your phone directory, your wifi passphrase, etc. They will decide when to deploy updates, which then probably break your internet connection and so on.

    I’m happy with two devices now: A modem where control of my ISP ends (almost) and a separate Fritzbox as my router. Feels better.

    BTW: Link at the end seems to be broken.

    Like

    1. Ooops, fixed. Thanks Viktor.

      We’re using a similar setup (separate modem and router), but own both devices. The ISP did a remote-config of our modem, though. I still need to get a better firmware onto our router (I’m thinking about Tomato now, need to look into it).

      Like

  2. Tomato. Now that’s a word I haven’t hear since the days of tinkering with my Linksys (pre-Cisco) routers. On a similar note my Dlink router inserted it’s search provider into my browsers during setup (I think I made a wrong choice of smoething) and I had a devil of a time removing that mess.

    Like

Thoughts? Let me hear them.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s