A Man In the Middle (MITM) attack is basically when an attacker stealthily interposes themselves between you and another party (a person, a server, etc.) and intercepts, and possibly alters, the communication. Normally the bailiwick of cybercriminals, Advanced Persistent Threats and nation-state actors, it turns out this is commonly done by our ISPs as well.

I was browsing the web this morning and visited this page about the CHERI project. That page is hosted on the University of Cambridge website and should be completely safe to visit.

However, when I loaded it up on my iPhone, I saw a banner from Optimum advertising their free upgrade to faster internet. (I believe this is known as a DOM injection attack.) I had a literal WTF moment, as this should be impossible. The website is served over HTTPS, which means that, unless someone has broken the crypto underlying modern TLS, even my ISP, which sees all of my internet traffic, should be incapable of decrypting or modifying any of that traffic.

But what if that website loads some resources not via HTTPS? I opened up the debugger’s networking tab in a Firefox desktop browser window, loaded that site, and sure enough, there was a plain HTTP request for a single resource. (Oddly, I am not able to reproduce this consistently, nor at all with Chrome.)
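One way to hunt for exactly this kind of plain-HTTP subresource on an HTTPS page without opening a browser debugger is to walk the page’s HTML and resolve every fetchable URL against the page URL. This is an added example, not code from the original post; the page URL and HTML below are constructed, and protocol-relative and relative URLs are treated as inheriting the page’s https scheme, which is how browsers resolve them.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "video": "src",
               "audio": "src", "source": "src", "embed": "src", "object": "data",
               "link": "href"}
# <link> only fetches for these rel values; rel="canonical" does not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs fetched over http

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        value = attrs.get(attr_name)
        if not value:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page URL, so those inherit https and are not flagged.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


# Constructed sample: an HTTPS page with two plain-HTTP subresources.
SAMPLE_URL = "https://www.example.org/research/cheri/"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.example.org/research/cheri/">
<link rel="stylesheet" href="http://www.example.org/css/site.css">
<script src="//cdn.example.net/lib.js"></script></head><body>
<img src="/images/logo.png">
<script src="http://stats.example.org/counter.js"></script></body></html>"""
```

Anything this reports is a resource an on-path party such as an ISP can rewrite in transit, even though the page itself came over HTTPS; the fix on the site side is to serve those resources over HTTPS (or at least add a Subresource Integrity hash so a modified script is rejected).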

So what probably happened is:

  • Optimum saw an unencrypted HTTP request

  • fingerprinted my request by IP address and perhaps some other mechanisms

  • determined that it had not already sent me that advertisement

  • injected some JavaScript into the content of that response

  • the JavaScript payload added a little banner at the top of the page I was viewing, notifying me of the newer, faster internet speeds

When I got past the initial shock, I recalled that I had read about something like this before, and was able to track down a Hacker News post, “Xfinity is Man-in-the-Middle (MITM) Attacking my Internet”, from 2019. See also “Comcast still uses MITM javascript injection to serve unwanted ads and messages” from 2016.

This commenter on the Xfinity post purports to have knowledge of the details of how Comcast’s “User Messaging” feature works, via a network appliance that is operated by other ISPs as well. I’m unable to find any more information on the internet about what this appliance might be, who makes it, etc.

It isn’t hard to find software that does this sort of thing at the org/corporate level, e.g. Ivanti Traffic Manager can “decrypt and re-encrypt SSL traffic dynamically”, and there is probably a raft of Cisco hardware and software that can do the same things. But I haven’t been able to find anything specifically for ISPs that would support this functionality. The closest thing is this document on Cisco SD-WAN technology, which mentions that:

An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

I would guess, however, that this is too “low-level” an operation for the sort of functionality we’re talking about, and there is likely some kind of appliance dedicated to intercepting and modifying HTTP traffic specifically, without worrying about modifying and reassembling individual packets.

But it seems equally plausible that it is just software running on the modem or router itself, which could periodically “phone home” to the ISP to check whether there are any “user messaging” campaigns the ISP wants to run.

Unfortunately, there are probably no ISPs (maybe Google Fiber?) that you could trust not to engage in this sort of shady activity.