
DPI units can unwrap and re-wrap SSL


Comcast's RFC (6108) states that it designed the system described therein specifically to not need to use DPI.

Not saying Comcast definitely doesn't use it; rather, that it'd be hilarious to see Comcast lie to everyone's faces yet again.


Of course, to distinguish HTTP traffic from non-HTTP traffic and to intelligently insert the code snippet only where it won't disrupt e.g. API call response or a file download, some basic level of DPI is required.


You don't re-wrap. You just downgrade to HTTP.

This is why TLS 1.3 and HSTS exist.


Do you have a link to anything on this? I'm still not clear on how to MITM a TLS transmission sans CA cert.


The attacker needs to generate a new cert that the client trusts. This is easy on a corporate network where you can force users to trust a private CA. Unlikely to happen with a US ISP, but possible if someone hacks the CA (eg DigiNotar) or the CA hands out unconstrained certificates to someone who acts badly (eg CNNIC).


Speaking of which, is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs.


Mozilla and Microsoft publish their lists. Chrome uses the OS's root store. I've seen other open source software use Mozilla's list, but I've never seen a list of what software does that.

https://wiki.mozilla.org/CA/Included_Certificates
https://docs.microsoft.com/en-us/security/trusted-root/parti...
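One way to act on the published lists, as an added example rather than code from anyone in this thread: hash the DER-encoded roots that the local trust store hands to Python's ssl module and report any whose SHA-256 fingerprint is absent from an expected list. The placeholder fingerprint and the colon-separated input format are assumptions; a real run would paste fingerprints from the Mozilla or Microsoft lists into the set.

```python
import hashlib
import ssl

# Constructed allowlist of expected root fingerprints. Published lists give
# SHA-256 fingerprints as colon-separated uppercase hex; the single entry
# below is a placeholder value, not a real root certificate.
EXPECTED_ROOT_FINGERPRINTS = {
    "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:"
    "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
}


def normalize(fp: str) -> str:
    """Turn 'AA:BB:...' or 'aabb...' into lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def unexpected_roots(der_certs, expected):
    """Fingerprints present in der_certs but missing from the expected set."""
    allow = {normalize(fp) for fp in expected}
    found = {fingerprint(c) for c in der_certs}
    return sorted(found - allow)


def audit_local_trust_store(expected=EXPECTED_ROOT_FINGERPRINTS):
    """Audit the roots the OS (or Python's bundled store) supplies to ssl."""
    ctx = ssl.create_default_context()
    roots = ctx.get_ca_certs(binary_form=True)  # list of DER byte strings
    return unexpected_roots(roots, expected)


if __name__ == "__main__":
    # With the placeholder allowlist every real root is reported; replace the
    # set with a published list to get a meaningful diff.
    for fp in audit_local_trust_store():
        print("root not on expected list:", fp)
```

Chrome on Linux and Firefox keep their own stores, so this only covers what the OS store (or Python's certifi bundle) exposes.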


What you are describing doesn't seem to be a MITM attack on https traffic, but something else, which is why I stated "sans CA cert".


They're describing what would be required to MITM HTTPS traffic. You're correct that they essentially need to get the cert.


Without a root CA? And without showing up in certificate transparency logs?

Good luck :)


No.


Does your browser not load <noscript>?


It doesn't, which is admittedly pretty unusual.

Never mind. Sorry for the noise.


Oh okay! I just wanted to make sure there wasn't anything I could do to make this a better experience for you! Enjoy.


I think the school has the fiber too.


250ms is a lot. 50kb isn't a lot on its own... but when it happens consistently then it adds up quickly.

Also, it's just plain wrong to charge me for what I didn't ask for.


They have my #. They have my email. They have my address.

Those are the ways I want to be contacted.


FoCo is getting giga fiber!


Do people who live in Fort Collins actually call it FoCo?


Yes. To the extent that many of the surrounding areas call themselves NoCo for North Colorado.


I don't any more, but when I was there I called it FoCo.


Yes.


Cheers, back up now. Might have been scaling.


Nope, they physically open your packets, change the content of the HTML, and send the packets along the way. Even if you access the IP directly, it still injects code via MITM attack.


I saw the MITM injection from Comcast exactly once and it served as a reminder to go and change the DNS settings on my routers. Never seen the injection since, and I've been on Comcast for years.


That is odd, I recently got a MITM injection even while running everything on openDNS.


Maybe you're right, and me not seeing injections could be explained by a lot more traffic going through SSL/TLS by default, or I'm just not getting close to my monthly quotas any more.


Out where I am we don't have fiber yet :( We'll be switching ASAP when it's available.


I love Fort Collins so much, and it gets even better the further north and/or west you get.


Totally aware it's old news... and I was hoping to paint a better picture than the previous artists.


Yeah, I'm not hating at all. Just signalling frustration with you.

