Just Another HTTPS Nudge
https://css-tricks.com/just-another-https-nudge/
Published 2017-03-03 (modified 2017-03-07)

I was strongly reminded about the scariness of non-secure websites the other day.

I’m using Xfinity as an internet service provider, and they give you a device that is both a cable modem and a router.

Here’s a tiny bit of backstory. I use a VPN, and I discovered that in using their modem directly, the VPN wouldn’t work. I’m not sure why. I didn’t dig into it very far, because I have a modem of my own I’d prefer to use. So I plugged that in, which worked… but not particularly well. The connection was spotty and slow, even right in my own house.


I think (maybe?) it was competing WiFi signals from the two routers sitting right next to each other. Don’t quote me on that. The reason I think that is because, fortunately, I was able to turn off the router on the Xfinity device, and that solved the problem. The speed and connectivity were back. To their credit, it was really fast. The Xfinity device has a feature called “Bridge Mode” that is specifically for turning off the router so that you can use your own. I was able to enable that, use my own router, get the speed back, and connect to the VPN.

Win! That lasted for a few months. Then recently there was some weird big internet outage in our area. Xfinity notified us about it. They had to push some updates or something to our device, and that broke everything again. I struggled with it for days, but what ultimately worked was turning off Bridge Mode, and turning it back on again (isn’t it always?).

In those in-between days, the only thing I could figure out to get online was to connect to the SSID “xfinitywifi” that this router seemed to be emitting. This “xfinity” network is unusual because it behaves kinda like a coffee shop or university hotspot in that it pops up that weird browser modal and you have to log in with your (Xfinity) credentials. It’s a value-add kinda thing for their service. Their routers are dotted all over the place, so if you’re a customer of theirs, you get internet (“for free”) a lot of places. My fiancée was at the doctor the other day, and she was using it there.

If that’s the network you’re connected to, Xfinity performs man-in-the-middle attacks on websites to send you messages. Here’s an example of me just looking at a (non-secure) website:

(Screenshot: the Xfinity popup injected into the non-secure website.)

Man-in-the-middle, meaning, this website had no such popup in its code. Xfinity intercepted the request, saw it was a website, and forcefully injected its own code into the site. In this case, to advertise an app and to tell you about security. Oozing with irony, that.

If they can do that, imagine what else they can do. (Highly recommended listening: ShopTalk #250) They could get even more forceful with advertising. Swap out existing advertising with their own. Install a keylogger. Report back information about what you’re doing and where you are. You might not even know if anything is happening at all.

This might seem a little tin foil hatish, but realize: they’ve already been incentivized to do this. All the incentive is there to keep milking value out of this superpower they have.

Some good news: Individual websites can stop this with HTTPS. That’s a massively good step. With HTTPS, the traffic packets are encrypted and Xfinity can’t read or manipulate them effectively. Through metadata, they might be able to guess what they are (e.g. know you’re streaming a video and throttle speed), but there isn’t much else they can do.

It’s not just this one indiscretion: Xfinity also uses this tactic to send you other messages.


@chriscoyier @XFINITY also how they warn you about bandwidth or billing issues. not fun.

— David Bisset (@dimensionmedia) February 24, 2017


@chriscoyier @XFINITY I have seen an ISP adding ads to bing home page. 😕

— AKT (@itsakt) February 25, 2017