Musings of an Open Source BOFH<br />warthog9<br />Mediacom: or how an ISP is blatantly violating my privacy.<br />2011-02-27T21:46:47Z<br /><br />So, some quick background information: I'm visiting my parents back out in the middle of the USA and they happen to have a fairly reasonable internet connection provided by Mediacom Cable. My parents only really have two choices for high-speed internet, Mediacom Cable and AT&T DSL. DSL should be awesome, but they live literally on the edge of town, so we have not always had a good path back to the copper loop - so cable it is.<br /><br />In the past few years ISPs have been abusing their power with DNS and doing NXDOMAIN (domain not found) redirects, mainly so that they can gain additional ad revenue from redirecting you to their search pages / engines. This, while annoying, is trivial to get around as we can run our own DNS servers, or make use of Google's, Level3's or OpenDNS's DNS servers as opposed to the ISP's. Sometimes the ISP goes slightly beyond this by proxying the DNS results, but Mediacom isn't guilty of this (that I know of). Mediacom is guilty of doing NXDOMAIN hijacking, but I long since switched off of their DNS servers as I blatantly don't trust them.<br /><br />While NXDOMAIN hijacking is evil, and I'm not alone in that belief, what I just found out today blows "evil" out of the water. Mediacom is doing deep packet inspection and is trapping web page 404s (file not found) and redirecting you to a Mediacom search webpage.<br /><br />What does this mean? It means if you type in http://www.example.com/i-miss-typed-something you should get a webpage that says "404 file not found", and the server should return the 404 status code in the header. In particular this error code is important for automated scripts, and for letting your browser know that something went wrong. 
Instead, what is returned is a webpage that redirects you (via JavaScript no less) to a Mediacom "search assistant", specifically <a href="http://assist.mediacomcable.com/mediacomassist_pnf/dnsassist/main/?domain=http://www.example.com/i-miss-typed-something">http://assist.mediacomcable.com/mediacomassist_pnf/dnsassist/main/?domain=http://www.example.com/i-miss-typed-something</a>, meaning your browser never knows something was wrong, and you don't get to a page that you were looking for.<br /><br />The only way for Mediacom to do this is to proxy all of their web traffic, and to inspect it as it's in flight. Why is this a major issue? It means that Mediacom is literally looking over your shoulder on every website you are viewing. This gives them the ability to do things like reading your bank account passwords and knowing what medical information you are searching for online. Mediacom, by definition, has always known what other machines you are talking to online, but they are now actively listening in on the conversations you are having. (<strong>Note: </strong>this is all a moot point if you are using encryption, i.e. HTTPS, thankfully, since they can't do proxying on that - well, sorta)<br /><br />It also means that Mediacom is <strong>CHANGING</strong> information before it gets to you. Right now they are modifying file not found pages, but what's to stop them from adding additional ads to webpages for their own benefit? What's to stop them from transparently redirecting you to re-written articles that claim to be from the original source?<br /><br />Mediacom gives an "opt-out" for this, which could have been fine: you change the routing table for the cable modem so that it bypasses the proxy and everything goes as normal. However, they didn't choose to implement it this way. 
No, the "opt-out" is a browser cookie that gets set for your specific browser, a browser cookie which is trackable in its own right, and which doesn't actually prevent your traffic from passing through the proxy at all.<br /><br />So far the only thing I've been able to find is that Mediacom is specifically paying attention to browser user agent strings, which are strings your browser sends to identify what it is. Command-line strings, like those for wget, elinks, etc., seem to not be given the JavaScript page, but things like Chrome, Firefox, iPhone, Android, etc. all seem to be given it.<br /><br />To say this is an outrage is an understatement; this is a gross violation of privacy and is nothing but a greedy and evil decision on the part of Mediacom.<br /><br />If you are on Mediacom, I hope you find this and get a chance to read it, and that you would politely, but firmly, let Mediacom know this is unacceptable. It would also be good to write your Senator and Congressmen about this, and to file a complaint against Mediacom with the FCC.<br /><br />Some additional links / information if you are interested:<br /><ul><li>More details on the JavaScript used - <a href="http://tumblr.dderek.com/post/183616295/mediacom-is-hijacking-page-requests-now">tumblr.dderek.com/post/183616295/mediacom-is-hijacking-page-requests-now</a></li><li>Mediacom's "Contact us" page - <a href="http://mediacomcc.com/contact_us.php">mediacomcc.com/contact_us.php</a></li><li>Mediacom's "Opt-out" page that very very briefly flashes as you are redirected - <a href="http://search.mediacomcable.com/prefs.php">search.mediacomcable.com/prefs.php</a><ul><li><strong>Note:</strong> this only changes a cookie in your browser; this will not prevent the traffic from flowing through their proxy</li></ul></li><li>Forum thread from 2009 that noticed this - <a 
href="http://www.broadbandreports.com/forum/r22985799-Cable-HSI-Hijacking-DNS">www.broadbandreports.com/forum/r22985799-Cable-HSI-Hijacking-DNS</a></li><li>FCC complaint about Mediacom's doings - <a href="http://www.manchicken.com/2010/ranting/response-to-mediacom-fcc.html">http://www.manchicken.com/2010/ranting/response-to-mediacom-fcc.html</a></li></ul>and I'm sure more can be found without too much issue.
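<br /><br />A way to check a connection for the 404 rewriting described in the post, as an added example that is not part of the original post: it classifies captured responses for a URL known to be missing on the origin and reports whether the rewrite depends on the User-Agent. The sample responses, the user-agent strings and the script-redirect pattern are constructed assumptions; only the shape of the assist URL comes from the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic (an assumption, not the ISP's actual script): script-driven navigation via
# location = "...", location.href = "...", location.replace("...") or location.assign("...").
JS_NAV = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""",
    re.IGNORECASE,
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return int(head.split("\r\n", 1)[0].split()[1]), body

def rewritten_target(requested_url, raw):
    """Return the off-site URL a missing page was redirected to, or None."""
    status, body = parse_response(raw)
    if status == 404:
        return None  # the origin's error reached the client intact
    origin = urlsplit(requested_url).hostname
    for match in JS_NAV.finditer(body):
        target = match.group(1) or match.group(2)
        parts = urlsplit(target)
        # Off-site destination that carries the URL we asked for in its query string.
        if parts.hostname not in (None, origin) and requested_url in unquote(parts.query):
            return target
    return None

def user_agent_dependent(requested_url, responses):
    """responses maps User-Agent -> raw response; True if only some agents are rewritten."""
    hits = {rewritten_target(requested_url, raw) is not None for raw in responses.values()}
    return len(hits) > 1

# Constructed sample responses for a URL known not to exist on the origin.
URL = "http://www.example.com/i-miss-typed-something"
ORIGIN_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>404 file not found</h1>"
INJECTED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<script>window.location = "http://assist.mediacomcable.com/mediacomassist_pnf/'
    'dnsassist/main/?domain=' + URL + '";</script>'
)
SAMPLES = {"Wget/1.12 (linux-gnu)": ORIGIN_404, "Mozilla/5.0 (constructed browser UA)": INJECTED}

if __name__ == "__main__":
    for ua, raw in SAMPLES.items():
        print(ua, "->", rewritten_target(URL, raw))
    print("user-agent dependent:", user_agent_dependent(URL, SAMPLES))
```

To use it on a live connection, capture the raw responses for the same nonexistent path once with a command-line user agent and once with a browser user agent, and pass them in place of the constructed samples.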