Monday, October 22, 2018

HTML Injection for the Better Good?

This is surprising and it doesn't make me feel good.


HTML Injection in the bottom right.
This morning I received an e-mail from my ISP (Cox) stating that I'm getting close to my 1 TB monthly bandwidth limit. This is the first time I've received any type of warning from Cox. I clicked the link in the e-mail which gave me daily and monthly bandwidth usage stats for the previous two months. Everything quickly seemed to make sense. This month, I ran several upgrades for my laptop and iPhone plus I began storing my 100,000+ photos and videos in iCloud, so the extra bandwidth usage all seemed correct.

But then Cox went one step further.


HTML injections by Cox into a random website I was viewing.

Later in the day, as I was surfing the Web, I was surprised to see an HTML injection ("Cox Browser Alert") into an online article I was reading on a non-SSL/TLS news website. Again, Cox was reminding me that I was approaching my bandwidth limit. While this is clever, HTML injections feel a bit like a personal violation.

Unorthodox

Having an ISP inject HTML into a webpage is analogous to the USPS opening a third-party envelope that's addressed to me and placing a note, inside the envelope, that I have some business to conduct with the USPS (i.e. a registered letter to pick up, an unpaid USPS bill, etc.). It's great that they went above and beyond to let me know. But it's also a scary reminder that man-in-the-middle attacks... or at least interference... are very simple for ISPs to do; and this is much worse than when they hijack a 404 page.
