Comcast has a mission. That mission is to be the single most dickish company in the world. Between its horrible customer service, attempts to convince people it supports net neutrality through shady marketing, and continued attempts to regulate competition out of existence, Comcast has gotten far in realizing its goal. But all of this still isn’t enough to win the crown of dickishness, so Comcast is now injecting advertisements into webpages served by its publicly accessible Wi-Fi access points:
Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.
A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.
The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.
Now that’s some dickish behavior! Injecting code into a page without the permission of the page owner is something mostly attributed to malicious software. Granted Comcast is pretty malicious so I believe calling its injected ads malware isn’t dishonest. But this story also makes another very important point:
One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.
There’s no reason in this day and age for a website to have an unsecured connection available. Companies like StartSSL will provide free Transport Layer Security (TLS) certificates for personal use and charge a very reasonable fee for commercial use. Almost every (I’m not actually aware of any exceptions) personal computer, tablet, and smartphone made in the last decade is capable of communicating via secured connections. If you’re running a website, get a TLS certificate, load it on your server, and force the unsecured connection to redirect to the secured connection (that’s what I do on this site). For those of you who are using a hosting service that doesn’t give you the option of enabling TLS, demand that they offer that capability or provide the certificates and enable TLS for you. Allowing only TLS connections not only prevents third parties from eavesdropping but also prevents third parties from altering pages in transit. We’re at a point (and have been for a long time) where the benefits of TLS far outweigh the negatives.
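A check a site owner can run after setting up the redirect described above, as an added example that is not from the original post: it inspects the response a server gives on its plain-HTTP port and reports whether page content is still served unencrypted or the redirect fails to reach HTTPS. The function names and the sample responses (for the placeholder host blog.example) are constructed for illustration.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

def parse_response(raw: bytes):
    """Split the head of a raw HTTP/1.x response into (status, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_plain_http(raw: bytes) -> list:
    """Return findings for the response a site sends on its plain-HTTP port."""
    status, headers = parse_response(raw)
    if status not in PERMANENT | TEMPORARY:
        # Any page body sent here can be altered in transit.
        return [f"status {status}: content served over plain HTTP, no redirect"]
    findings = []
    # A relative Location ("/post") has no scheme, so the client stays on HTTP.
    if urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("redirect target is not an absolute https:// URL")
    if status in TEMPORARY:
        findings.append(f"status {status} is temporary and not cached by default")
    return findings

# Constructed sample responses, not captured from any real server.
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://blog.example/post\r\n\r\n")
SERVES_CONTENT = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>page</html>")
RELATIVE = b"HTTP/1.1 302 Found\r\nLocation: /post\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("serves content", SERVES_CONTENT),
                      ("relative redirect", RELATIVE)]:
        print(name, "->", audit_plain_http(raw) or "ok")
```

The redirect response itself still travels unencrypted, so a clean result here confirms only that no page content is served on the plain-HTTP listener.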