“How frequently are the honesty and integrity of a man disposed of by a smile or a shrug. How many good and generous actions have been sunk into oblivion by a distrustful look, or stamped with the imputation of bad motives, by a mysterious and seasonable whisper!”
Sterne
At the start of my business meeting I was working away with nary a care in the world, and then ESET Antivirus starts freaking out and I can’t reach any website or service: Teams is broken, Outlook stops delivering and receiving and soon I have hundreds of alerts from ESET that bing.com might be hosting a Potentially Unwanted Application…
 
I mean, Bing is a PUA, but having everything suddenly break looks an awful lot like a malware infection.  Fortunately for me it wasn’t, but unfortunately for me it was because Comcast silently enabled Web Filter Protection.  ESET was alerting to the fact that every website I was going to was being proxied by Comcast as a Man in the Middle.
 
This article is about what this means, detection and what you can do to protect your privacy.

Update, 3/4/24 – People are having a terrible time getting SecurityEdge disabled, and when they do Comcast charges significantly more for their service.  This is a clear indicator they’re monetizing your data, i.e., selling to advertisers information about you such as where you go, what you do, what you like, et al. The trick is to update your contract and force them to remove it or threaten to leave (so it’s handled by customer retention, NOT customer service).

I got the Security Edge problem solved today, and now have just a clean "pipe" to the Internet like I wanted... ALL you need to do when you renew your service is to insist on a plan/contract that DOES NOT have Security Edge.... IT'S the contract that decides it. SO when you make your new contract, simply refuse to agree to any contract that has Security Edge, and make sure this is the case before you sign it.... She made it sound like I had no choice. YOU DO have a choice.

First things first: ESET NOD32 rocks!

I’m not one to preach one antivirus vendor over another but ESET’s suite of antivirus products is the best I’ve ever seen in my IT career, effectively stopping some of the worst malware there is.  In the worst case, it will self-sacrifice and fall on its sword before it lets your computer suffer.

ESET also doesn’t tolerate adware or business-endorsed junk that pays other vendors like Symantec or McAfee to look the other way.  I refuse to pay for anything on my computer, but I buy ESET.

ESET’s website filter is what caught this whole event in the first place, detecting that websites were NOT from the original website server but from a third party.  This is called a Man in the Middle attack, and it can be hard to spot.

When it comes time to buy ESET, you don’t need anything more expensive than their bottom-tier NOD32 product. It’s cheap and effective.

Man in the Middle / MitM Attacks

A Man in the Middle is just that: someone between you and your website.  Consider online banking or getting your email: if someone else is rendering your website, that someone is able to see everything on it.  This situation is otherwise known as “bad”, and web browsers and service providers go to great lengths to prevent it from happening.

For example, pull up another web browser tab and go to Google (https://www.google.com) – see the little lock icon?

The little padlock – sometimes a green icon, it can look different per browser – is supposed to mean that the page you’re on really is Google, and that someone else can’t see what you’re typing and can’t see what you’re getting back. They can’t see your bank account balance, the email from your mistress, or your business emails either, it’s private.

A Man in the Middle defeats this security, and if carefully executed that padlock icon will still be there while it’s happening.

It’s not an attack, it’s a FEATURE!

Now we’re getting into the heart of the matter: Comcast Business and XFinity Fi have security products called Web Filter Protection, Malware, Phishing and Botnet Protection and XFi Advanced Security that are intended to protect you from phishing emails, hostile websites and other scary places on the Internet, including sites about sex education and greeting cards (not kidding, screenshots follow). 

Question: how do these products know you’re going someplace scary?

Answer: they monitor every site you visit and decide whether you should see it.

Comcast isn’t the only company that does this, just about everyone else wants to protect you too:

  • Microsoft SmartScreen is a cloud-based “feature” that uploads every site you go to for review
  • Mozilla Firefox has “Deceptive Content and Dangerous Software Protection” and “Enable DNS over HTTPS” to a specified provider (not itself evil, but you should know what it does before you turn it on).
  • Google Chrome has SafeBrowsing that will “protect [you] from dangerous websites”.

There are three ways these protection systems can work:

  • Review the site’s encryption certificate and check that it matches the site: if you hit google.com but the certificate was issued for starbuckscoffee.com, you have a problem. This is what ESET does, and it’s non-invasive.
  • Voluntarily send your website information to a business for review. This is what Microsoft, Mozilla and Google are doing.
  • Don’t mess around: intercept absolutely everything going across the wire while still pretending to be the original site. This is what I discovered Comcast’s security products do, and since Comcast is the Internet Service Provider, it spies on not only your browsers but every smartphone in your house and even your TV. It’s quietly enabled by default and you’d never otherwise know it’s happening.

You need to be aware of these features being automatically and silently enabled on just about every product you use, from iPhone and Android to all browsers, and even your Internet Service Provider!  When there’s an upgrade or a new “feature” of its kind available, it will be automatically installed, or re-enabled if you’ve previously disabled it.  You need software that can detect this for you, or you’ll never catch it.

Technical Details – How It Started

This is an example of the alerts I received by the hundreds. Nowadays “thick” apps (such as Steam, Outlook, etc.) are really just mini browsers. In this case I was running Steam in the background and this website URL alert came up.

It wasn’t an encrypted page (https), but ESET still knew that the data intended for the Steam app wasn’t really coming from steampowered.com.

At this point every application was broken and stopped, I couldn’t work.

I pulled up a command prompt and issued “ping microsoft.com” and I got an IP address.  I then pinged “google.com” and got the exact same IP address…!  Ping cnn.com, same IP, ping steampowered.com, get the same IP…!  This isn’t supposed to be happening.

I pulled up the command prompt and used nslookup to troubleshoot. 


nslookup is a command line tool that asks a DNS server of your choosing to return the IP address for a specific domain.  For testing, I used one.one.one.one, which is Cloudflare’s public DNS resolver.  It makes things easy because the IP for one.one.one.one is 1.1.1.1!

– First query to 9.9.9.9 shows that one-dot’s IP address starts with 104, which is impossible.

– Second query goes straight to 1.1.1.1 itself, and even it came back with the same result starting with 104!

– I then used my internal PiHole server, which does all DNS queries over VPN. It correctly returned 1.1.1.1 .


These results prove that Comcast was executing a Man in the Middle attack and pretending to be Quad9 or Cloudflare, transparently returning their proxy page instead of the other providers’ real responses.
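The three tells described above (every unrelated name coming back as the same address, a self-identifying canary like one.one.one.one not answering 1.1.1.1, and public resolvers disagreeing with a resolver you trust) can be checked mechanically. The script below is an added example, not code from the original post; the answer table it runs on is constructed to mirror the post’s nslookup runs, with 203.0.113.x documentation addresses standing in for the real records a clean resolver would return. The resolver label “pihole-over-vpn” and the `live_lookup` helper (which only queries whatever resolver the OS is configured with) are assumptions of the example.

```python
"""Flag a transparent DNS interceptor from a table of resolver answers.

Added example, not the post's own code.  Input shape:
    {resolver_label: {domain_name: answered_ip}}
The sample table is constructed; 104.225.12.29 is the address the post
reports seeing for every name, 203.0.113.x are documentation addresses.
"""
import socket
from collections import defaultdict
from typing import Dict, List, Tuple

# Names whose correct answer is public knowledge, so they double as canaries.
CANARIES = {"one.one.one.one": {"1.1.1.1", "1.0.0.1"}}
INTERCEPTED = "104.225.12.29"  # address the post saw for every lookup

NAMES = ("one.one.one.one", "microsoft.com", "google.com", "cnn.com")

# Constructed sample: two public resolvers whose answers were rewritten on the
# wire, and a trusted resolver ("pihole-over-vpn" is a hypothetical label).
SAMPLE_RESULTS: Dict[str, Dict[str, str]] = {
    "9.9.9.9": {n: INTERCEPTED for n in NAMES},
    "1.1.1.1": {n: INTERCEPTED for n in NAMES},
    "pihole-over-vpn": {
        "one.one.one.one": "1.1.1.1",
        "microsoft.com": "203.0.113.10",
        "google.com": "203.0.113.20",
        "cnn.com": "203.0.113.30",
    },
}


def collapsed_answers(answers: Dict[str, str], min_names: int = 3) -> Dict[str, List[str]]:
    """Addresses that at least `min_names` different names resolved to.

    Unrelated sites sharing one IP is the post's "ping everything, same IP" tell.
    """
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def canary_mismatches(answers: Dict[str, str]) -> Dict[str, str]:
    """Canary names whose answer is not one of the publicly known addresses."""
    return {
        name: answers[name]
        for name, expected in CANARIES.items()
        if name in answers and answers[name] not in expected
    }


def disagreements(answers: Dict[str, str], trusted: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names where this resolver's answer differs from the trusted resolver's."""
    return {
        n: (answers[n], trusted[n])
        for n in answers
        if n in trusted and answers[n] != trusted[n]
    }


def assess(results: Dict[str, Dict[str, str]], trusted_resolver: str) -> Dict[str, List[str]]:
    """Run all three checks per resolver and return human-readable findings."""
    trusted = results[trusted_resolver]
    report: Dict[str, List[str]] = {}
    for resolver, answers in results.items():
        findings = []
        for ip, names in collapsed_answers(answers).items():
            findings.append(f"{len(names)} unrelated names all resolve to {ip}: {', '.join(names)}")
        for name, ip in canary_mismatches(answers).items():
            findings.append(f"canary {name} answered {ip}, expected one of {sorted(CANARIES[name])}")
        if resolver != trusted_resolver:
            for name, (got, want) in disagreements(answers, trusted).items():
                findings.append(f"{name}: {got} differs from trusted answer {want}")
        report[resolver] = findings
    return report


def live_lookup(names=NAMES) -> Dict[str, str]:
    """Ask the system resolver (whatever the OS is configured with) for each name.

    Not run at import time; combine its output with answers gathered from other
    resolvers (for example via nslookup) to build the table `assess` expects.
    """
    return {n: socket.gethostbyname(n) for n in names}


if __name__ == "__main__":
    for resolver, findings in assess(SAMPLE_RESULTS, "pihole-over-vpn").items():
        print(resolver, "->", findings or "clean")
```

The trusted resolver is deliberately run through the collapse and canary checks too, so a VPN tunnel that has silently dropped to the ISP path shows up in the same report.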

Just for the extra confirmation, I pulled up Wireshark and reviewed every packet to prove the same thing.

The above shows the raw DNS packets.  Notice that my .local domain name (redacted) is appended to every query, so each lookup runs twice; this is normal behavior for every Windows machine.  It confirms resolution of one.one.one.one to 104.225.12.29, which is absurd.
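To make sense of what Wireshark shows in a capture like the one above, it helps to see how an A-record answer is laid out on the wire. The code below is an added example and not part of the original post: it builds a DNS response in RFC 1035 wire format (a constructed packet, not a capture) carrying the 104.225.12.29 answer for one.one.one.one, then parses it back, including the 0xC00C compression pointer that points the answer name at the question. The transaction ID and 60-second TTL are arbitrary values chosen for the example.

```python
"""Build and parse a minimal DNS A-record response (RFC 1035 wire format).

Added example, not code from the original post.  The packets here are
constructed in-process; nothing is sent on the network.
"""
import struct
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """Encode 'one.one.one.one' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(name: str, ip: str, txid: int = 0x1234, ttl: int = 60) -> bytes:
    """Constructed response: header, one question, one A answer.

    Flags 0x8180 = QR (response), RD, RA, RCODE 0.  The answer's name field is
    the compression pointer 0xC00C, i.e. "same name as at offset 12", which is
    where the question name begins right after the 12-byte header.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at `offset`, following compression pointers.

    Returns (name, offset just past the name as it appears in the stream), so
    the caller keeps parsing from the right place even after a pointer jump.
    """
    labels: List[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer, low 14 bits are the target offset
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 16:  # defensive: a hostile packet could loop pointers
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(packet: bytes) -> Dict:
    """Parse header, question section and A records from a DNS response."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = read_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    a_records = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record
            a_records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "a_records": a_records}


# Constructed packet reproducing the answer the post's capture showed.
INTERCEPTED_PACKET = build_a_response("one.one.one.one", "104.225.12.29")

if __name__ == "__main__":
    print(INTERCEPTED_PACKET.hex(" "))
    print(parse_response(INTERCEPTED_PACKET))
```

Run stand-alone it prints the packet bytes, which you can line up against the Packet Bytes pane in Wireshark: the `68 e1 0c 1d` at the very end is 104.225.12.29.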

The above shows the DNS query through my PiHole server, which does all queries over Spread Spectrum VPN. It returned the correct result for one.one.one.one .

Fixing the Problem

I researched the 104.225.12.29 IP address to find that it’s often related to website errors and specifically errors by Comcast customers. Further research finally provided a name: Web Filter Protection.
 
I logged into the Comcast Business administration portal and found that this “feature” had been quietly re-enabled.  I started service many years ago and turned it off on the first day: there was no call for it to be back on.  After I turned it off, ESET stopped alerting and my computer resumed normal operation.

Notice that while you can turn Web Filters off, they tell you that Malware, Phishing and Botnet Protection remains on and that you cannot turn it off! This is because Comcast monitors what goes out your Internet connection, and if they detect a mail flood, malicious/viral payloads or your computers reaching out to thousands of computers per second, they’ll shut your account off until you resolve the situation.

This, ladies and gentlemen, is why you need a VPN at all times.  The intent is good and will indeed protect your average Jack and Jill, but they do achieve this protection at the cost of your privacy. There is no recourse because Comcast will say it’s protecting other subscribers from you if you get infected, and protecting their circuits from malicious floods, preserving your bandwidth and keeping your costs down.

What you can do

First, run ESET – nobody does it better.  News articles about “Is antivirus software dead?” are just incredibly ignorant and not worth the time to read, yes, you need it, go get it.  If you have McAfee, you still don’t have antivirus protection even though their marketing team says you do, it’s a lie.
 
Second, turn Web Filters off but enable all categories to block absolutely everything!  This way if you don’t have ESET or your phone stops working, you know Comcast quietly turned this “feature” back on again.
 
Notice in the screenshots below, Web Filters is off but Protection Level is custom and all categories are blocked.

Some things to notice here are the categories of sites to be filtered – there is no context that any household should ever block these things.  If you can’t allow Art because you don’t want your children to see Venus DeMilo’s dirty boobies, you have problems other than security.  If you can’t handle Greeting Cards or don’t want to get infected with other people’s Politics and be bothered with how laws are passed in your own country, I can’t help you.    Sports is violence!  Scary!  Sex Ed, can’t have that…

Do you think articles about Trump would be categorized under cults? That’s a matter of opinion – form your own.

When you allow someone else to set your Internet filters, you relegate control of your own education and exposure to what’s happening in the world to someone else. You stop really parenting, and can’t even speak intelligently to your children about what they learn in school when they get home.

Lastly: log into the service portal (business or home) and watch what websites they see you visiting:

This is valuable because a) it reminds you that you have no privacy with any website you visit unless you use a VPN, and b) it demonstrates whether your VPN is working, because if it is, they shouldn’t have any websites listed.

Reminder: when you visit this portal, keep checking that Web Filters are OFF because ON is the default, and they’ll flip it back on just because you logged in to ensure it’s off!

I hope you found this article helpful.  Keeping an eye on your ISP, browsers, cell phone settings and other defaults takes time – hours – and they make it complicated on purpose. Fight the good fight.
