Nice!

I'm still chugging away with ADSL2, but as a result of living within sight of my local telephone exchange where all the DSLAMs reside, I get almost the best download speed that the technology offers - I get pretty much all of the "up to 20 MiB/s" that my ISP advertised... however, the max upload speed is a fairly pitiful 1.3 MiB/s. That right there makes things like cloud storage less than amazingly useful.

I've got at least 4 different ISPs offering fibre to the cabinet where I live; once my contract period is up with my current ISP, I'll be doing some research and weighing up my options.

(Edit) Here's what speedtest.net has to say about my connection:

Wow!

I just upgraded to a DOCSIS 3.0 one year ago. I didn't realize what I was missing. Updates used to take all night. It was getting ridiculous, so I compared the specs of my rented modem to the current accepted hardware list and found out it was outdated. I wasn't getting anything close to advertised speeds.

This is what speedtest.net says about my connection:

Only 95 Mb/s?

At home on VDSL it's about 32Mb/s with 3.2 upload.
Living in an agricultural area I'm not holding my breath waiting for Fiber.

Here in this Aberdeen, Scotland, apartment hotel it is a bit less:



And that's only because some neighbouring bandwidth hogs seem to be out...

CenturyLink DSL. I'm paying for 12 which is the highest available where I live.

Hey. We know you guys in Japan have had better broadband since like the 19th century and all. Give us a break, mmmmkay?

http://blog.ryankearney.com/2013/01/...r-web-traffic/

Came across this during a random web ramble... does that make you love Comcast a little less?

Apparently (so I've read) the script they inject "polls Comcast servers once every five seconds from each tab you have open, consuming data. Also, it overrides common global javascript variable and css class names (like .header, and .logo) for its own purposes, thus breaking many websites."

Well, while the behaivor is reprehensible, I'm having trouble getting majorly worked up about it. If we take it for a given that few customers read their comcast.net/com emails, what other notification mechanism is there? I will study that code a bit because it's interesting, but it's borderline hyperbole to call this a privacy invasion. Clear-text HTTP cannot be, by definition, private.

For an alternate notification method, I'd suggest good old SMS*. As part of signing up for the service, the customer provides his/her cell number, and gets alerts via that method. Or (even easier), Comcast could ask their customers if they have a different, preferred email address that they'd like to receive account status alerts on.

I'd like to hear your opinion on the security implications of the practice of ISPs injecting arbitrary scripts into every non-encrypted page. Does it (as an extreme example) open up the possibility of an MITM attack? Should the paranoid do all of their web browsing over a VPN connection or TOR?

Hmm (musing here) if usage of VPNs increases sufficiently, might ISPs who primarily cater to home users start blocking Generic Routing Encapsulation?

* Just remembered that SMS might not be the best method in the US, or anywhere else where you can get charged to receive an SMS. My mind still boggles over the entire concept of the receiver paying any part of the cost.

Alternate email: good. SMS: not so good, because in a few places in the US, incoming isn't free as you mention. Not everyone (shock!) has a mobile phone, either.

Clear-text traffic should have no expectation of privacy or integrity. The political liberal in me bristles at the mere thought of interception and injection. But this one of those cases where the security engineer in me gets to override that. In so many places along the path from a browser to a server, there exist points at which traffic can be snooped or manipulated. Purely for the sake of engineering and network upgrade maintenance, you should know that ISPs already capture a large portion of traffic via span ports on switches. ISPs have been hijacking NXDOMAINs for a long time, and no amount of bitching has brought about change. This new thing that Comcast is doing doesn't seem all that different.

If you want to protect against eavesdropping, use encryption. If you want to protect against modification and MITM attacks, use digital signatures. A VPN will take care of both of these; TOR protects privacy but not integrity. And if $ISP blocks GRE, then somebody will figure out how to do GRE over HTTP(S).

More thoughts.

In an ideal world, ISPs would be govered by common carrier laws, which have (historically) placed for more restrictions on what carriers can do to/with traffic. But through vociferous lobbying, ISPs are regarded as information services, which -- in the US, anyway -- aren't as regulated. Yes, I absolutely hate that nobody with power seems to care about the erosion of privacy online. But it does little good to sit in a cave and moan, because too many moneyed interests benefit from the status quo. I'd much rather spend my energies on helping people figure out how to use existing technologies to achive a modicum of privacy and integrity that's known to work.

Thanks Steve, it's always good to get an informed opinion rather than jumping to possibly erroneous conclusions as a result of righteous indignation with a dash of paranoia

The thing that bothers me about all this is the aspect of "creeping normalcy" of it all.

First we got the hijacked NXDOMAIN shenanigans, then ISPs doing fairly benign script injections as in the case of Comcast, and then you end up with much less benign stuff like this: How a banner ad for H&R Block appeared on apple.com—without Apple’s OK. It makes me worry what will be next.

I foresee a future where I feel compelled to sign up for a VPN service. *Sigh* like I can afford any extra expenditures these days, no matter how small

Oh yeah, the normalcy indeed creeps me out. And I'm certainly not above a little righteous indignation every once in a while, especially when I'm giving public presentations!

While VPNs can be useful to hide from your own ISP, you have to trust that the other end of the VPN has a "better" ISP. It's likely that you won't be able to have much confidence about this unless you're using, say, Amazon Web Services to host your VPN server. They don't have an ISP; they connect directly to the backbone at multiple POPs all over the world. (And, yes, I would trust AWS for hosting a VPN server. But it isn't free, of course.)

That article you pointed to is very creepy. I see a distinction between Comcast's actions for customer notification and these other ISPs injecting ads even though you've paid for the service. A healthy dose of righteous indignation is called for here.

But wait -- we're already seeing the same stuff with Facebook's "Like" button everywhere. That little button drops a cookie on your machine, you know that, right? Facebook can track you across the web even if you aren't a customer their product. This is why I've added facebook.com, facebook.net, fb.com, and fb.net to my hosts blocking file. Eat my RST, Mark Zuckerberg, you miserable little prick.

I don't see those Facebook "Like" buttons anywhere, thanks to the Ghostery add-on for Firefox. It also strips out G+'s "+1" buttons, and buttons from Twitter, Reddit, StumbleUpon, and several more.

I also use AdBlock Plus and NoScript, and have enabled Firefox's "Do Not Track" feature (not that I put much faith in that last one). I even went so far as to install the GreaseMonkey add-on just so I could use user-scripts to remove adf.ly and similar redirects.