>>
http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>
>Al, I'll show my ignorance and ask how HTTPS would prevent this (pretty sleazy) behavior.
What Comcast is doing is essentially a man-in-the-middle (MITM) attack. One requirement for that to work is Comcast has to appear to be the site you're trying to reach (call it SiteX). But, for an HTTPS site they have to have the correct digital certificate. If they sink the traffic but don't have a cert the connection attempt will fail. If they try to present a fake cert your browser may warn you about "untrusted" or reject it outright if the cert was previously pinned (i.e. a copy of the real one stored in your browser).
On top of that, traffic to/from an HTTPS site is encrypted so the chances of a MITM being able to read and modify the traffic on the fly are low. Standard HTTP is just plaintext flying around so it's easy to do sleazy things like this.
Regards. Al
"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov
Neither a despot, nor a doormat, be
Every app wants to be a database app when it grows up
