Hacker News
by andreasley 3903 days ago
It's not about Verizon. Of course they know where their users connect to. But by injecting a special HTTP header field, they make it possible for third parties to track the user – for example an ad network that serves ads on sites the user visits. Regular cookies are limited to certain domains, but this header is added to every request, making it cross-domain. HTTPS would prevent Verizon from injecting it.
3 comments
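
An added example, not part of the thread: one way to check a connection for the injection described in the post above is to send plain-HTTP requests to echo endpoints you control on two different domains and compare what left the client with what arrived. The hosts, the header name `X-Example-Subscriber-Id` and its value are constructed placeholders, and the entropy threshold is an assumption.

```python
import math
from collections import defaultdict

# Headers ordinary proxies add; excluded so they are not reported as identifiers.
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}

def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request head into {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def injected_identifiers(pairs, min_entropy=3.0):
    """pairs: (host, request as sent, request as the server received it).
    Report headers added in transit whose identical high-entropy value shows
    up on more than one host, i.e. a cross-domain identifier."""
    hosts_by_header = defaultdict(set)
    for host, sent, received in pairs:
        sent_h = parse_headers(sent)
        for name, value in parse_headers(received).items():
            if name not in sent_h and name not in PROXY_HEADERS and value:
                hosts_by_header[(name, value)].add(host)
    return sorted((n, v, sorted(h)) for (n, v), h in hosts_by_header.items()
                  if len(h) > 1 and entropy(v) >= min_entropy)

# Constructed sample: the header name and value are hypothetical placeholders.
def _req(host, extra=b""):
    return (b"GET / HTTP/1.1\r\nHost: " + host.encode() +
            b"\r\nUser-Agent: probe/1.0\r\n" + extra + b"\r\n")

INJECTED = b"X-Example-Subscriber-Id: k3Jq9ZpT7wLm2XcV8bN4\r\n"
SAMPLE = [
    ("news.example", _req("news.example"), _req("news.example", INJECTED)),
    ("shop.example", _req("shop.example"),
     _req("shop.example", b"Via: 1.1 proxy\r\n" + INJECTED)),
]

if __name__ == "__main__":
    for name, value, hosts in injected_identifiers(SAMPLE):
        print(f"{name}: {value} seen on {', '.join(hosts)}")
```

Running the same comparison over HTTPS should report nothing, since the request headers are not visible to the network in transit.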

They may not be able to inject HTTPS, but they can offer an API that will map IPaddress:port to identity (as one mentioned here[1]), for only a bit more overhead than tampering with HTTP headers and without breaking TLS.

If they want to make some possibly non-standard protocol adjustments they mutually understand, they should be able to inject it, too. Researching the protocols/crypto to understand that more and trying to produce a POC are side-projects on my list, maybe some day.

The root of the issue is that your ISP often knows who you are, every site you connect to knows who your ISP is, and they have incentives to trade notes on you and few reasons not to.

[1] https://news.ycombinator.com/item?id=10357583

I'm sure the three-letter agencies also love it. But as we know now, the agencies don't have to rely on extracting cookies from intercepted traffic in this particular case: Verizon will happily go above and beyond the call of duty and betray the trust the customers put in them.
The HTTP header was really the lowest tech they could've used and feels like more of a stopgap.

Most ISPs will use tracking at a much lower network layer and provide APIs for partners to match up IDs on demand. No need for HTTP headers.