by ErikRogneby 3868 days ago
Wasn't there a project a while back where someone was building an open source modem/router from the ground up? A Kickstarter or something?
3 comments

Since you need a DOCSIS modem box and a router, I would suggest people put a router box you fully control behind your ISP's DOCSIS brick, and just assume the latter is compromised continuously.

I use pfSense on a USB stick in a little box with 2 ethernets.

Which, frankly, isn't even a paradigm shift. It just means the transition from trusted to untrusted is in your living room instead of on the street corner outside in the cable box.
What is a DOCSIS modem and why can't an open source one be built? Also, how does putting your router behind your DOCSIS modem help?

Genuinely curious, don't know much about networking.

DOCSIS is the standard for IP networking over cable TV infrastructure. An open source modem can't be built because there's a huge certification / documentation fee from CableLabs and part of the requirements involve the cable carrier being able to control/update the modem at their whim.

Putting your router behind the DOCSIS modem lets you firewall the modem the same way you'd firewall the Internet at large - that is, an attacker who compromises the modem wins the ability to specifically monitor your traffic, but does not immediately gain free access to your local network.

Would it be possible to just fake the cert or generate your own, in the same way that some people self sign SSL certificates instead of paying Verisign?
Parent wasn't talking about SSL certificates - you need to certify both hardware and software and pay a fee and the ISPs generally don't let you run your own firmware on the cable modem - heck they don't let the OEM update it either.
The cable companies need to be able to push firmware and settings to maintain the network and avoid abuse. So they have certification standards and you need to pay to play.

For example, with DOCSIS 2 modems, you could spoof the MAC address and make some config changes and get anonymous internet access at the highest service tier.

Why does the cable company need special powers that my DSL provider does not need?
Because cable is a shared RF resource, and your DSL line is (nominally) a point to point link.
It's a completely shared infrastructure from the demarc in your home to the local cable node. It's not very secure and pretty trivial to abuse. Remember this was an infrastructure originally implemented to distribute TV signal.

Because of that TV heritage and the way they grew (on a town by town franchise basis), cable networks were usually a patchwork of really shitty networks up until fairly recently. My (limited) understanding is that on relatively modern cable systems, there is fiber connectivity to the local nodes, and then coax from that device to the homes in the area.

DSL is a switched network of sorts, and provisioning happens on the switch in the CO. Ditto for fiber.

Yeah, no need to trust these things as firewalls.
What model box do you use? I've been looking for something affordable for the job.
If you can splurge a little, this little guy is awesome and includes support from the pfSense team:

https://store.pfsense.org/SG-2440/

Or you can buy one of these and flash it to pfSense yourself:

http://store.netgate.com/ADI/RCC-VE-2440.aspx

Cheap fanless motherboard with 2 NICs: https://www.amazon.com/gp/product/B006ICQ3FK/ref=oh_aui_deta... ... pay attention to the power supply brick, you might need a little adapter dongle for the mobo.

and a cheap case: https://www.amazon.com/gp/product/B003DXI288/ref=oh_aui_deta...

No hard drive, just a USB stick to boot the OS off and save his settings. pfSense in my case, a BSD variant.

https://www.indiegogo.com/projects/turris-omnia-hi-performan... is a recent attempt. No DOCSIS modem, though.
OpenWrt is the closest thing I can think of.
OpenWrt is for wireless access points and gateways, not modems.
It does support some DSL modems, though.
Ah, interesting. It sure does!