Hacker News
by freneticfox 3118 days ago
The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

What will happen is someone at Comcast will notice that their injections aren't happening often enough anymore due to HTTPS adoption. Someone at Comcast will suggest implementing a MITM TLS proxy service to get things working again. Someone else at Comcast will note that wouldn't actually work because they can't install fake root certs on every client device...

Then Comcast will basically switch to a model where the HTTPS interception is "optional" (requiring the client side to use the proxy explicitly), but they'll start shipping some kind of "Comcast Setup" executable (or mobile app) users are supposed to run on their client laptops/phones so that they can get these important service notices, which turns on the client-side use of the proxy and installs the fake root certs. Geeks may not install it, but the bulk of their customers will, and everyone loses. I don't think broadband consumers are aware of the fact that they shouldn't trust software provided by their ISP...

2 comments

Chrome and all other browsers would quickly put an end to that.
> The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

That's my fear too. This has to be handled by other means and has to stop. If everything is HTTPS you can be sure it gets very insecure by design, as everyone will upgrade their capabilities and inject certs on you; then we would need a new, more secure protocol.

Why is email still insecure and sent in plain text? Why is there hype for HTTPS but everyone is fine with sending mail in plain text, yet we have S/MIME, etc., and no one is using or supporting it?