Home / Blogs

Comcast’s Impressive System for Notifying Infected Users

Pretty much as long as there’ve been computers, one of the biggest challenges has been user education. How do you create software smart enough to inform a user when they’re about to do something potentially disastrous—or, worse, when something disastrous has been done to them?

As one of the world’s largest access providers, Comcast has put a ton of thought into developing a notification system for their users. Their motivation is clear, and close to the heart of anyone working in security for end user systems: “to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.”

The solution Comcast developed involves, in effect, hijacking HTTP requests—in other words, interrupting web browsing—on the theory that users who don’t know that they’re infected (or even those who do) will continue accessing web pages.

Perhaps unfortunately, while they were doing this Comcast also came under intense scrutiny in the U.S. over network neutrality issues (a topic which seems no closer to resolution today), while other access providers were slammed for monitoring users’ traffic and inserting extra ads into their browsing experiences (an idea that just won’t die.) Reading the design document for Comcast’s system, which was published by the IETF last week as RFC 6108, it’s clear that Comcast took all of these concerns into account. Many are even called out as negatives directly in the requirements section:

“The system should not significantly alter the content of the HTTP response from any website the user is accessing.”

“Maintaining the privacy of users is important. As such, content flowing through or incidentally observed by the system must not be cached.”

“The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising. This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore, it must be made abundantly clear that this system will not be used for such purposes.”

And while it wasn’t listed as a requirement, it appears from the design document that most users’ web traffic will never be intercepted by this system—a relief for users concerned about privacy. Instead, the system is only applied to users whom Comcast feels need to be notified.

Though there are many vendors offering deep packet inspection appliances intended for enterprise networks, and some of those include interruptive notification features, Comcast designed this system to use commonly available open source software and open standards—specifically the Internet Content Adaptation Protocol (ICAP, RFC 3507) implemented by the venerable Squid cacheing proxy, GreasySpoon scripting framework, and Apache Tomcat.

It’s an impressive design, and I think it’s even more impressive that Comcast has chosen to be so open with it. Not only are they encouraging and inviting honest discussion of the entire concept of interrupting users’ internet traffic to provide much-needed notification and education, they’re also giving the rest of the world a big head start on how to do it right.

(This article was originally published on Return Path’s Received: blog.)

By J.D. Falk, Internet Standards and Governance

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com