Comcast’s Impressive System for Notifying Infected Users

Posted by J.D. Falk on

Pretty much as long as there’ve been computers, one of the biggest challenges has been user education. How do you create software smart enough to inform a user when they’re about to do something potentially disastrous — or, worse, when something disastrous has been done to them?

As one of the world’s largest access providers, our partner Comcast has put a ton of thought into developing a notification system for their users. Their motivation is clear, and close to the heart of anyone working in security for end user systems: “to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.”

The solution Comcast developed involves, in effect, hijacking HTTP requests — in other words, interrupting web browsing — on the theory that users who don’t know that they’re infected (or even those who do) will continue accessing web pages.

Perhaps unfortunately, while they were doing this, Comcast also came under intense scrutiny in the U.S. over network neutrality issues (a topic which seems no closer to resolution today), while other access providers were slammed for monitoring users’ traffic and inserting extra ads into their browsing experiences (an idea that just won’t die). Reading the design document for Comcast’s system, which was published by the IETF last week as RFC 6108, it’s clear that Comcast took all of these concerns into account. Many are even called out as negatives directly in the requirements section:

“The system should not significantly alter the content of the HTTP response from any website the user is accessing.”

“Maintaining the privacy of users is important. As such, content flowing through or incidentally observed by the system must not be cached.”

“The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising. This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore, it must be made abundantly clear that this system will not be used for such purposes.”

And while it wasn’t listed as a requirement, it appears from the design document that most users’ web traffic will never be intercepted by this system — a relief for users concerned about privacy. Instead, the system is only applied to users whom Comcast feels need to be notified.

Though there are many vendors offering deep packet inspection appliances intended for enterprise networks, and some of those include interruptive notification features, Comcast designed this system to use commonly available open source software and open standards — specifically the Internet Content Adaptation Protocol (ICAP, RFC 3507) implemented by the venerable Squid caching proxy, GreasySpoon scripting framework, and Apache Tomcat.
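To make the ICAP step concrete, here is an added example (not taken from RFC 6108 or from Comcast's code) of the decision a response-modification service could make under the requirements quoted above: parse the ICAP `Encapsulated` header, pass everything untouched with a 204 unless the subscriber is flagged and the response is plain HTML, and otherwise add a single notice tag while keeping the original bytes. The notice URL, the hostnames, the `subscriber_flagged` input and the choice of a script tag are assumptions made for illustration.

```python
# Added example, not Comcast's code. Hostnames, NOTICE and the flag are constructed.
NOTICE = b'<script src="https://notify.example.net/notice.js"></script>'

def split_sections(encapsulated, payload):
    """Slice the ICAP payload at the byte offsets listed in the Encapsulated header."""
    pairs = [item.strip().split("=") for item in encapsulated.split(",")]
    names, offsets = [p[0] for p in pairs], [int(p[1]) for p in pairs]
    if offsets[0] != 0 or offsets != sorted(offsets) or offsets[-1] > len(payload):
        raise ValueError("bad Encapsulated offsets")
    return {n: payload[s:e] for n, s, e in zip(names, offsets, offsets[1:] + [len(payload)])}

def dechunk(data):
    """Decode the chunked body that follows the encapsulated HTTP headers."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # tolerate "0; ieof"
        if size == 0:
            return body
        body, data = body + data[:size], data[size + 2:]

def respmod_decision(encapsulated, payload, subscriber_flagged):
    """Return ('204', None) to pass the response untouched, or ('200', new_body)."""
    parts = split_sections(encapsulated, payload)
    status_line, _, rest = parts.get("res-hdr", b"").partition(b"\r\n")
    fields = {k.strip().lower(): v.strip() for k, _, v in
              (line.partition(b":") for line in rest.split(b"\r\n") if line)}
    adaptable = (status_line.split()[1:2] == [b"200"]
                 and fields.get(b"content-type", b"").startswith(b"text/html")
                 and b"content-encoding" not in fields      # never touch compressed bytes
                 and "res-body" in parts)
    if not (subscriber_flagged and adaptable):
        return "204", None                 # assumes the ICAP client sent "Allow: 204"
    body = dechunk(parts["res-body"])      # held only for this call, nothing is stored
    head, sep, tail = body.partition(b"</body>")
    if not sep:
        return "204", None                 # no safe insertion point: leave the page alone
    return "200", head + NOTICE + sep + tail   # original bytes kept, one tag added

def build_sample(content_type, body):
    """Constructed RESPMOD payload: request headers, response headers, chunked body."""
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type + b"\r\n\r\n"
    enc = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req), len(req) + len(res))
    return enc, req + res + b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
```

A real service returning the 200 would also have to rewrite `Content-Length` in the encapsulated response headers to match the new body.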

It’s an impressive design, and I think it’s even more impressive that Comcast has chosen to be so open with it. Not only are they encouraging and inviting honest discussion of the entire concept of interrupting users’ internet traffic to provide much-needed notification and education, they’re also giving the rest of the world a big head start on how to do it right.

Photo by Kevin Burkett on Flickr, used under a Creative Commons license.

