On a broader level this is why the FCC is IMHO wrong in not considering broadband a telecommunication service. As ISPs inject their content (including advertising) into third party content, they essentially take over said content. E.g., if someone requests access to my content via their service, besides any corruption of functionality, artistic work and even intended meaning, any revenue generated by this is directly drawn from my content without license. From my perspective as a potential content provider, this is clearly a violation. It may be even a violation of existing contracts, e.g., if there's a no third parties clause involved in an existing advertising contract the content provider has agreed to.
From which quite naturally follows, if broadband providers in the US consider themselves content services rather than telecommunication services, they have to acquire licenses for the content they provide, as well. (Xfinity may have your billing address?)
As a content provider this is why you need HTTPS, and it's why you should ensure your certificate is in the transparency logs, and that your site requires CT entries.
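An added example (not from this thread) of what "requires CT entries" looks like from the server side: a small checker that parses a site's Strict-Transport-Security and Expect-CT response headers and reports whether the site actually commits clients to HTTPS and to enforced Certificate Transparency. It assumes the Expect-CT header as the mechanism (browsers have since deprecated it in favour of always-on CT enforcement), and the header sets are constructed samples, not real captures.

```python
from typing import Dict, List

def parse_directives(value: str, sep: str) -> Dict[str, str]:
    """Split a directive list (HSTS uses ';', Expect-CT uses ',') into a dict.
    Bare directives such as 'enforce' map to an empty string."""
    out: Dict[str, str] = {}
    for part in value.split(sep):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return ""

def assess(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means HTTPS and CT are both enforced."""
    findings: List[str] = []
    hsts = parse_directives(get_header(headers, "Strict-Transport-Security"), ";")
    max_age = hsts.get("max-age", "")
    if not max_age.isdigit() or int(max_age) == 0:
        findings.append("no HSTS: plain-HTTP requests can still be rewritten in transit")
    ct = parse_directives(get_header(headers, "Expect-CT"), ",")
    if not ct:
        findings.append("no Expect-CT: the site does not require CT-logged certificates")
    elif "enforce" not in ct:
        findings.append("Expect-CT is report-only: a certificate without SCTs is still accepted")
    elif not ct.get("max-age", "").isdigit() or int(ct["max-age"]) == 0:
        findings.append("Expect-CT has no usable max-age: the policy is not cached")
    return findings

# Constructed sample responses (hypothetical values).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.invalid/ct"',
}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=0", "Expect-CT": "max-age=86400"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, assess(hdrs) or ["ok"])
```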
However, this is more like "better have a lock so that thieves have a harder time breaking the door". If the US are making IP violations legal, they put themselves in danger of being treated like other countries who are considered to notoriously ignore IP as part of their overall business model.
The sad thing is that with many kinds of cybercrime, it's easier to fix the security vulnerability, than it is to track down the criminals and make them stop :)
In this case, the vulnerability is using HTTP, not HTTPS.
Well, HTTPS could still be man-in-the-middled, right? I am not really informed, but I would not be surprised if some ISPs are even recognized as certificate authorities.
MITMing TLS requires either (1) a falsely issued certificate, which would be "a big deal" when (not if) found and would lead to the issuer losing their status as accepted in browsers, or (2) the user to install a certificate generated by the person doing the MITM; this is often done in corporate environments.
> Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
Are we sure that there won't be an exception installed to this in favor of broadband providers, considering the paths already taken?
Terms and conditions of this comment: This comment is provided for free to <https://news.ycombinator.com> AKA "Hacker News", including any redistribution to be considered under the clause of fair use. Any other redistribution, including injection of third party content or surrounding content, chrome, or any other HTML element(s), be it in static or generated code, is considered a violation of the terms of this contribution.
Your browser and OS quickly delist any certificate found to have forged a certificate for a website they don't own. They're unapologetic about it too - and don't care who they piss off.
However, browsers have played along with US legislation previously. (E.g., when long key encryption was restricted to US versions only.) I'm not sure if Mozilla would be playing along nowadays, but you can't be too sure, either. Moreover, you could consider certificates installed by antivirus software as some kind of prior art to this. (While considered a security risk, at least by some, they are not delisted.)