Comcast's open Wi-Fi hotspots inject ads into your browser

Comcast is giving users a very good reason to demand an HTTPS connection on every site they visit. The Internet service provider has started injecting ads for its services on websites where you wouldn't normally see them when you're using an Xfinity public Wi-Fi hotspot.

Imagine, for example, you were browsing your favorite news site when suddenly a pop-up from Comcast appears at the bottom of your display—a behavior you'd never experienced on that site before. That's exactly what happened to former Wired editor Ryan Singel when he connected to a Comcast Xfinity hotspot earlier in September.

It appears Comcast has actually been doing this for months, but the program only recently came to light after a report by Ars Technica.

The injections can either be an alert to let users know they are connected to a Comcast hotspot, or inserted ads to promote Comcast's Xfinity mobile apps, a Comcast spokesperson told Ars. Comcast was not available for comment at this writing.

Comcast says it is doing this in part as a way to reassure users that they are connecting to an authentic Comcast hotspot. Security at public Wi-Fi hotspots is certainly an issue as hackers could make a hostile Wi-Fi router look like an authentic Xfinity hotspot.

Unfortunately, injecting JavaScript into a website where the code doesn't normally show up isn't the way to do it. Comcast's intentions may be sincere, but injecting JavaScript into a browser could create unintended security vulnerabilities for a malicious actor to exploit.

JavaScript is one of the building blocks of the modern web and you really can't experience numerous websites without it. But it can also be designed to behave maliciously—and your browser can often have a hard time distinguishing between good and bad code.

Comcast is far from the only ISP out there doing this. Many public Wi-Fi hotspot locations also inject ads into your browsing experience. The DSLReports forums, for example, show examples of BrightHouse Networks doing something similar.

So what's a user to do when even ISPs are trying to mess with your browser? Try forcing your browser to connect to websites using HTTPS via a browser extension such as The Electronic Frontier Foundation's HTTPS Everywhere for Chrome and Firefox. This removes the opportunity for Comcast to slip its ads into the web content you're viewing midstream, though not all websites support encrypted connections.

And, as always, you should use a virtual private network (VPN) when connecting over public Wi-Fi.

Subscribe to the Best of PCWorld Newsletter