I'm moving soon and I'm trying to get Comcast setup at the new location. I went through their online ordering process, and aside from the fact that there was no useful information given to differentiate one "package" from another, the process wasn't too painful... until the last step.
At the end of the process, they require that you chat with a representative online in this shoddy Java applet. I assumed the representative would simply verify some information, then wrap things up. But actually, she said that she needed my SSN. She also reassured me numerous times that "COMCAST is all about protecting customer confidentiality", and that my "information is secured and cannot be viewed by anyone else." Hmm, I thought to myself, I do see that this applet was loaded on a page fetched using https, but how do I know that the applet itself is communicating with the server securely?
So, of course I immediately started tcpdumping the session.
$ sudo tcpdump -s0 -i en1 -A
And sure enough, I started seeing unencrypted communication between the applet and the server.
(applet -> server)
21:54:36.590164 IP 10.0.1.198.60082 > 184.108.40.206.http: P 26477:27264(787) ack 37992 win 65535
...B..,...P...0.6..P...,e..GET /sdccommon/lachat/poll/send_msg.asp?fmt=sst&dtype=msg&Msg=... HTTP/1.1
User-Agent: Mozilla/4.0 (Mac OS X 10.5.5) Java/1.5.0_16
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Cookie: CCSSLB=XXXXXXXXXXXXXX; ASPSESSIONIDQSTACRRA=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX;
(server -> applet)
21:55:54.626048 IP 220.127.116.11.http > 10.0.1.198.60082: P 54493:55606(1113) ack 39154 win 65535
....P...6......P..._...HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 04:55:55 GMT
Content-Type: text/xml; Charset=utf-8
Expires: Mon, 27 Oct 2008 04:54:55 GMT
PROBLEM <Order Information>PROBLEM
TEXT<Okay, no problem then. If you really think that this chat is not secure, you can call...>TEXT
TIME<10/27/2008 12:55:52 AM>TIME
In the end, the chat channel clearly was not encrypted. And during the conversation they send your name, address, phone, and SSN through this chat session, and they claim that the information is secured.
I would advise everyone to NOT trust online orders with Comcast, especially ones that use the Java applet pictured here. Or perhaps the better advice is to just not trust anything with the word "Comcast" on it (except for this blog post).
I don't know why I'm still amazed by their consistent incompetence.