Comcast 'Blocks' an Encrypted Email Service: Yet Another Reminder Why Net Neutrality Matters

Zack Whittaker, writing for ZDNet: For about twelve hours earlier this month, encrypted email service Tutanota seemed to fall off the face of the internet for Comcast customers. Starting in the afternoon on March 1, people weren't sure if the site was offline or if it had been attacked. Reddit threads speculated about the outage. Some said that Comcast was actively blocking the site, while others dismissed the claims altogether. Several tweets alerted the Hanover, Germany-based encrypted messaging provider to the alleged blockade, which showed a "connection timed out" message to Comcast users. It was as if to hundreds of Comcast customers, Tutanota didn't exist. But as soon as users switched to another non-Comcast internet connection, the site appeared as normal. "To us, this came as a total surprise," said Matthias Pfau, co-founder of Tutanota, in an email. "It was quite a shock as such an outage shows the immense power [internet providers] are having over our Internet when they can block sites...without having to justify their action in any way," he said.

By March 2, the site was back, but the encrypted email provider was none the wiser to the apparent blockade. The company contacted Comcast for answers, but did not receive a reply. When contacted, a Comcast spokesperson couldn't say why the site was blocked -- or even if the internet and cable giant was behind it. According to a spokesperson, engineers investigated the apparent outage but found there was no evidence of a connection breakage between Comcast and Tutanota. The company keeps records of issues that trigger incidents -- but found nothing to suggest an issue. It's not the first time Comcast customers have been blocked from accessing popular sites. Last year, the company purposefully blocked access to internet behemoth Archive.org for more than 13 hours.

Never Attribute to Malice

[RobotRunAmok]

...what can be explained by incompetence.

Re: Never Attribute to Malice

[Reverend Green]

Perhaps because they have a childlike faith in the good intentions of large, powerful, notoriously corrupt institutions?

Re:Never Attribute to Malice

[alexo]

...what can be explained by incompetence.

Any sufficiently advanced incompetence is indistinguishable from malice.

Re:

[Anonymous Coward]

Then why wouldn’t Comcast have just said that? The fact that they denied that anything happened shows that it couldn’t be an accident.

Re:

[RightwingNutjob]

One possible explanation is that it wasn't on Comcast's end. The affected site's service provider may have blocked all of Comcast's IP addresses if one of them was sending out a DOS attack for example. Or it could have been the affected site's own firewall if it detected a DOS or a DDOS coming from a range of Comcast IPs. Dumb stuff like that would happen all the time when I was in college. Some idiot would be bitorrenting movies or just had an unsecured machine spewing ddos packets plugged into the wall an

Re:Are you sure it wasn't an accident?

[postbigbang]

I'm not an apologist for Comcast, at all.

However, remember they run their own DNS so they can mine where you're going with that so-called stealth browser of yours. When it does a DNS lookup, you get the correct IP address to do the https page pull.

If a DNS address becomes black-holed (there are a number of ways to accidentally do this, including being stupid), then you loose a site.

I'm guessing it got screwed up in cache, and when the cache flushed, it came back again. No huge subterfuge, no DDoS attack, just normal screw up. Even Slashdot was pretty stupid about how they did their infrastructure change-over. Happens all too frequently, but it happens. An alarmist charge towards the fate of net neutrality violations is a bit hyperbolic to me.

Re:

[mea2214]

This theory could have been easily tested by switching DNS to 8.8.8.8.

Re:

[Opportunist]

The result would be different. A missing DNS entry does not result in a timeout, you get a site not found.

Re:

[postbigbang]

Read up on how Comcast configures its servers to understand how you can get a browser hang as the re-direct goes infinite-loop. It's not a missing entry error. I'm trying to find the site that explains their info vacuuming architecture.

Re:

[Obfuscant]

Then why wouldnâ(TM)t Comcast have just said that? The fact that they denied that anything happened shows that it couldnâ(TM)t be an accident.

They didn't deny that anything happened.

Re: Are you sure it wasn't an accident?

[bill_mcgonigle]

They can show us the BGP error if it was an accident.

Re:

[Lunix Nutcase]

Who better to block than small, niche sites that have no power? Blocking a Google would cause a huge shit storm.

Re:One day?

[bondsbw]

That's one reason Net Neutrality matters so much. It's hard enough to offer competition against the behemoths. Once Google or any huge service provider can pay their way out of the slow lane, small businesses looking to compete might as well give up.

Re:

[jbmartin6]

Huge companies already pay their way out of the "slow lane" by having more servers, larger pipes, and more CDNs.

Re:

[martinfb]

Never happen! Ask Ajit Pai! ;-O

Re:

[Rick Schumann]

Routing issues happen. Frankly it's a wonder that they don't happen more often than they do. Could have even been a DNS problem; did anyone, anywhere, try using a different set of DNS servers than what Comcast provides?

Re:

[martinfb]

Yep. Same issue.

It is unreasonable, and deeply unethical, for a too-big behemoth like Comcast to get away with things.
IF it were a mistake, OWN UP!
IF it were incompetence or faulty equipment or "maintenance", PUBLISH THE FACTS!
IF it were a covered-up intention, GET EXPOSED AND SUFFER!
IF Comcast is "too big to fail" (i.e. hurts society too much to be punished), then Comcast needs to be broken up.

ALL non-human entities like behemoth corporations need to fully answer to the public.
ESPECIALLY to their

Re:

[Anonymous Coward]

How do you know its not the incompetence of tutanota's ISP, or a transit peer? Given that Comcast users said that the site seemed to drop off the internet, it sounds like a DNS issue which could be Comcast's or whoever provides tutanota's domain service. Outages happen on the Internet all the fucking time but that doesn't mean it was the result of a "blockade" like the morons in the TFA allege.

Re: NN hasn't expired yet

[sjames]

Except that when they happen, rather than working hard to fix the issue, they can just say "We don't care. We don't have to".

Re:

[iggymanz]

the routing issue may have been the fault of another major provider's route to comcast. Those of us who work in organizations that accessed across the continent or world see this kind of thing all the time. This has nothing to do with NN, and may even have nothing to do with comcast.

Re:

[sjames]

THIS PARTICULAR outage might not be Comcast's direct fault, but if not, it was the other side of a peering point. The more Comcast is worried about getting in trouble for NN violations, the more likely they are to pressure that operator to get it fixed. Or, Comcast drops the static route and let's BGP route around the damage.

I am quite familiar with large scale routing issues. In general, something like you propose will either affect only part of a national network (and then find an alternate route) or it w

Re:

[sjames]

Either that or your diagnostic abilities suck monkey balls.

Step one, narrow the diagnosis based on where the outages are. Work out from there.

Re:

[sjames]

Well, let's see. The problem was connection timed out, not DNS resolution failure, so your diagnostic skills DEFINITELY suck monkey balls. A quick sampling of whois suggests the others you listed are not owned by the same people, BTW.

Apparently nobody but Comcast customers had an issue on those days. If the issue was upstream to Comcast, others would likely be affected.

Re:

[roc97007]

That's why you suck them. Don't swallow them.

Re:

[mikael]

It should be easy to use "traceroute" to find the route between a Comcast customer IP address and Tutanota's servers. Wherever it happens, the guilty party could have been dropping the received or transmitted packets from the servers. Traffic seems to go out to the USA via Hurricane Electric and then to Tutanota.

Re:

[Obfuscant]

It should be easy to use "traceroute" to find the route between a Comcast customer IP address and Tutanota's servers.

With the growing number of carriers who block ICMP, while it SHOULD be easy to use traceroute to learn interesting things, in many cases it is worthless.

Here's a flash: is anyone going to sue Comcast for blocking outgoing access to port 25 as an anti-spam measure? It's blocking email. Was this "block" which nobody knows was actually a block but is good to bash Comcast anyway over a case of blocking an outgoing port for spam reasons?

Re:

[martinfb]

Sure seems quite unlikely that ALL intercontinental paths went down all at once. Yes?

Re:

[sjames]

NN rules haven't expired yet. Also, given the number of state legislatures and attorneys general rumbling about both suing the FCC and implementing state level NN laws, this would not be a good time (politically speaking) to provide them ammunition.

Re:

[sconeu]

I didn't know that Ernestine worked for Comcast!

Re:

[sjames]

Call their tech support some time. She may have an Indian accent now, but she definitely works there.

Re:

[sjames]

But then if the evidence is gathered and they are proven liars, it wouldn't go well for them.

Equipment failure is a well understood probllem, including about how long it should take to fix or work around.

Re:

[sysrammer]

Except that when they happen, rather than working hard to fix the issue, they can just say "We don't care. We don't have to".

"So, the next time you complain about your phone service, why don't you try using two Dixie cups with a string? We don't care. We don't have to. We're the Phone Company." - Lily Tomlin

Hanlon's Razor

[Notabadguy]

Never attribute to malice that which is adequately explained by stupidity.

Re:Hanlon's Razor

[sconeu]

Fleming's Razor:

Once is happenstance. Twice is coincidence. Three times is enemy action.

This is at least twice, per TFS.

Re:Fleming's Razor

[Khopesh]

Fleming's Razor:

Once is happenstance. Twice is coincidence. Three times is enemy action.

That's stated by James Bond the 1964 Goldfinger [wikipedia.org] film. I see no indication of it being named "Fleming's Razor" or that the original author (Ian Fleming [wikipedia.org]) wrote the line, though it has been quite some time since I read that book.

Re:

[sconeu]

Yeah, I know. I coined the term. I've heard it referred to elsewhere as "Goldfinger's Law".

Re:

[serviscope_minor]

Never attribute to malice that which is adequately explained by stupidity.

Sufficiently advanced incompetence is indistunguisable from malice.

You contacted a spokesperson?

[fahrbot-bot]

When contacted, a Comcast spokesperson couldn't say why the site was blocked ...

Everyone knows you call Comcast Customer Support to get answers.

Re:

[budsetr]

Call Comcast and ask.

Re:

[Opportunist]

Depends on your definition of effective. It's effective in keeping you as a subscriber, if only by not taking "fuck you" as an answer.

Re:

[Xenx]

Sure, but only in so far as any response to a question qualifies as an answer.

Use a VPN

[Anonymous Coward]

When I use Comcast, I use a VPN.

Re:

[Anonymous Coward]

First of all, ISPs already consolidate users to a few predetermined exit points, with the widespread use of carrier grade NAT.

Secondly, users gleefully consolidate themselves to a few predetermined exit nodes when they use Tor, and you trendy lemmings have such a fucking hardon for Tor.

Third and finally, nothing stops users from running OpenVPN or a similar free VPN server in the cloud or on a VPS host, which greatly increases the number of VPN exit points from a few to very many.

Under The New Rules

[Anonymous Coward]

An ISP has to disclose any traffic shaping. The fact that Comcast would not comment shows to me that it was a mistake. Net neutrality hasn't even expired yet but even if it did, this still would be illegal without disclosure if done intentionally.

Re:

[jd]

Cutting the cables of rivals is also illegal, and Comcast has been in court for it.

x not available from y therefore y is blocking x

[Anonymous Coward]

The headline "Comcast 'blocks' an encrypted email service: Yet another reminder why net neutrality matters"

followed by "Now imagine your favorite websites getting blocked by your internet provider in the name of net neutrality."

Does TFA present substantive information supporting this conclusion?
Does TFA itself make the leap of asserting Comcast blocked Tutanota?

Yet there is the headline and intentional smearing and weasel conflation of Comcast and Net Neutrality to fit pre-ordained narratives and stoke outr

Partly blocked?

[Mister Liberty]

Maybe the site was only partially blocked. Which raises the question when can we know a site is actually wholly blocked...

I'm not defending Comcast...

[GregMmm]

This will be an interesting situation. I've worked in networking for more years than I would like to say. And the mantra is: The network is broken. There is a number of reasons this connection could have had an issue and it has nothing to do with blocking traffic. DNS services, multiple routes converging, new hard installed, there is a number links in this chain. I just want to see now how many times this will come up. What will an ISP have to do to "prove" there is no blocking? Would you trust what

Net Neutrality is the wrong target.

[briancox2]

Yes! This type of abuse is wrong and something should be done about it.

This is monopolistic behavior. If Comcast had to compete with anyone (WHICH THEY DO NOT!) they would never be able to get away with this sort of behavior.

Look, we've been down the road of more and more regulation before. How well did that work to prevent the Deepwater Horizon catastrophe? How about the Housing Market collapse of 2008/2009? I know setting up a group of regulators who big business can easily cozy up to makes you

DNS Issues over state.gov

[Anonymous Coward]

Jut ran into an issue today with accessing state.gov web sites. Determined it was a DNS issue. When I switched my DNS server to 8.8.8.8 (google), the site was available from my browser.

Ended up on the phone with support for two hours trying to convince them it was their DNS server issue, and not my browser, router or modem issue.

Re:

[Opportunist]

Why bother? Leave it at 8.8.8.8 and wait for them to sort it out. Every couple of days, switch back to their DNS and see if they untossed the domain salad.

Re:

[abrotman]

http://dnsviz.net/d/travel.state.gov/WqaUrw/dnssec/

Broken DNSSEC at the gov't.

Shoddy reporting

[jbmartin6]

This is shoddy reporting at best. Hiding behind the quotes on "block" is below cheap shot level. Where are the useful questions? Were any other sites affected? Did anyone take a traceroute anywhere? Why do any work when you can pull in clicks with a sensationalist headline and spurious conclusions?

nothing to do with net neutrality

[mbaGeek]

to point out the obvious. Whatever the problem was, it wasn't because of "Net Neutrality" legislation. Or if Comcast weighs more than a duck - then Net Neutrality matters!

Aaaaand we're back

[eric_harris_76]

For 12 hours, Comcast gave itself a black eye. Then it stopped.

No thumb-fingered bureaucrats necessary.