
So this sucks, but it's not as bad as many are making it out to be. In a previous role, I was forced to deploy an appliance that did this exact same thing. It's not a man in the middle, or traffic intercept with forged responses.

Most of the time these appliances act as a 'cache' device. They will sit somewhere in the network ( inline, out of band, or as a WCCP device ) that will answer common router cache lookups.

In the case of WCCP, User behind cable modem X requests www.google.com ( HTTP Non Secure Traffic ONLY! ) and the router asks the appliance, "Hey, do you have a cache record for this request from this user behind modem X?". At this point, the appliance will do a DHCP Lease Query for that IP and get Option 82 from the lease record. Most of the time this is the MAC address of the modem. Then it takes this MAC address and either looks up in an internal database or an external one to check if this user has a message 'waiting', IE: over allotted bandwidth, billing note, spam or just BS. If there is a message waiting, the appliance will tell the router, "YUP, I've got it. Let me send back this small .JS response". From my experience, this small JS ( even if it is horribly written ) will be returned to the user with some code in it that does another request to the website originally requested in a frame of some sort. The request is made again, but this time the "message" waiting for the user has already been delivered, so the initial process returns "Nope, nothing for that user" and the content originally requested is loaded upon the 2nd round trip. It's still your PC with a fake original response. I won't pretend to know how Comcast or Rogers does this, but I know one vendor I have used did it this way. I fought it till I was told to put it in production or find other employment. It sucks, but if done correctly on HTTP Non Secure traffic only in a manner that is described above, I think it's a better idea than products like Procera or Sandvine do, which IS MITM forged responses. Hope this helps explain a little better what may be going on in this situation.
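The lookup flow the comment above describes, written up as an added Python model (not the vendor's code and not from the original post): the appliance answers the router's WCCP cache lookup by resolving the subscriber IP to its Option 82 modem MAC, checking for a pending bulletin keyed by that MAC, and handing back a framed response exactly once. The lease table, bulletin database and HTML shape are constructed assumptions; the model shows why TLS traffic is passed through untouched and why the bulletin only appears on the first round trip.

```python
from dataclasses import dataclass, field
from html import escape
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample lease table: subscriber IP -> DHCP Option 82 value
# (here the cable modem MAC, as the comment says is the usual case).
LEASES: Dict[str, str] = {"10.0.0.23": "00:11:22:33:44:55"}


@dataclass
class Appliance:
    """Models the cache appliance's answer to a router's WCCP cache lookup."""

    # Pending bulletins keyed by modem MAC (the 'internal database' case).
    bulletins: Dict[str, str] = field(default_factory=dict)

    def lease_query(self, ip: str) -> Optional[str]:
        # Stand-in for the DHCP Lease Query that returns Option 82 for the IP.
        return LEASES.get(ip)

    def cache_lookup(self, client_ip: str, url: str) -> Optional[str]:
        """Return an injected response body, or None for 'nothing cached'.

        None means the router fetches the real content, which is what
        happens on every request that carries no pending bulletin.
        """
        if urlsplit(url).scheme != "http":
            # Plaintext HTTP only: the appliance cannot build a valid
            # TLS response, so HTTPS requests are never answered here.
            return None
        mac = self.lease_query(client_ip)
        if mac is None:
            return None
        # pop() makes delivery one-shot: the second lookup for the same
        # modem finds nothing and the original content loads normally.
        message = self.bulletins.pop(mac, None)
        if message is None:
            return None
        # Small page that shows the bulletin and re-requests the original
        # URL in a frame, so the real site appears on the 2nd round trip.
        return (
            "<html><body><p>%s</p><iframe src=\"%s\"></iframe></body></html>"
            % (escape(message), escape(url, quote=True))
        )
```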



It looks like, based on the code and the reference to 'bulletins', this is a product from PerfTech ... http://www.perftech.com/bulletin_system.html



