Airtel Said to Be 'Sniffing and Censoring' CloudFlare's Traffic in India

By Karthik Balakrishnan | Updated: 14 July 2016 14:46 IST
Highlights
  • Like all good things, it started with a visit to The Pirate Bay
  • CloudFlare is a popular CDN
  • All CloudFlare traffic from India seems impacted

Editor's note: This post was originally published by @karthikb351 on Medium and has been reproduced here with permission in full without any edits save for some formatting related changes for better readability and to fix a couple of typos. Gadgets 360 has reached out to both Airtel and CloudFlare for comment on this story and we will update it with their reaction when we hear back from them.

Update at 14:15 - Airtel has responded with the following statement sent to Gadgets 360: "This is completely baseless and incorrect. As a policy, Airtel does not block/ sniff any content. Only in the case of instructions/ orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/ https. This also has nothing to do with the validity of any certificate."


Airtel is sniffing and censoring CloudFlare's traffic in India and CloudFlare doesn't even know it by Karthik Balakrishnan

Note: This is largely due to the work done by @captn3m0 and @shantanugoel. I'm merely writing this because they are too lazy to.

TL;DR Some (or all) of CloudFlare's India Data Centers use Airtel's network to connect to servers upstream, and Airtel is sniffing all unencrypted traffic going upstream from CloudFlare, and even censoring some.

It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to http://airtel.in/dot, which is a notice saying that the site is blocked as per the Department of Telecom's orders.

This is fairly routine; there are a ton of sites blocked in India without explanation, and it's very common to find vague notices like this.

But this one was particularly interesting for a couple of reasons. Firstly, we noticed that this was happening on an HTTPS page, with a valid certificate.

We hit https://thepiratebay.org via a VPN and it loaded fine, and we confirmed that the certificate for CloudFlare was the same and valid.

@oddtazz Updated the gist to include the valid log (over a US server). Same cert in both cases: https://t.co/fV1HrL1aWj

— Nemo (@captn3m0) July 13, 2016

So Airtel couldn't have changed the page to show that notice. Unless they had CloudFlare's certificates, which was super unlikely, and in any case we ruled it out, since the exact same page was shown to people who were on non-Airtel networks as well, with a link to Airtel's notice.

@karthikb351 Nopes, fails silently. pic.twitter.com/6NnqP0BKJM

— Anurag (@gnurag) July 13, 2016

@karthikb351 LOL WHAT. Just stopped working next instant. Showing some Airtel error now? I'm on ACT. LOLOLOL @argvK pic.twitter.com/Ss8VOVanMI

— Shrayas Rajagopal (@shrayasr) July 13, 2016

@captn3m0 same iframe on ACT connection in hyd. Let me dig as well.

— Shantanu Goel (@shantanugoel) July 13, 2016

One possibility: Is CloudFlare itself serving the notice?
Since this wasn't specific to Airtel's network, but was happening to everyone across India, we figured that maybe CloudFlare itself was blocking it. This would explain why it was served over a valid HTTPS connection.

On the other hand, are there any legal grounds for the Department of Telecom to ask CloudFlare to block anything? They aren't an ISP.

Moreover, why would they embed an iframe that links to Airtel's block message?

That seemed unlikely.

Is CloudFlare's upstream network being censored?
The most plausible explanation then was that CloudFlare was thinking it was talking to The Pirate Bay and was completely unaware that it was actually getting a response from Airtel saying the website was blocked.

There was some evidence that supported this theory:

The iframe's URL had a 'userip' parameter that (we assumed) referred to the client's IP.

@captn3m0 similar. Last octet is 168, i.e. 162.158.54.168

— Shantanu Goel (@shantanugoel) July 13, 2016

In this case, all the IPs were CloudFlare's (Their IP range list includes 162.158.0.0/15). Okay so it's likely that Airtel was serving this page between CloudFlare and The Pirate Bay.

How does Airtel know who CloudFlare is talking to?
CloudFlare talks to The Pirate Bay directly via its IP, and one of the advantages advertised by CloudFlare is that you can mask (and change) the Origin's IP from the public. You and I (and Airtel) can't know the actual IP of the server, so how would Airtel know which requests to intercept and show the block notice to?

We figured that Airtel probably doesn't know, and was perhaps looking at the 'Host' header of the request to figure out who CloudFlare was talking to. For this to be possible, CloudFlare and The Pirate Bay had to be communicating over unencrypted HTTP; that's the only way Airtel could look at the headers. This was easy enough to test.

We made a request to a random IP address (in this case, GitHub's) with the host as 'thepiratebay.org' and we got a valid response when we ran this on a non-Airtel network: a 301 redirect.

>curl -H "Host: thepiratebay.org" http://192.30.253.112/ -i
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://thepiratebay.org/
Connection: close

But when we tried the same thing on Airtel's network, sure enough, we got served the block page.

curl -H "Host: thepiratebay.org" http://192.30.253.112/
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="http://www.airtel.in/dot/?dpid=1&amp;dpruleid=3&amp;cat=107&amp;ttl=0&amp;groupname=-&amp;policyname=-&amp;username=-&amp;userip=122.171.125.65&amp;connectionip=127.0.0.1&amp;nsphostname=Policy04-Chennai&amp;protocol=policyprocessor&amp;dplanguage=-&amp;url=http%3a%2f%2fthepiratebay%2eorg%2f" width="100%" height="100%" frameborder=0></iframe>

So it was clear, Airtel was treating CloudFlare just like any other user, and censoring some pages to them. CloudFlare was undergoing a Man-in-the-middle attack by Airtel and didn't even know it.
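
Added example, not from the original post: following the post's reasoning about the 'userip' parameter, this Python code pulls the notice iframe out of a response body and checks whether the address the filter recorded as its client falls inside the CloudFlare range quoted above. The function names, verdict labels and sample bodies are constructed for illustration, and it assumes the iframe points directly at the Airtel notice host.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Range quoted in the post; a real check would load the CDN's full published list.
CDN_RANGES = [ipaddress.ip_network("162.158.0.0/15")]
NOTICE_HOSTS = {"airtel.in", "www.airtel.in"}  # notice host named in the post


class IframeSrc(HTMLParser):  # collects the src of every <iframe> in a body
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs += [v for k, v in attrs if k == "src" and v]


def classify(body):
    """Return (verdict, notice_params); userip is the client the filter saw."""
    parser = IframeSrc()
    parser.feed(body)
    for src in parser.srcs:
        url = urlsplit(src)
        if url.hostname not in NOTICE_HOSTS:
            continue
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        try:
            ip = ipaddress.ip_address(params.get("userip", ""))
        except ValueError:
            return "notice-unknown-client", params
        if any(ip in net for net in CDN_RANGES):
            return "filter-saw-cdn-as-client", params
        return "filter-saw-end-user-as-client", params
    return "no-notice", {}


def sample_body(userip):
    """Constructed body modelled on the block page quoted in the post."""
    return ('<iframe src="http://www.airtel.in/dot/?dpid=1&amp;'
            f'userip={userip}&amp;nsphostname=Policy04-Chennai&amp;'
            'url=http%3a%2f%2fthepiratebay%2eorg%2f"></iframe>')


if __name__ == "__main__":
    for ip in ("162.158.54.168", "122.171.125.65"):
        verdict, params = classify(sample_body(ip))
        print(ip, verdict, params.get("nsphostname"), params.get("url"))
```

A "filter-saw-cdn-as-client" verdict on a page fetched over HTTPS from the CDN is the signal the post describes: the notice was inserted on the CDN-to-origin hop, not on the visitor's own connection.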

Implications
There are some really important conclusions to draw from this.

  1. The Pirate Bay has surprisingly chosen not to enforce SSL between CloudFlare and itself, and they talk to each other over HTTP.
  2. CloudFlare has chosen to run on an ISP that is censoring traffic upstream and they don't have mechanisms to detect it, completely defeating the purpose of SSL and providing users (and websites) with a false sense of security. Airtel could modify the response, add tracking codes, etc., and nobody would know.
  3. Airtel is sniffing traffic of ALL of CloudFlare's websites that don't have Full SSL enabled (which is the default setting on CloudFlare).
  4. All Indian users, even if they are not on Airtel's network, who access any of the 2 million+ websites on CloudFlare have their traffic inspected and sniffed by Airtel.