Airtel Said to Be 'Sniffing and Censoring' CloudFlare's Traffic in India

By Karthik Balakrishnan | Updated: 14 July 2016 14:46 IST
Highlights
  • Like all good things, it started with a visit to The Pirate Bay
  • CloudFlare is a popular CDN
  • All CloudFlare traffic from India seems impacted

Editor's note: This post was originally published by @karthikb351 on Medium and has been reproduced here with permission in full without any edits save for some formatting related changes for better readability and to fix a couple of typos. Gadgets 360 has reached out to both Airtel and CloudFlare for comment on this story and we will update it with their reaction when we hear back from them.

Update at 14:15 - Airtel has responded with the following statement sent to Gadgets 360: "This is completely baseless and incorrect. As a policy, Airtel does not block/ sniff any content. Only in the case of instructions/ orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/ https. This also has nothing to do with the validity of any certificate."

Airtel is sniffing and censoring CloudFlare's traffic in India and CloudFlare doesn't even know it
by Karthik Balakrishnan

Note: This is largely due to the work done by @captn3m0 and @shantanugoel. I'm merely writing this because they are too lazy to.

TL;DR Some (or all) of CloudFlare's India Data Centers use Airtel's network to connect to servers upstream, and Airtel is sniffing all unencrypted traffic going upstream from CloudFlare, and even censoring some.

It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to http://airtel.in/dot, which is a notice saying that the site is blocked as per the Department of Telecom's orders.

This is fairly routine; there are a ton of sites blocked in India without explanation, and it's very common to find vague notices like this.

But this one was particularly interesting for a couple of reasons. Firstly, we noticed that this was happening on an HTTPS page, with a valid certificate.

We hit https://thepiratebay.org via a VPN and it loaded fine, and we confirmed that the certificate for CloudFlare was the same and valid.

@oddtazz Updated the gist to include the valid log (over a US server). Same cert in both cases: https://t.co/fV1HrL1aWj

— Nemo (@captn3m0) July 13, 2016

So Airtel couldn't have changed the page to show that notice. Unless they had CloudFlare's certificates, which was super unlikely, and in any case we ruled that out, since the exact same page was shown to people who were on non-Airtel networks as well, with a link to Airtel's notice.

@karthikb351 Nopes, fails silently. pic.twitter.com/6NnqP0BKJM

— Anurag (@gnurag) July 13, 2016

@karthikb351 LOL WHAT. Just stopped working next instant. Showing some Airtel error now? I'm on ACT. LOLOLOL @argvK pic.twitter.com/Ss8VOVanMI

— Shrayas Rajagopal (@shrayasr) July 13, 2016

@captn3m0 same iframe on ACT connection in hyd. Let me dig as well.

— Shantanu Goel (@shantanugoel) July 13, 2016

One possibility: Is CloudFlare itself serving the notice?
Since this wasn't specific to Airtel's network, but was happening to everyone across India, we figured that maybe CloudFlare itself was blocking it. This would explain why it was served over a valid HTTPS connection.

On the other hand, are there any legal grounds for the Department of Telecom to ask CloudFlare to block anything? They aren't an ISP.

Moreover, why would they embed an iframe that links to Airtel's block message?

That seemed unlikely.

Is CloudFlare's upstream network being censored?
The most plausible explanation then was that CloudFlare was thinking it was talking to The Pirate Bay and was completely unaware that it was actually getting a response from Airtel saying the website was blocked.

There was some evidence that supported this theory:

The iframe's URL had a 'userip' parameter that (we assumed) referred to the client's IP.

@captn3m0 similar. Last octet is 168, i.e. 162.158.54.168

— Shantanu Goel (@shantanugoel) July 13, 2016

In this case, all the IPs were CloudFlare's (Their IP range list includes 162.158.0.0/15). Okay so it's likely that Airtel was serving this page between CloudFlare and The Pirate Bay.

How does Airtel know who CloudFlare is talking to?
CloudFlare talks to The Pirate Bay directly via its IP, and one of the advantages advertised by CloudFlare is that you can mask (and change) the Origin's IP from the public. You and I (and Airtel) can't know the actual IP of the server, so how would Airtel know which requests to intercept and show the block notice to?

We figured that Airtel probably doesn't know, and was perhaps looking at the 'Host' header of the request to figure out who CloudFlare was talking to, and that CloudFlare and The Pirate Bay had to be communicating over unencrypted HTTP for this to be possible; that's the only way Airtel could look at the headers. This was easy enough to test.

We made a request to a random IP address (in this case, GitHub's) with the host as 'thepiratebay.org' and we got a valid response when we ran this on a non-Airtel network: a 301 redirect.

>curl -H "Host: thepiratebay.org" http://192.30.253.112/ -i
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://thepiratebay.org/
Connection: close

But when we tried the same thing on Airtel's network, sure enough, we got served the block page.

>curl -H "Host: thepiratebay.org" http://192.30.253.112/
<meta name="viewport" /><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="http://www.airtel.in/dot/?dpid=1&amp;dpruleid=3&amp;cat=107&amp;ttl=0&amp;groupname=-&amp;policyname=-&amp;username=-&amp;userip=122.171.125.65&amp;connectionip=127.0.0.1&amp;nsphostname=Policy04-Chennai&amp;protocol=policyprocessor&amp;dplanguage=-&amp;url=http%3a%2f%2fthepiratebay%2eorg%2f" width="100%" height="100%" frameborder=0></iframe>

So it was clear: Airtel was treating CloudFlare just like any other user, and censoring some pages to them. CloudFlare was undergoing a man-in-the-middle attack by Airtel and didn't even know it.
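
The 'userip' reasoning above can be turned into a check that a CDN or origin operator runs over response bodies fetched on a plaintext upstream path. This is an added example, not code from the original post: the function name, the rule that an iframe pointing at airtel.in/dot marks the notice, and the trimmed sample body are assumptions made for illustration.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Range the article quotes from CloudFlare's published IP list.
CLOUDFLARE_NET = ipaddress.ip_network("162.158.0.0/15")
IFRAME_SRC = re.compile(r'<iframe[^>]+src="([^"]+)"', re.IGNORECASE)

# Constructed sample modelled on the block page in the article (trimmed to the
# parameters used here); {ip} is filled in per case below.
NOTICE = ('<iframe src="http://www.airtel.in/dot/?dpid=1&amp;dpruleid=3'
          '&amp;userip={ip}&amp;nsphostname=Policy04-Chennai'
          '&amp;url=http%3a%2f%2fthepiratebay%2eorg%2f"></iframe>')


def analyse_block_page(body):
    """Return details of an injected block notice, or None if there is none."""
    match = IFRAME_SRC.search(body)
    if not match:
        return None
    # The query string may carry HTML-escaped ampersands (&amp;).
    src = urlsplit(html.unescape(match.group(1)))
    host = src.hostname or ""
    if not (host == "airtel.in" or host.endswith(".airtel.in")):
        return None
    if not src.path.startswith("/dot"):
        return None
    params = {k: v[0] for k, v in parse_qs(src.query).items()}
    try:
        client = ipaddress.ip_address(params.get("userip", ""))
        via_cdn = client in CLOUDFLARE_NET
    except ValueError:
        via_cdn = None  # userip missing or malformed
    return {
        "blocked_url": params.get("url"),  # parse_qs already percent-decodes
        "policy_node": params.get("nsphostname"),
        "client_ip": params.get("userip"),
        "intercepted_cdn_edge": via_cdn,
    }


if __name__ == "__main__":
    # 162.158.54.168: address from the tweet; 122.171.125.65: from the curl test.
    for ip in ("162.158.54.168", "122.171.125.65"):
        print(analyse_block_page(NOTICE.format(ip=ip)))
```

A result with `intercepted_cdn_edge` set to True means the filter saw the CDN edge as its client, which is the sign that the interception sits between the CDN and the origin rather than between the visitor and the CDN.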

Implications
There are some really important conclusions to draw from this.

  1. The Pirate Bay has surprisingly chosen not to enforce SSL between CloudFlare and itself, and they talk to each other over HTTP.
  2. CloudFlare has chosen to run on an ISP that is censoring traffic upstream and they don't have mechanisms to detect it, completely defeating the purpose of SSL and providing users (and websites) with a false sense of security. Airtel could modify the response, add tracking codes, etc., and nobody would know.
  3. Airtel is sniffing traffic of ALL of CloudFlare's websites that don't have Full SSL enabled (which is the default setting on CloudFlare).
  4. All Indian users, even if they are not on Airtel's network, who access any of the 2 million+ websites on CloudFlare have their traffic inspected and sniffed by Airtel.