Airtel Said to Be 'Sniffing and Censoring' CloudFlare's Traffic in India

Advertisement
By Karthik Balakrishnan | Updated: 14 July 2016 14:46 IST
Highlights
  • Like all good things, it started with a visit to The Pirate Bay
  • CloudFlare is a popular CDN
  • All CloudFlare traffic from India seems impacted

Editor's note: This post was originally published by @karthikb351 on Medium and has been reproduced here with permission in full without any edits save for some formatting related changes for better readability and to fix a couple of typos. Gadgets 360 has reached out to both Airtel and CloudFlare for comment on this story and we will update it with their reaction when we hear back from them.

Update at 14:15 - Airtel has responded with the following statement sent to Gadgets 360: "This is completely baseless and incorrect. As a policy, Airtel does not block/ sniff any content. Only in the case of instructions/ orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/ https. This also has nothing to do with the validity of any certificate."

Airtel is sniffing and censoring CloudFlare's traffic in India and CloudFlare doesn't even know it by Karthik Balakrishnan

Advertisement

Note: This is largely due to the work done by @captn3m0 and @shantanugoel. I'm merely writing this because they are too lazy to.

TL;DR Some (or all) of CloudFlare's India Data Centers use Airtel's network to connect to servers upstream, and Airtel is sniffing all unencrypted traffic going upstream from CloudFlare, and even censoring some

It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to https://pricee.com/api/redirect/t.php?from=gadgets360&redirect=http%3A%2F%2Fairtel.in%2Fdot, which is a notice saying that the site is blocked as per the Department of Telecom's orders.

This is fairly routine, there are a ton of sites blocked in India without explanation, and it's very common to find vague notices like this.

Advertisement

But this one was particularly interesting for a couple of reasons, firstly, we noticed that this was happening on a HTTPS page, with a valid certificate.

We hit https://thepiratebay.org via a VPN and it loaded fine, and we confirmed that the certificate for CloudFlare were the same and valid.

Advertisement

@oddtazz Updated the gist to include the valid log (over a US server). Same cert in both cases: https://t.co/fV1HrL1aWj

— Nemo (@captn3m0) July 13, 2016

So Airtel couldn't have changed the page to show that notice. Unless they had CloudFlare's certificates, which was super unlikely, and in anycase we ruled out since the exact same page was shown to people who on non-Airtel networks as well, with a link to Airtel's notice.

Advertisement

@karthikb351 Nopes, fails silently. pic.twitter.com/6NnqP0BKJM

— Anurag (@gnurag) July 13, 2016

@karthikb351 LOL WHAT. Just stopped working next instant. Showing some Airtel error now? I'm on ACT. LOLOLOL @argvK pic.twitter.com/Ss8VOVanMI

— Shrayas Rajagopal (@shrayasr) July 13, 2016

@captn3m0 same iframe on ACT connection in hyd. Let me dig as well.

— Shantanu Goel (@shantanugoel) July 13, 2016

One possibility: Is CloudFlare itself serving the notice?
Since this wasn't specific to Airtel's network, but was happening to everyone across India, we figured that maybe CloudFlare itself was blocking it. This would explain why it was served over a valid HTTPS connection.

On the other hand, is there any legal grounds for the Department of Telecom to ask CloudFlare to block anything? They aren't an ISP.

Moreover, why would they embed an iframe that links to Airtel's block message?

That seemed unlikely.

Is CloudFlare's upstream network being censored?
The most plausible explanation then was that CloudFlare was thinking it was talking to The Pirate Bay and was completely unaware that it was actually getting a response from Airtel saying the website was blocked.

There was some evidence that supported this theory,

The iframe's URL had a 'userip' parameter that (we assumed) referred to the client's ip.

@captn3m0 similar. Last octect is 168, i.e. 162.158.54.168

— Shantanu Goel (@shantanugoel) July 13, 2016

In this case, all the IPs were CloudFlare's (Their IP range list includes 162.158.0.0/15). Okay so it's likely that Airtel was serving this page between CloudFlare and The Pirate Bay.

How does Airtel know who CloudFlare is talking to?
CloudFlare talks to The Pirate Bay directly via its IP, and one of the advantages advertised by CloudFlare is that you can mask (and change) the Origin's IP from the public. You and I (and Airtel) can't know the actual IP of the server, so how would Airtel know which requests to intercept and show the block notice to?

We figured that Airtel probably doesn't know, and was perhaps looking at the 'Host' header of the request to figure who CloudFlare was talking to, and that CloudFlare and The Pirate Bay had to be communicating over unencrypted HTTP for this to be possible, that's the only way Airtel could look at the headers. This was easy enough to test.

We made a request to a random IP address (in this case, GitHub's) with the host as 'thepiratebay.org' and we got a valid response when we ran this this on a non-Airtel networ - a 301 redirect.

>curl -H "Host: thepiratebay.org" http://192.30.253.112/ -i
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://thepiratebay.org/
Connection: close

But when we tried the same thing on Airtel's network, sure enough, we got served the block page.

curl -H "Host: thepiratebay.org http://192.30.253.112/
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://pricee.com/api/redirect/t.php?from=gadgets360&redirect=http%3A%2F%2Fwww.airtel.in%2Fdot%2F%3Fdpid%3D1%26amp%3Bdpruleid%3D3%26amp%3Bcat%3D107%26amp%3Bttl%3D0%26amp%3Bgroupname%3D-%26amp%3Bpolicyname%3D-%26amp%3Busername%3D-%26amp%3Buserip%3D122.171.125.65%26amp%3Bconnectionip%3D127.0.0.1%26amp%3Bnsphostname%3DPolicy04-Chennai%26amp%3Bprotocol%3Dpolicyprocessor%26amp%3Bdplanguage%3D-%26amp%3Burl%3Dhttp%253a%252f%252fthepiratebay%252eorg%252f" width="100%" height="100%" frameborder=0></iframe>

So it was clear, Airtel was treating CloudFlare just like any other user, and censoring some pages to them. CloudFlare was undergoing a Man-in-the-middle attack by Airtel and didn't even know it.

Implications
There are some really important conclusions to draw from this.

  1. The Pirate Bay has surprisingly chosen not to enforce SSL between CloudFlare and itself, and they talk to each other over HTTP.
  2. CloudFlare has chosen to run on an ISP that is censoring traffic upstream and they don't have mechanisms to detect it, completely defeating the purpose of SSL and providing users (and websites) with a false sense of security. Airtel could modify the response, add tracking codes, etc, and nobody would know.
  3. Airtel is sniffing traffic of ALL of CloudFlare's websites that don't have Full SSL enabled (which is the default setting on CloudFlare).
  4. All Indian users, even if they are not on Airtel's network, who access any of 2 million+ websites on CloudFlare have their traffic inspected and sniffed by Airtel.
Affiliate links may be automatically generated - see our ethics statement for details.
 
Post your comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Airtel, CloudFlare, India, Internet, Privacy
Twitter Gets Support for Unicode 9.0's New Emojis, Including Selfie and Facepalm
Facebook's 13,000 Employees to Shift to Microsoft's Office 365
Advertisement

Related Stories

Airtel Offers Free Data, Calls and Roaming to Customers Impacted by Floods across Jammu, Kashmir, Ladakh, and Himachal Pradesh
27 August 2025
Airtel Restores Service in Several Areas Including Bengaluru, Kolkata, Chennai After Second Outage in a Week
25 August 2025
JioSaavn Pro on Jio vs Apple Music Free Subscription on Airtel: Which is Better?
23 August 2025
[Updated] Reliance Jio's Rs. 799 Recharge Plan With 1.5GB Daily Data Usage, 84 Days Validity Remains Available via App, Site
21 August 2025
Airtel Discontinues Rs. 249 Prepaid Recharge Plan Which Offered 1GB Daily Data, 24-Day Validity
20 August 2025
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Junior OTT Now Streaming Online: What to Know About Sreeleela and Kireeti Reddy's Romantic
#Latest Stories
  1. SpaceX Launches NROL-48 for NRO’s Proliferated Satellite Architecture
  2. Bizarre New Computer Mouse Designs Aim to Cut Wrist Injuries, Scientists Say
  3. Artemis 2 Orion Capsule Named “Integrity” for Upcoming Moon Flyby
  4. SpaceX Launches IMAP, CGO, SWFO-L1 to Probe Solar Frontier and Space Weather
  5. Study Reveals How Humans Touch Unfamiliar Objects, Shaping Human–Robot Interaction Research
  6. NASA Targets February 2026 Window for Historic Artemis 2 Moon Mission
  7. NASA’s Chandra Finds Black Hole Growing Beyond Known Limits
  8. Earth’s Oxygen Explains Mysterious Rust Formation on the Moon
  9. Maatonda Heluve Now Streaming Online: Know Everything About Cast, Plot, and More
  10. Tulsa King Season 3 Now Streaming Online: Know Everything About Sylvester Stallone Action Series
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.