Here is what is happening:

Cloudflare's Indian datacentres are hosted on Airtel's networks.

Airtel by default blocks and replaces (with a notice) Piratebay traffic all across its network due to multiple court orders.

Cloudflare's India servers call the Piratebay origin servers and ask for a master copy, and Airtel instead gives the substitute page on all the HTTP traffic from Piratebay to Cloudflare servers.

Cloudflare servers display the malformed page they received from Airtel to all clients (all ISPs) asking for Piratebay in India.
All I'm hearing is that Cloudflare allows their customers to configure client-facing TLS without enforcing it upstream over the internet, providing a false sense of security. Thanks Cloudflare!

... and I'm pretty sure that their response will be "We are just a proxy, we are not responsible for anything".
I see a lot of people bashing CloudFlare, but to be fair:

1. Thanks to them many sites got SSL, and sniffing your local network/ISP is the source of the majority of the problems.

2. Some SSL is better than no SSL, though it can also create an illusion of full security.

3. You can configure encryption between CloudFlare and your origin. You probably should do that.

4. CloudFlare this year (May 2016) announced better tooling to encrypt between the origin and their own CDN servers: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
Not just "an Indian ISP". It's the largest ISP in the country, and one with an increasingly larger footprint in Africa. It had revenues of close to $15B last year
Hi, OP here.

There are basically two important points from this story.

> CF can't tell if it's the actual website or the notice from Airtel, and neither can the user.

> Airtel is implementing this block by looking at the Host: headers of ALL HTTP requests going out of CF, and since everyone in India will hit CF, they are now looking at the headers of all users in India, across ISPs.
In the article, testing the Host header with a different IP is done over HTTP and not HTTPS, so it does not prove that Airtel is sniffing HTTPS traffic, does it?

> curl -H "Host: thepiratebay.org" http://192.30.253.112/

Maybe I missed something. Technically it is possible to block the traffic by looking at SNI [1] or simply block the IP address if it belongs to the blocked site. I always thought that every ISP had to follow this because all ISPs are asked to block a list of such sites by the Supreme Court.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
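The distinction the comment draws (Host header over plain HTTP versus SNI over TLS) is easy to make concrete. The following is an added example, not code from the thread or from Cloudflare: a toy parser showing what an on-path observer between a proxy and an origin can read on each leg of a "Flexible SSL" setup. The HTTP request and the TLS ClientHello it inspects are constructed here (`origin.example.test`, the paths and cookie values are placeholders), and the ClientHello builder is a minimal hand-rolled one, not a real TLS stack.

```python
"""
Added example, not code from the thread or from Cloudflare: a toy parser
showing what an on-path observer (an ISP between Cloudflare and an origin,
in the thread's scenario) can read from each leg of a "Flexible SSL" setup.

On the plaintext HTTP leg the request line, the Host header and the body are
all visible. On a TLS leg only the Server Name Indication (SNI) hostname in
the ClientHello is readable; the path, headers and body are encrypted.
The request and the ClientHello below are constructed for this example.
"""
import struct

# Constructed sample: what a proxy would send to an origin over plain HTTP.
PLAINTEXT_REQUEST = (
    b"GET /search/example HTTP/1.1\r\n"
    b"Host: origin.example.test\r\n"
    b"Cookie: session=constructed-value\r\n"
    b"\r\n"
)


def http_visible_fields(raw: bytes) -> dict:
    """Everything an observer sees in a cleartext HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {
        "method": method.decode(),
        "path": path.decode(),
        "host": headers.get("host"),
        "body": body.decode(errors="replace"),
    }


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x11" * 32           # random (fixed for the example)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_visible_fields(record: bytes) -> dict:
    """Only the SNI hostname is readable in a ClientHello; path and body are not."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    sni = None
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then name_type(1), name_len(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return {"sni": sni, "path": None, "body": None}


if __name__ == "__main__":
    print("plain HTTP leg :", http_visible_fields(PLAINTEXT_REQUEST))
    print("TLS leg        :", tls_visible_fields(build_client_hello("origin.example.test")))
```

Run stand-alone it prints both views side by side: the HTTP leg exposes method, path, Host and cookies, while the TLS leg exposes only the SNI name. That is the gap between "Flexible" and an encrypted origin connection: switching the origin leg to TLS removes the URL, headers and body from the wire, but the hostname itself stays visible to anyone on the path.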
I know I'm being a bit cynical here, but do we know that Cloudflare doesn't know about it?

It's entirely possible that they know about it, considering their recent datacenter opening in India (again, not clear on the laws, but maybe they need to follow the blocking as ordered by DoT/courts?).

They just started operations in China and partnered with an ISP there, so unless they say that they are not involved, I'm sceptical about this.
Is there any way for Cloudflare to detect whether or not their connection has been modified by a third party, besides certificates? I could only think of loading the site from more than one location and comparing the responses. However, that might not be a trivial task, as most websites will not be static enough.
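One way to implement the multi-vantage comparison suggested above, as an added example that is not code from the thread or from Cloudflare: fetch the same page from several vantage points, strip the parts that legitimately vary between fetches, fingerprint what is left, and flag any copy that disagrees with the majority. The response bodies are constructed (the "restricted" notice is a placeholder, not Airtel's actual page), and the normalisation rules are an assumed heuristic that covers only timestamps, CSRF tokens, nonces and whitespace, which is the "not static enough" caveat in practice.

```python
"""
Added example, not code from the thread or from Cloudflare: the comparison
the comment above suggests. The same page is fetched from several vantage
points, the dynamic parts are stripped, and any copy whose normalised
fingerprint disagrees with the majority is flagged. All response bodies
below are constructed; a real check would fetch them over different
networks/resolvers. Normalisation is a heuristic for the "not static
enough" problem: it handles timestamps, CSRF tokens, nonces and whitespace,
and nothing else.
"""
import hashlib
import re
from collections import Counter

# Patterns that legitimately differ between two fetches of the same page.
VOLATILE = [
    (re.compile(rb'<meta name="csrf-token" content="[^"]*"\s*/?>', re.I), b""),
    (re.compile(rb'nonce="[^"]*"', re.I), b'nonce=""'),
    (re.compile(rb"\d{4}-\d{2}-\d{2}T[\d:.]+Z?"), b""),   # ISO-8601 timestamps
    (re.compile(rb"\s+"), b" "),                            # collapse whitespace
]

# Constructed sample responses: a and b are the same page with different
# tokens and timestamps; c is a constructed substitute notice standing in
# for an on-path replacement.
SAMPLES = {
    "vantage-a": (b'<html><head><meta name="csrf-token" content="a1b2"></head>\n'
                  b'<body>Updated 2016-06-01T10:00:00Z <h1>Site</h1></body></html>'),
    "vantage-b": (b'<html><head><meta name="csrf-token" content="zz99"></head> '
                  b'<body>Updated 2016-06-01T10:00:05Z   <h1>Site</h1></body></html>'),
    "vantage-c": b'<html><body><h1>Access to this site is restricted (constructed notice)</h1></body></html>',
}


def normalize(body: bytes) -> bytes:
    """Remove the parts of a page that vary between honest fetches."""
    for pattern, replacement in VOLATILE:
        body = pattern.sub(replacement, body)
    return body.strip()


def fingerprint(body: bytes) -> str:
    """SHA-256 of the normalised body, comparable across vantage points."""
    return hashlib.sha256(normalize(body)).hexdigest()


def find_outliers(responses: dict) -> dict:
    """Return {vantage: fingerprint} for copies that disagree with the majority.

    Needs a strict majority, so use at least three vantage points; with two
    disagreeing copies there is no way to tell which one was altered.
    """
    fps = {v: fingerprint(b) for v, b in responses.items()}
    majority, votes = Counter(fps.values()).most_common(1)[0]
    if votes * 2 <= len(fps):
        raise ValueError("no majority among vantage points; cannot tell which copy is altered")
    return {v: fp for v, fp in fps.items() if fp != majority}


if __name__ == "__main__":
    for vantage, fp in find_outliers(SAMPLES).items():
        print(f"{vantage} differs from the majority (sha256 {fp[:16]}...)")
```

The majority rule is what makes this a detection rather than a guess: an altered upstream at one datacentre shows up as the odd copy, but if half the vantage points sit behind the same interfering network the check refuses to pick a side rather than silently trusting the wrong one.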
In cases like this, where the upstream of some of Cloudflare's servers is known to be non-transparent (dropping or modifying data going through it), couldn't they tunnel everything to Cloudflare servers with a working upstream, and connect to the origin servers from there? They would still benefit from caching near the users, while avoiding the broken upstream.
I've never understood CloudFlare's position on this issue/feature. They generally do a great job at improving, caring about and fighting for internet security, yet continue to offer a product (Flexible SSL) that they know is insecure:

"This option is not recommended if you have any sensitive information on your website. It should only be used as a last resort if you are not able to setup SSL on your own web server, but it is less secure than any other option (even “Off”)" [1]

So by CF's own admission this is less secure than having SSL disabled. That's of course technically incorrect, assuming the visitor is aware that SSL is terminated at CloudFlare and insecure from there to the origin server. If the visitor is aware of this distinction (and knows what it means, which includes knowing where the CF edge and origins are located) then it does add some security (the coffee shop's Wi-Fi etc.).

However, it's probably fair to assume that most visitors of CloudFlare-protected sites are not aware of this distinction. They're probably just aware that Green Lock + HTTPS = secure. So instead this product primarily gives a visitor a false sense of security, which in my opinion is much worse and potentially dangerous. I guess CloudFlare agrees with that; why else would they say it's less secure than no SSL?

In the end, CloudFlare should clarify why they continue to offer a seemingly secure encryption product that they themselves consider less secure than no encryption. They say it should only be used "as a last resort", but when is choosing "Flexible SSL" really the last resort? I mean, you can just disable SSL entirely or do it properly (and even get a free certificate from CF), both of which are more secure.

I don't know, but here's an idea: it might be a good product for CloudFlare customers, such as TPB, who don't care enough to actually secure their visitors' traffic, but still want to give the appearance thereof. Which is exactly what the more prominent product page lists as the advantages of "Flexible SSL" [2]:

- "You do not need an SSL certificate on your server."

- "Visitors will see the SSL lock icon in their browser."

I might be missing something and I'd honestly appreciate it if someone can shed some light on this. I respect CloudFlare a lot and appreciate their efforts to improve internet security. It's just difficult to maintain a brand as a company on the forefront of the internet security battle, while also enabling customers to somewhat deceitfully give the appearance of security at the expense of their visitors' security and safety. It seems pretty clear that CF needs to discontinue this product before it hurts their brand as well as unassuming visitors.

[1] https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

[2] https://www.cloudflare.com/ssl/
Seems like it's not just Airtel:

https://medium.com/@sushubh/when-you-said-they-do-not-even-know-it-i-thought-you-meant-airtel-was-quite-confusing-9954b7afc8ac