Indian ISPs: We already give govt full access to web traffic

People really underestimate the full scale of this, specially today with so many sites using cloudflare without strict ssl reverse proxy connection, Cloudflare Endpoints in India are INSIDE ISP networks [1], what this means is the ISP (and therefore by extension the government) sees EVERYTHING going out of cloudflare servers over http in plaintext. Worse ISP will also modify that content so you get the &quot;This site has been blocked in India under diretions from [...]&quot; over https! cause that&#x27;s what cloudflare saw when it did it&#x27;s (insecure) http request<p>1. <a href="https:&#x2F;&#x2F;github.com&#x2F;captn3m0&#x2F;hello-cloudflare" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;captn3m0&#x2F;hello-cloudflare</a>

The real canary in the coalmine was actually a movie from 1999 called &quot;Enemy of the State.&quot;<p>The plot for the movie was actually based on an account from an NSA employee who tipped one of the producers or director (I forget which) of the mass surveillance the agency was involved in.<p>To me this movie is iconic just because it predicted events so vividly almost a quarter of a century ago.

Yes they do, mainly because it’s the law.<p>That it’s a misguided law is open for debate, but I don’t believe there is any state in the world that doesn’t monitor and control tele-communications (internet is regulated as tele-communications WW).

An important point is whether legislation exists which allows such &quot;monitoring&quot;.<p>Edit:<p>I would also like to add, one of the latest news was about malicious access of administrative data in Australia - which surely has in general more funds to invest in security than others. I would be concerned about personal data being copied in more repositories (multiplying chances of malicious access).

Ok so how is it different from what the USA does?

Many, if not most, nations have similar provisions to this. I think it&#x27;s wrong and just over the top. However, encrypting everything and using multi-hop routing wherever possible at least will add noise to this sort of dragnet surveillance. Personally, I&#x27;ve taken steps to obsfucate my traffic since similar legislation was introduced in the UK.

But how... I mean presumably they don&#x27;t install a root cert on every client device?

Curious how this works technically, does the Indian government have control over ca certs and every ISP uses them to MiTM it?

I&#x27;m confused, are they actually getting the plaintext content of HTTPS traffic, or are they just harvesting connection metadata? Not that bulk metadata collection isn&#x27;t bad, but getting access to unencrypted data would be much worse.

This came as a surprise to me considering when the Indian court orders to take down particular content of particular site, ISPs still uses dns blocking instead of more granular blocking which resulted in blanket site blockings of popular sites

What is India turning into China lite?

Don&#x27;t all ISPs do this? They can be stubborn and lose connecting with the rest of the net.

5 days ago i wrote about UK govt doing scans of all websites hosted in UK for &quot;security&quot; reasons and i was downvoted for &quot; Stop lying and not relevant, you clearly came here with an agenda&quot;... i guess we really do have an agenda when the government has access to full internet web traffic and they can pick and choose their targets with impunity<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33470079#33470409" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33470079#33470409</a>

And US and UK and Australian and basically all countries at this point.

Use VPNs. Most are quire expensive from Indian standards.

we need a decentralized list for holding key pair signatures.<p>it could something like adblocker list, No more central CA.

GNU Net [0] seems more relevant than ever:<p>&quot;The Internet is broken.&quot;<p>&quot;The conventional Internet is currently like a system of roads with deep potholes and highwaymen all over the place. Even if you still can use the roads (e.g. send emails, or browse websites) your vehicle might get hijacked, damaged, or long arms might reach into its back and steal your items (data) to use it against you and sell it to others - while you can&#x27;t even notice the thievery nor accuse and hold the scroungers accountable. The Internet was not designed with security in mind: protecting against address forgery, routers learning metadata, or choosing trustworthy third parties is nontrivial and sometimes impossible.&quot;<p>[0] <a href="https:&#x2F;&#x2F;www.gnunet.org&#x2F;en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.gnunet.org&#x2F;en&#x2F;</a>

This happens because the Indian government does not yet have the infrastructure of NSA and or GCHQ :) They have to demand for the information instead :)

I think we must all agree that national governments have a duty of care towards their citizens.<p>From the Indian govt perspective, the dominance of the Internet by foreign owned businesses means that the country is vulnerable to malfeasance should those foreign governments mean India harm or come to decide - <i>over the head of the government</i> - what the Indian people want or need.<p>This is about national sovereignty and national security. We have seen how those values trump privacy concerns for individuals in any country, including the US, so must accord the same understanding for other nations also.