>curl -H "Host: thepiratebay.org" http://192.30.253.112/
May be I missed something. Technically it is possible block the traffic by looking at SNI[1] or simply block the ipaddress if it belongs to the blocked site.I always thought that every ISPs had to follow this because all ISPS are asked to block a list of such sites by the Supreme Court .
The point is that many sites using cloudflare talk to cloudflare over HTTP (while users get HTTPS), and airtel is sniffing that.
That's called host header :-)
... and I'm pretty sure that their response will be "We are just a proxy, we are not responsible for anything".
As a frequent Cloudflare freeloader and occasional paying customer (lots of different hats), I really appreciate how the service made it possible to use SSL for free, before it was cool.
With Let's Encrypt being implemented at a lot of hosting providers and hosting automation systems over time, I think the following may become a diminishing problem.
But in cases where, let's say, a "not top tier" hosting solution makes it impossible to use any sort of SSL/TLS back to the origin server (within the customer's budget), my personal choice has been to not defaulting/redirecting sites to Cloudflare's SSL.
And I mean, it's not like crappy hosting without Let's Encrypt automation or the ability to add Cloudflare's origin CA, is going away. One of Cloudflare's selling points at the low end, is how the service stretches the capabilities and resources of less than optimal hosting and apps. I mean, the idea of running Wordpress without Cloudflare or a similar service in front, really gives me the heebie jeebies.
Not going half-way with SSL is sort of an ethical choice for me, exactly for the reason of not wanting to give a false sense of security, even at the cost of Google juice.
I'm technically proficient enough to understand that client -> Cloudflare https connections can stop a lot of ISP/last mile/LAN level tracking and code injection, though. And obvioulsy, Cloudflare is a MiTM. So it's a real choice with tradeoffs.
But I work at a grass-roots level where I usually am the only person tangible IT skills. When it comes down to it, I feel quite strongly that we should avoid messing with people's already vague understanding of what that "green lock" means.
The likelihood of a bad actor between Cloudflare and the origin server seems lower than a bad actor between Cloudflare and the user - where I'd class a coffee shop wifi portal page as a bad actor.
Cloudflare Indian datacentres are hosted on Airtel's networks.
Airtel by default blocks and replaces(with a notice) Piratebay traffic all across it's network due to multiple court orders.
Cloudflare India servers call the piratebay origin servers and ask for a master copy and Airtel instead gives the substitute page on all the http traffic from piratebay to cloudflare servers.
Cloudflare servers display the malformed page they received from Airtel to all clients(all ISP's) asking for piratebay in India.
No, Airtel substitutes Piratebay's response to CloudFlare.
This option is not recommended if you have any sensitive information on your website. It should only be used as a last resort if you are not able to setup SSL on your own web server, but it is less secure than any other option (even “Off”) [1]
So by CF's own admission this is less secure than having SSL disabled. That's of course technically incorrect assuming the visitor is aware that SSL is terminated at CloudFlare, and insecure from there to the origin server. If the visitor is aware of this distinction (and know what it means, which includes knowing where the CF edge and origins are located) then it does add some security (the coffeeshop's Wi-Fi etc).
However it's probably fair to assume that most visitors of CloudFlare-protected sites are not aware of this distinction. They're probably just aware that Green Lock + HTTPS = secure. So instead this product primarily gives a visitor a false sense of security, which in my opinion is much worse and potentially dangerous. I guess CloudFlare agrees with that; why else would they say it's less secure than no SSL?
In the end, CloudFlare should clarify why they continue to offer a seemingly secure encryption product that they themselves consider less secure than no encryption. They say it should only be used "as a last resort", but when is choosing "Flexible SSL" really the last resort? I mean, you can just disable SSL entirely or do it properly (and even get a free certificate from CF), both of which are more secure.
I don't know, but here's an idea: It might be a good product for CloudFlare customers, such as TBP, who don't care enough to actually secure their visitors' traffic, but still want to give the appearance thereof. Which is exactly what the more prominent product page lists as the advantages of "Flexible SSL"[2]:
- You do not need an SSL certificate on your server.
- Visitors will see the SSL lock icon in their browser.
I might be missing something and I'd honestly appreciate if someone can shed some light on this. I respect CloudFlare a lot and appreciate their efforts to improve internet security. It's just difficult to maintain a brand as a company on the forefront of the internet security battle, while also enabling customers to somewhat deceitfully give the appearance of security at the expense of their visitors' security and safety. It seems pretty clear that CF needs to discontinue this product before it hurt their brand as well as unassuming visitors.
[1] https://support.cloudflare.com/hc/en-us/articles/200170416-W...
One one hand, it seriously undermines the meaning of the browser padlock.
On the other hand, this has already been happening in less visible ways - Cloudflare is definitely not the first to do this. Plenty of sites and services terminate SSL early (and plenty of public CDNs offer edge SSL). The idea of end-to-end transport security via TLS is a bit flimsy to begin with tbh.
What I find disappointing is that it encourages the "checklist security" approach. Management/dev/ops sees that this is the simplest way to get the padlock to show up, and the story ends there.
Despite of that my point is that, for the vast majority of visitors, the solution ends up being less secure due to imperfect information; If you access a service over HTTP you can accurately asses the (lack of) security and, based on an informed assessment of the risks, decide wether you want to proceed.
If you access a site over a seemingly secure connection that is terminated prior to reaching the origin, then you most likely don't have the necessary information to assess the security and associated risks relative to what you're doing: Your browser is telling you that you're at the right domain and that the connection is secure with modern cryptography (if the site is using CloudFlare). However that's not the entire story.
The browser is not telling you that the secure connection is terminated at the CloudFlare edge. This leaves it to the CloudFlare-protected site to inform the visitor that the connection is only secure some of the way in order for the visitor to make an accurate assessment of the connection's security.
I don't think most CF customers who pick "Flexible SSL" are thoroughly and accurately informing visitors of these nuances (and even if they are an MITM can modify it). That's why I absolutely do not think it's better than HTTP -- exactly because of the problems outlined in this article.
In this case I'd argue that, from the perspective of a TBP visitor, "Flexible SSL" improves security on less relevant vectors while significantly decreasing security on the vectors that matter. The coffee shop owner probably doesn't care that much about the IP rights of H/Bollywood, but this is the attack vector that Flexible SSL helps mitigate. The government does however care about such rights and CloudFlare's ISP was forced/willing to help them. CFs solution did nothing to mitigate this vector.
Now I'm not saying this is all CloudFlare fault, but I do think they share a part of the responsibility. TBP's recklessness has allowed millions of people around the world to access and use their site under the false assumption that they were protected. What I don't get is why CloudFlare has any interest in enabling such behavior. They know full well the risks associated with this solution and even admit it's inferiority compared to commando-style unencrypted HTTP. It also decreases my trust in other CloudFlare-protected sites - for all I know, as a visitor, the site may or may not be using Flexible (or perhaps just "Broken") SSL.
My suggestion is simply that they use their knowledge to provide a better service to their customers and their visitors. That probably means discontinuing this product - or clarify why the don't think that's necessary.
https://medium.com/@sushubh/when-you-said-they-do-not-even-k...
1. Thanks to them many sites got SSL and sniffing your local network/ISP is source of majority of the problems.
2. Some SSL is better than no SSL, though it can also create illusion of full security.
3. You can configure encryption between CloudFlare and your origin. You probably should do that.
4. CloudFlare this year (May 2016) announce better tooling to encrypt between origin and their own CDN servers: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
In this scenario the illusion is a much bigger problem than the benefits. If I make a request over https I do not expect my traffic to be sent unencrypted over the open internet.
TPB could and should mitigate this attack with Origin TLS, yes.
The right approach to fix upstream MITM is to drop http+https mix and match mode.
There are basically two important points from this story.
> CF can't tell if it's the actual website or the notice from Airtel, and neither can the user.
> Airtel is implementing this block by looking at the Host: headers of ALL HTTP requests going out of CF, and since everyone in India will hit CF, they are now looking at the headers of all users in India, across ISPs.
It's entirely possible that they know about it. Considering their recent datacenter opening in India (again, not clear on laws but maybe they need to follow the blocking as ordered by DoT/courts?)
They just started operations in China and partnered with an ISP there, so unless they say that they are not involved, I'm sceptical about this.
