Website blocked in India #7626

Closed
captn3m0 opened this issue Jan 7, 2022 · 4 comments

Comments

@captn3m0

captn3m0 commented Jan 7, 2022

First reported on Reddit

CloudFlare servers in India get MITM'd by the network provider (Airtel) if the upstream is GitHub Pages and configured without end-to-end TLS.

Here is a curl log as proof that this happens even over HTTPS.

curl log
curl https://tldr.sh -vvv
* Rebuilt URL to: https://tldr.sh/
*   Trying 104.21.44.67...
* TCP_NODELAY set
* Connected to tldr.sh (104.21.44.67) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  5 00:00:00 2021 GMT
*  expire date: Jul  4 23:59:59 2022 GMT
*  subjectAltName: host "tldr.sh" matched cert's "tldr.sh"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55f2f34af600)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: tldr.sh
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< date: Fri, 07 Jan 2022 14:01:53 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KgMAgmQxJX3BV3lHSYM4N0otvDqY1GiUQaraoHpYvM5JKhpEzNyQFI%2FyoxsfF2DEkZTG1XGbRQgSpC4YeJCbF2FVwGQ9C8PzpK%2FMvDYCStMCwqNxPyVwu8pC"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 6c9db87c8c3b1da1-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host tldr.sh left intact
<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>

CloudFlare has known about this issue for years (actively hostile ISPs) and they don't seem to be doing anything about it. The two fixes here are:

  1. Switch from CloudFlare to direct GitHub Pages, which supports TLS now.
  2. Enable HTTPS on GitHub pages, and switch the upstream on CloudFlare to get strict SSL instead of flexible.

You can see this thread on Twitter for more details.
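The symptom described above (a certificate that verifies fine, but a body that is nothing more than an iframe to the ISP's block page) can be caught by inspecting the response body rather than the TLS handshake. The following is an added example, not code from this issue or from the tldr project; it reuses the injected HTML quoted in the curl log as sample input, and the other two bodies are constructed:

```python
"""Detect an ISP-injected block page behind a valid-looking HTTPS response.

With Cloudflare "Flexible" SSL the edge-to-origin hop is plain HTTP, so an
on-path network can rewrite the page while the client still sees a valid
Cloudflare certificate. Certificate checks therefore pass; only the body
reveals the tampering.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Body taken verbatim from the curl log in this issue.
INJECTED_BODY = (
    '<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>'
    '<iframe src="https://www.airtel.in/dot/" width="100%" height="100%" '
    'frameborder=0></iframe>'
)
# Constructed comparison bodies: a normal page, and a page that legitimately
# embeds an iframe from its own subdomain.
LEGIT_BODY = "<html><head><title>tldr pages</title></head><body><h1>tldr</h1></body></html>"
SAME_SITE_BODY = '<html><body><iframe src="https://docs.tldr.sh/embed"></iframe></body></html>'


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def foreign_iframe_hosts(body: str, expected_host: str) -> list:
    """Return hosts of iframes that are neither expected_host nor a subdomain of it.
    Relative srcs (no host) count as same-site."""
    parser = _IframeCollector()
    parser.feed(body)
    parser.close()
    foreign = []
    for src in parser.srcs:
        host = urlparse(src).hostname or expected_host
        if host != expected_host and not host.endswith("." + expected_host):
            foreign.append(host)
    return foreign


def is_injected_block_page(body: str, expected_host: str, max_len: int = 2048) -> bool:
    """A short body whose only real content is a third-party iframe is the
    shape of the block page seen in this issue; anything else is left alone."""
    return len(body) <= max_len and bool(foreign_iframe_hosts(body, expected_host))
```

Running this over the three bodies flags only INJECTED_BODY (foreign host www.airtel.in); a monitor that fetches the site from inside the affected network can alert on that result. It detects the symptom only; the fix remains serving the origin over TLS and using strict rather than flexible SSL.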

@captn3m0
Author

captn3m0 commented Jan 7, 2022

Wrote a letter to CloudFlare detailing the issue: https://github.com/captn3m0/hello-cloudflare

@CleanMachine1
Member

@captn3m0 Has this been addressed?

@captn3m0
Author

captn3m0 commented Apr 4, 2022

This is hard to validate externally due to the issue being intermittent. Since it's still pointing to Cloudflare, this can be closed if Flexible SSL is turned off in the Cloudflare settings.

I'm unable to reproduce it currently (tried a few different ISPs).

@github-actions github-actions bot added the Stale label Jun 13, 2022
@pixelcmtd pixelcmtd removed the Stale label Jun 23, 2022
@marchersimon
Collaborator

@captn3m0 please just reopen this issue if it appears again. I'll close this for now.
