Airtel is sniffing and censoring CloudFlare’s traffic in India

So basically any CDN using Airtel's co-located servers is at risk of one of their customers' sites being blocked in India, with or without their consent. And that too cutting across all ISPs:

TL;DR — Some(or all) of CloudFlare’s India Data Centers use Airtel’s network to connect to servers upstream, and Airtel is sniffing ALL unencrypted traffic going upstream from CloudFlare, and even censoring some.

It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to http://airtel.in/dot, which is a notice saying that the site is blocked as per the Department of Telecom’s orders.


https://medium.com/@karthikb351/air...ey-don-t-even-know-it-90935f7f6d98#.dlhr5m394
 
And these telecom companies are saying they want to give internet or what will be left of it if they block all the websites like this. Net neutrality is a joke. We should ask TRAI why they're allowing such blocking.
 
TL;DR — Airtel is sniffing and intercepting ALL unencrypted traffic going upstream from CloudFlare’s India data centres, irrespective of what ISP the user is on. This potentially affects everyone in India accessing ANY of the 2 million+ sites on CloudFlare.

An unknown agency in India, possibly telco Airtel, is quietly capitalising on encryption gaps in sites tended by DDOS-buster CloudFlare to intercept and redirect users.

Little is yet known about the attacks, so far detected targeting piracy torrent site The Pirate Bay and a handful of other outfits.

CloudFlare engineers have, at the time of writing, emerged from an emergency meeting to investigate the now verified claims that traffic to their customer sites is being intercepted.

Visitors to intercepted websites are redirected to an AirTel page which reads that the "requested URL has been blocked as per the directions received from Department of Telecommunications, Government of India".

The redirect page does not necessarily confirm that the interception is the handiwork of AirTel.

India has blocked sites for nearly two decades without formal policy, but it is the first time it has so directly capitalised on absent security measures to deny access to a URL.

Some of CloudFlare's sites include those run by political dissidents, hacking forums, and piracy sites. Such sites are often in the crosshairs of governments.


India-based developer Abhay Rana (@captn3m0) and security researcher Shantanu Goel (@shantanugoel) discovered the Pirate Bay traffic interception, which they suspected may be thanks to cooperation between CloudFlare and the Indian Government, or due to security flaws on behalf of the anti-distributed denial of service attack provider.

CloudFlare founder Matthew Prince told The Register that the company concluded a meeting less than an hour ago and says there are no security flaws on its side, but that the company was blind-sided by the interception.

Prince says the attacks occurred at CloudFlare's Chennai and New Delhi data centres but not at its Mumbai point of presence.

"It appears to only affect traffic that is being passed over an unencrypted link," Prince says.

"Whatever the system is that is looking for the requests might not be installed in Mumbai, we don't know, but it appears to be triggered off the host header in requests.

"It suggests there is some system that is running either at the edge of India's network or within AirTel that is at least conducting infection of host headers in requests."

Prince says the company is examining "all traffic" to locate other affected customer sites, but did not name impacted clients.

The company offers free and paid distributed denial of service attack mitigation and uptime and anonymity services to a host of web properties.

The Indian Government may have reason to target CloudFlare customers.

The tech company has since 2014 offered its paid enterprise distributed denial-of-service mitigation services to established political blogs, news sites, and other public interest organisations for free under Project Galileo.

AirTel representatives contacted by CloudFlare were not aware of the interception but are investigating the matter.

The Register has contacted the company for comment.

Prince says interception is seemingly possible only for sites that do not use encryption on origin servers.

CloudFlare in May asked customers to install its free certificate to help admins accomplish the task.

Writer Karthik Balakrishnan has further analysis of the attacks which CloudFlare has largely vetted as accurate, sans its claimed intentional involvement or security flaws.



Medianama's chit chat with Cloudflare CEO:


In response to MediaNama’s queries, Airtel sent a boilerplate response and hasn’t responded to further queries. The response, attributable to “An Airtel spokesperson”, says:
“This is completely baseless and incorrect. As a policy, Airtel does not block/sniff any content. Only in the case of instructions/orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/https. This also has nothing to do with the validity of any certificate.”

Cloudflare CEO Matthew Prince spoke with MediaNama in detail about the issue:

MediaNama: What’s going on?

Matthew Prince, Cloudflare: We saw that blog post yesterday. It’s the first time we had any notice of anything like that. We’ve only ever seen this happen with one particular customer, and you can probably figure out who that is (Piratebay). What appeared to be happening was that something for that particular customer was interfering with traffic from the edge of our network, to the origin of that particular customer outside of India.

Cloudflare is a proxy. There's a client, the browser, Cloudflare and the origin server where the content is actually hosted. Something was affecting our ability to connect directly to the customer's origin. We are in 3 cities in India: Chennai, Delhi and Mumbai.
It was only happening in Chennai and Delhi, and not in Mumbai, even across Airtel's network. We don't have an explanation of why that was happening.
We reached out to Airtel, who is a vendor of ours, and they initially denied that they were doing anything to interfere with the traffic.
They said that this particular customer had a government request, to block access to the site. We see that from time to time in other countries around the world. Specifically, it affects requests connecting to Cloudflare. It doesn't affect requests from Cloudflare to the customer's origin.

Our contract with Airtel specifies that they may not modify or intercept any of our traffic on either side, but there’s an exception that if they are ordered to by the government, that they can do so. They have let us know that in this particular case there was an order that came from the government to restrict access to this particular site.

That particular customer had set up their configuration in such a way that the connection from Cloudflare back to the customer's origin was not passed over an encrypted link. Cloudflare has the ability to pass that over an encrypted link. We don't have any idea why this particular customer chose to do that, but that's the customer's decision.

We verified what was happening from a technical perspective and it appears to be that either Airtel or some gateway after Airtel is sniffing for particular closed headers. For instance if we send a request to Google's infrastructure, or we set a host header for a domain that we know is being blocked, then that gets the redirect as well. If that connection is over an encrypted connection, then it isn't able to pull that host header out for the redirect and is unable to redirect the traffic going through the system. Most of our customers are set up in a manner that the traffic from Cloudflare servers back to their origin is encrypted. I don't know why this customer did that, but that would have prevented the type of intercept.

Cloudflare being involved or not being involved doesn’t matter all that much. Usually what happens is that the intercept happens in front of our network. In this case, the intercept happened behind our network, which is the first time we’ve seen that. We’ve done some investigation across our network to see if there are other sites.

Cloudflare has over 5 million sites on it, including some very large organizations in India. We have not found any other site where this is happening, although it's not particularly easy for us to. We haven't received any other reports for any other site. Speculation is that if there is another site which received a government request and they're passing their origin traffic over an unencrypted link, there would be this potential of the traffic being intercepted.

MediaNama: You've said that Airtel is allowed to block traffic if there's a government order. But from what we have read, privacy is being compromised because in order to block the site, the header of every unencrypted packet is being read.

Matthew Prince, Cloudflare: That is something that we’re following up with Airtel about. We’re not sure if they’re sniffing every unencrypted packet, or if they’re sniffing an unencrypted packet to a particular IP address. Obviously if they were sniffing every unencrypted packet, then that is something which we would find very problematic.

MediaNama: What do you plan to do about this?

Matthew Prince, Cloudflare: At some level, there is not much for us to do. If the customer wants to they can encrypt the connection back to the origin. My hunch is that that would just kick the can down the road, and ISPs would block traffic to Cloudflare for particular IPs that the customer was using. That is something that we see from governments around the world. What we try to do is not let the policies of one government affect the people outside that country.

And if this is something that people of India think is irresponsible for the government to be doing, that duty of fixing that law falls upon people like you. We have to comply with what the local laws are and we are not doing anything to assist the censoring of any part of the network, but at the same time, we are not going to do anything to actively subvert an Indian law, even if this is something that we disagree with.

I’m hopeful that this will spur a dialog in your country, whether ISPs should play a role in picking what can and cannot be accessed online.

However barring any legal request, they are not supposed to be intercepting or modifying the content from our network.

MediaNama: As far as I understand, they wouldn’t know the IP address of the host server?

Matthew Prince, Cloudflare: They should not. That is true.

MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?

Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.

MediaNama: If there’s any change in how Cloudflare deals with traffic, in the light of this incident, do let us know.

Matthew Prince, Cloudflare: In this particular case, if the customer were to change the setting the situation would be resolved likely for them, but again, that is not our role, to do this on their behalf.


Source: http://www.medianama.com/2016/07/223-cloudflare-ceo-matthew-prince-airtel-sniffing-data-packets/
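The host-header sniffing Prince describes above, as an added Python example that is not part of the original thread or of Cloudflare's code: it shows what a middlebox can read from a cleartext origin pull and flags an origin reply that carries the airtel.in/dot block-notice signature seen in the thread. The request and responses are constructed samples; blocked.example is a placeholder.

```python
import re
from typing import Optional

# Signature of the interception described in the thread: a blank page that
# loads an iframe from http://airtel.in/dot, or a redirect to that notice.
# Patterns are constructed for this example, not Cloudflare's or Airtel's code.
_IFRAME = re.compile(rb"<iframe[^>]*src=[\"']?https?://airtel\.in/dot", re.I)
_LOCATION = re.compile(rb"^Location:\s*https?://airtel\.in/dot", re.I | re.M)


def host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header of a cleartext HTTP/1.x request, or None.

    This is what a middlebox on an unencrypted origin pull can read. Over
    TLS the request line and headers sit inside the encrypted record; only
    the SNI hostname in the handshake remains visible on the path.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def looks_intercepted(raw_response: bytes) -> bool:
    """True if the origin's reply carries the block-notice signature."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    return bool(_LOCATION.search(head) or _IFRAME.search(body))


def check_origin_pull(scheme: str, raw_request: bytes, raw_response: bytes) -> dict:
    """Classify one edge-to-origin exchange for an operator's review."""
    exposed = host_header(raw_request) if scheme == "http" else None
    verdict = {"scheme": scheme, "host_visible_on_path": exposed,
               "intercepted": looks_intercepted(raw_response)}
    if verdict["intercepted"]:
        verdict["action"] = "origin reply was tampered with; move the origin pull to HTTPS"
    elif exposed:
        verdict["action"] = "Host header travels in cleartext; enable encrypted origin pull"
    else:
        verdict["action"] = "no cleartext Host header exposed"
    return verdict


# Constructed samples (not real captures); blocked.example is a placeholder.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n"
                  b"User-Agent: edge-proxy\r\n\r\n")
SAMPLE_TAMPERED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b'<html><body><iframe src="http://airtel.in/dot"></iframe></body></html>')
SAMPLE_CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real origin page</html>"
```

Run `check_origin_pull("http", SAMPLE_REQUEST, SAMPLE_TAMPERED)` against a captured edge-to-origin exchange to see both the exposed Host value and the tamper verdict; with `scheme="https"` the Host header is reported as not visible on the path.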
 
TRAI is the one who sends those blocking letters to ISPs bro. My uncle is a NOC team member at Nextra and he said this.
 
#Failtel #AirtelSucks

I read the OP. This was something I discussed sometime back, we had an Airtel Internet Leased Line and saw block for some sites, but had no idea they were doing this even to CDNs.

In other news, Hindustan Times is the next site which is deploying anti ad blockers.

TRAI is the one who sends those blocking letters to ISPs bro. My uncle is a NOC team member at Nextra and he said this.

Can you ask him who is running the PeerExtreme torrent caching service in India on 10 series IPs and maybe more details on that? Would love to know more about that.
 