Yesterday, Karthik Balakrishnan, a volunteer with SaveTheInternet.in, wrote about how Airtel was possibly checking each and every unencrypted packet of data going to sites connected with the popular Content Delivery Network Cloudflare. The analysis published suggested that since Cloudflare was using Airtel for connectivity with host servers, every packet of data between Cloudflare and the host server (in this case for The Pirate Bay) was being checked by Airtel for its destination, and if it was in violation of government orders, it was being blocked. What this means is that, merely by virtue of Cloudflare’s partnership with Airtel, every unencrypted connection between Cloudflare and the content servers (in this case, for every user accessing The Pirate Bay torrent site) was being monitored and blocked by Airtel by inserting an iframe, even if the end user isn’t an Airtel customer.
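The tampering described above shows up in the HTTP response itself: a reply that should come from the origin instead carries a redirect or an injected iframe pointing at some other host. The following detector is an added example written for this article, not code from SaveTheInternet.in, Airtel or Cloudflare; the sample responses and the hostname `blocked.example.invalid` are constructed.

```python
"""Flag an unencrypted HTTP response that tries to send the client to a
host other than the one requested (3xx Location or injected <iframe>).
Added example; sample responses below are constructed, not captured."""
import re
from urllib.parse import urlsplit

IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def foreign_hosts(requested_host: str, raw: bytes) -> list:
    """Return every host the response points the browser at that differs
    from the host we asked for.  An empty list means nothing suspicious;
    relative URLs (no host) are ignored because they stay on the origin."""
    status, headers, body = parse_response(raw)
    targets = []
    if 300 <= status < 400 and "location" in headers:
        targets.append(headers["location"])
    targets += IFRAME_SRC.findall(body)
    found = []
    for target in targets:
        host = urlsplit(target).hostname
        if host and host.lower() != requested_host.lower():
            found.append(host.lower())
    return found


# Constructed samples: what the origin actually serves, and the same
# page with a blocking-notice iframe injected on the path.
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><a href='/page'>ok</a></body></html>")
TAMPERED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><iframe src='http://blocked.example.invalid/notice'>"
            b"</iframe></body></html>")

if __name__ == "__main__":
    print(foreign_hosts("origin.example.com", CLEAN))     # []
    print(foreign_hosts("origin.example.com", TAMPERED))  # ['blocked.example.invalid']
```

Comparing the same fetch over the encrypted origin link against the plain-HTTP one is the practical check: the iframe only ever appears in the unencrypted copy.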
In response to MediaNama’s queries, Airtel sent a boilerplate response and hasn’t responded to further queries. The response, attributable to “An Airtel spokesperson”, says:
“This is completely baseless and incorrect. As a policy, Airtel does not block/sniff any content. Only in the case of instructions/orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/https. This also has nothing to do with the validity of any certificate.”
Cloudflare CEO Matthew Prince spoke with MediaNama in detail about the issue:
MediaNama: What’s going on?
Matthew Prince, Cloudflare: We saw that blog post yesterday. It’s the first time we had any notice of anything like that. We’ve only ever seen this happen with one particular customer, and you can probably figure out who that is (Piratebay). What appeared to be happening was that something for that particular customer was interfering with traffic from the edge of our network to the origin of that particular customer outside of India.
Cloudflare is a proxy. There’s a client, the browser, Cloudflare and the origin server where the content is actually hosted. Something was affecting our ability to connect directly to the customer’s origin. We are in 3 cities in India: Chennai, Delhi and Mumbai. It was only happening in Chennai and Delhi, and not in Mumbai, even across Airtel’s network. We don’t have an explanation of why that was happening. We reached out to Airtel, who is a vendor of ours, and they initially denied that they were doing anything to interfere with the traffic. They said that this particular customer had a government request to block access to the site. We see that from time to time in other countries around the world. Specifically, it affects requests connecting to Cloudflare. It doesn’t affect requests from Cloudflare to the customer’s origin.
Our contract with Airtel specifies that they may not modify or intercept any of our traffic on either side, but there’s an exception that if they are ordered to by the government, that they can do so. They have let us know that in this particular case there was an order that came from the government to restrict access to this particular site.
That particular customer had set up their configuration in such a way that the connection from Cloudflare back to the customer’s origin was not passed over an encrypted link. Cloudflare has the ability to pass that over an encrypted link. We don’t have any idea why this particular customer chose to do that, but that’s the customer’s decision.
We verified what was happening from a technical perspective and it appears to be that either Airtel or some gateway after Airtel is sniffing for particular host headers. For instance, if we send a request to Google’s infrastructure, or we set a host header for a domain that we know is being blocked, then that gets the redirect as well. If that connection is over an encrypted connection, then it isn’t able to pull that host header out for the redirect and is unable to redirect the traffic going through the system. Most of our customers are set up in a manner that the traffic from Cloudflare servers back to their origin is encrypted. I don’t know why this customer did that, but that would have prevented the type of intercept.
Cloudflare being involved or not being involved doesn’t matter all that much. Usually what happens is that the intercept happens in front of our network. In this case, the intercept happened behind our network, which is the first time we’ve seen that. We’ve done some investigation across our network to see if there are other sites.
Cloudflare has over 5 million sites on it, including some very large organizations in India. We have not found any other site where this is happening, although it’s not particularly easy for us to. We haven’t received any other reports for any other site. Speculation is that if there is another site which received a government request and they’re passing their origin traffic over an unencrypted link, there would be this potential of the traffic being intercepted.
MediaNama: You’ve said that Airtel is allowed to block traffic if there’s a government order. But from what we have read, privacy is being compromised because in order to block the site, the header of every unencrypted packet is being read.
Matthew Prince, Cloudflare: That is something that we’re following up with Airtel about. We’re not sure if they’re sniffing every unencrypted packet, or if they’re sniffing an unencrypted packet to a particular IP address. Obviously if they were sniffing every unencrypted packet, then that is something which we would find very problematic.
MediaNama: What do you plan to do about this?
Matthew Prince, Cloudflare: At some level, there is not much for us to do. If the customer wants to, they can encrypt the connection back to the origin. My hunch is that that would just kick the can down the road, and ISPs would block traffic to Cloudflare for particular ISPs that the customer was using. That is something that we see from governments around the world. What we try to do is not let the policies of one government affect the people outside that country.
And if this is something that people of India think is irresponsible for the government to be doing, that duty of fixing that law falls upon people like you. We have to comply with what the local laws are and we are not doing anything to assist the censoring of any part of the network, but at the same time, we are not going to do anything to actively subvert an Indian law, even if this is something that we disagree with.
I’m hopeful that this will spur a dialog in your country, whether ISPs should play a role in picking what can and cannot be accessed online.
However, barring any legal request, they are not supposed to be intercepting or modifying the content from our network.
MediaNama: As far as I understand, they wouldn’t know the IP address of the host server?
Matthew Prince, Cloudflare: They should not. That is true.
MediaNama: So the only way they can understand what to block via this route is by sniffing every packet?
Matthew Prince, Cloudflare: That is what I’m concerned about, but we don’t have a satisfactory answer at this point. But you are correct, that is what I infer.
MediaNama: If there’s any change in how Cloudflare deals with traffic, in the light of this incident, do let us know.
Matthew Prince, Cloudflare: In this particular case, if the customer were to change the setting, the situation would likely be resolved for them, but again, that is not our role, to do this on their behalf.