captn3m0
commented
2 years ago Wrote a letter to CloudFlare detailing the issue: https://github.com/captn3m0/hello-cloudflare
Open captn3m0 opened 2 years ago
captn3m0
commented
2 years ago Wrote a letter to CloudFlare detailing the issue: https://github.com/captn3m0/hello-cloudflare
First reported on Reddit
CloudFlare servers in India get MITMd by the network provider (Airtel) if the upstream is GitHub Pages and configured without end-to-end TLS.
Here is a curl log as proof that this happens even over HTTPS.
curl log
curl -vvv https://platesphp.com/ * Trying 172.67.147.246... * TCP_NODELAY set * Connected to platesphp.com (172.67.147.246) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Unknown (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Client hello (1): * TLSv1.3 (OUT), TLS Unknown, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com * start date: Jul 4 00:00:00 2021 GMT * expire date: Jul 3 23:59:59 2022 GMT * subjectAltName: host "platesphp.com" matched cert's "platesphp.com" * issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * TLSv1.3 (OUT), TLS Unknown, Unknown (23): * TLSv1.3 (OUT), TLS Unknown, Unknown (23): * TLSv1.3 (OUT), TLS Unknown, Unknown (23): * Using Stream ID: 1 (easy handle 0x556e4d012600) * TLSv1.3 (OUT), TLS Unknown, Unknown (23): > GET / HTTP/2 > Host: platesphp.com > User-Agent: curl/7.58.0 > Accept: */* > * TLSv1.3 (IN), TLS Unknown, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS Unknown, Unknown (23): * Connection state changed (MAX_CONCURRENT_STREAMS updated)! * TLSv1.3 (OUT), TLS Unknown, Unknown (23): * TLSv1.3 (IN), TLS Unknown, Unknown (23): * TLSv1.3 (IN), TLS Unknown, Unknown (23): < HTTP/2 200 < date: Fri, 07 Jan 2022 13:57:35 GMT < content-type: text/html < pragma: no-cache < cache-control: no-cache < cf-cache-status: DYNAMIC < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" < report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yNTsYU5MJc0ZELL2ztaW8egU1HroWVV9fqrUSmUPGms9Rd7CGCo0XQmC3ucspUSxifcmBxdUIqcbl5Q100MfZGE7zvtw3h1KeX12CqO7c1309o7eEf8VncwAhuVcf6QL"}],"group":"cf-nel","max_age":604800} < nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} < server: cloudflare < cf-ray: 6c9db2309cd626bd-BLR < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 < * TLSv1.3 (IN), TLS Unknown, Unknown (23): * Connection #0 to host platesphp.com left intactCloudFlare has known about this issue for years (actively hostile ISPs) and they don't seem to be doing anything about it. The two fixes here are:
You can see this thread on twitter for more details