Open letter to CloudFlare

I wrote up a letter to CloudFlare asking them to fix their snoopy vendor (Airtel).

As many folks on the Internet have noticed recently, a large number of developer focused websites seem to be blocked across India while being hosted by CloudFlare.

Here’s the letter: GitHub - captn3m0/hello-cloudflare: A public letter to CloudFlare to fix their snoopy vendor

I wrote a short thread on Twitter as well: https://twitter.com/captn3m0/status/1479473512783826948

Hopefully, this results in some action at CloudFlare/Airtel end.

8 Likes

Hey @nemo great work as usual!

I was wondering if this issues persists if we’re using Cloudflare pages instead of GitHub pages. If I’m not wrong, Cloudflare issues Full (strict) SSL for sites hosted on Cloudflare Pages.

1 Like

Cloudflare Pages is directly hosted on Cloudflare, so there is no upstream involved for Airtel to MITM the connection through. (There’s some scenarios where Cloudflare might fetch the data from outside India, but I’m guessing these are also encrypted so Airtel can’t MITM - this was a core PRISM finding in fact).

Moreover, these issues are happening because Airtel doesn’t like connections that go towards GitHub Pages specifically for some reason.

As such, if your site is hosted on Cloudflare Pages, it shouldn’t be impacted.

1 Like

Any updates on this?

Also, I’d like to add that airtel is doing something very shady.
Airtel happens to be my ISP, and I’ve noticed that random websites are blocked with the airtel notice (shamelessly plugging wink on the same page as well) randomly. Out of boredom, I wrote a shitty script to fetch a few common websites a bunch of times to check for the notice. Every once in a while, a site that usually isn’t blocked (youtube.com, google.com, wikipedia.org) also gives you the airtel notice for a tiny while. The opposite happens for blocked websites too (pornhub.com, xvideos.com, bannedthought.net): keep reloading the page and sometimes it messes up and lets you in.

Dunno how this piece of info would be useful (especially since it only happens with http; the blocked websites go through sometimes with https tho) but I’m just leaving this here.