
hello-cloudflare's Introduction

A public letter to Cloudflare to fix their snoopy vendor.

What

For the last few years, various websites hosted on GitHub Pages/Google App Engine and fronted using Cloudflare have been blocked in India due to Cloudflare relying on an upstream network provider with a misconfigured network (Airtel). The network flow looks like this:

User -> Any ISP -> Cloudflare -> Airtel (Cloudflare peering partner) -> (GitHub Pages|Google App Engine)

If a website is using "Flexible SSL" or "No SSL" as configured on Cloudflare, the connection between Cloudflare and (GitHub|Google) isn't encrypted, and Airtel blocks many such websites. Because Cloudflare terminates the TLS connection at their end, the browser shows a padlock, thus giving more authenticity to this incorrect block.

Impact

These are just a few of the many websites blocked. This disproportionately impacts the developer community, and especially older websites that had a reason to use Cloudflare on top of GitHub Pages - TLS support. Now that GitHub Pages natively offers SSL, most of these websites can directly be hosted on GitHub Pages.

Here's a list of various such reports:
Website Reports
teachyourselfcs.com https://twitter.com/oznova_/status/1467957261221830657
neovim.io https://twitter.com/sanchayan_maity/status/1479131300040564737 neovim/neovim.github.io#254
usebottles.com https://news.ycombinator.com/item?id=29358915 bottlesdevs/website#12
reactcommunity.org reactjs/reactjs.github.io#1 https://twitter.com/tecoholic/status/1480528265068515332 https://twitter.com/chiku__p/status/1465988817773481985
thephpleague.com https://www.reddit.com/r/india/comments/r3bc78/hey_anyone_facing_issues_with_airtel/ thephpleague/thephpleague.github.io#102
tldr.sh https://www.reddit.com/r/developersIndia/comments/p3kxi4/why_are_some_nonporn_dev_related_websites_blocked/ tldr-pages/tldr#7626
draftjs.org facebookarchive/draft-js#3086 https://twitter.com/vaishnavs0/status/1480403158631260161
pennapps.com https://twitter.com/skxrxn/status/1479520588955742209?s=20
termux.com https://twitter.com/geekodour/status/1478963440412626946 termux/termux.github.io#56
rsms.me https://twitter.com/sahilk/status/1479489063874752512 https://twitter.com/sahilk/status/1441104954408587264
shantanugoel.com https://twitter.com/prohack/status/1422233887522975744 https://forum.internetfreedom.in/t/website-blocking-report-and-wynk-ads-shantanugoel-com/2318
codewithrockstar.com RockstarLang/codewithrockstar.com#11 https://news.ycombinator.com/item?id=29481644
web.mightyme.in https://stackoverflow.com/questions/70420313/getting-the-website-has-been-blocked-as-per-order-of-ministry-of-electronics-an
buyday.in https://stackoverflow.com/a/70426860
boxbilling.org boxbilling/boxbilling#1178 https://twitter.com/MichaelAnandR/status/1471935979787194373
Node-OS.com NodeOS/nodeos.github.io#28
konvajs.com konvajs/konva#1161
breaks.eu.org https://www.reddit.com/r/developersIndia/comments/rg4fqb/airtel_blocked_my_projects_website_please_help/
platesphp.com thephpleague/plates#288 https://www.reddit.com/r/india/comments/r3bc78/hey_anyone_facing_issues_with_airtel/
coreui.io https://old.reddit.com/r/india/comments/p12qtq/why_did_govt_of_india_blocked_a_html_template/ coreui/coreui-website#19
4fw.pw #2
mpp.su #2
about.hacktohell.org https://twitter.com/hacktohell/status/1479484933785538562
one9x.org https://twitter.com/Ramank775/status/1465979965002846209
kossiitkgp.org https://twitter.com/OrkoHunter/status/1425089684535975937
orkohunter.net https://twitter.com/OrkoHunter/status/1425089684535975937
treyhunner.com https://twitter.com/abdulmuneer/status/1466289536833523714
wowjs.uk https://twitter.com/rahulrrnair/status/1465629811368357888
akshatmittal.com https://twitter.com/iakshatmittal/status/1479517378455040002
garudahacks.com https://twitter.com/skxrxn/status/1479520588955742209?s=20
noflojs.org noflo/noflo#863
docs.pixelfed.org pixelfed/docs#80
nodered.org https://community.cloudflare.com/t/website-blocked-for-some-users-in-india/300620
catalogue.nodered.org https://community.cloudflare.com/t/website-blocked-for-some-users-in-india/300620
codeception.com Codeception/codeception.github.com#591
srijanshetty.in https://twitter.com/srijanshetty/status/1468523289467179008
awesome-python.com https://github.com/vinta/awesome-python/issues/1909
bryanbraun.github.io bryanbraun/bryanbraun.github.io#42
pdm.fming.dev pdm-project/pdm#786 pdm-project/pdm#844
seaql.github.io SeaQL/seaql.github.io#12
pramod.io #10 Blocked even on Google App Engine
Several of these websites are critical to many developers, and none of these deserve to get blocked in India. Some of the above websites are no longer blocked, because the website owner switched away from Flexible SSL to Strict SSL. However, this only happens when someone notices the block, debugs the issue correctly, and the website owner understands and fixes the issue. This is not a viable solution in this case.

There are hundreds of reports on Twitter and GitHub.

Call to Cloudflare

Hey @Cloudflare, please take care of this. Indian developers have been blocked out of various critical websites because your upstream vendor (peering partner) has a misconfiguration. This has been going on for years, with no action or update at your end.

Here are a few simple requests:

  1. Get Airtel to fix the issue at their end.
  2. Switch to a different upstream (peer) if that doesn't happen.
  3. Publish a transparency report acknowledging the issue and confirming how many websites were incorrectly blocked without a court-order.
  4. Notify Flexible SSL users that their websites are getting blocked in India.

Flexible SSL is a decade-old product that has no place in the modern web. Users should get a big red warning when enabling such a product in today's times with free SSL certificates.

Help, my website is blocked

If you got a report about your website being blocked in India, with a message that reads:

The website has been blocked as per order of Ministry of Electronics and Information Technology under IT Act, 2000.

Here are a number of ways to fix the issue:

  1. Switch from Cloudflare to direct GitHub Pages, which supports TLS now.
  2. Enable HTTPS on GitHub Pages, and switch the upstream on Cloudflare to get strict SSL instead of flexible.
  3. Switch to a different hosting provider altogether (Cloudflare Pages, Netlify, ...)

If you aren't using Cloudflare, please open an issue.

If you'd like to notify a site owner, please send them this link: https://github.com/captn3m0/hello-cloudflare/blob/main/README.md#help-my-website-is-blocked
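
To confirm that a fetched response is the injected block page rather than your own content, the check below flags a body that consists of nothing but a single full-page iframe pointing at another site, which is the shape shown in the curl logs in this repository's issues. This is an added example, not part of the original README; the function and class names are hypothetical, and the "one foreign iframe, no visible text" heuristic is an assumption drawn from those logs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Body as it appears in the curl logs quoted in this repository's issues.
BLOCK_BODY = ('<meta name="viewport" content="width=device-width,initial-scale=1.0,'
              'maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}'
              'iframe{width:100%;height:100%}</style>'
              '<iframe src="https://www.airtel.in/court-orders/ " width="100%" '
              'height="100%" frameborder=0></iframe>')
# Constructed sample: a real page that merely embeds a third-party frame.
NORMAL_BODY = ('<html><body><h1>Docs</h1><p>Welcome.</p>'
               '<iframe src="https://player.example.net/v/1"></iframe></body></html>')


class _FrameCollector(HTMLParser):
    """Collect iframe targets and count visible text characters."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.text_chars, self._hidden = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._hidden += 1
        elif tag == "iframe":
            self.iframe_srcs.append((dict(attrs).get("src") or "").strip())

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())


def injected_frame_host(requested_host, body):
    """Return the foreign host when `body` is nothing but one iframe to another
    site (the shape of the block page), otherwise None."""
    parser = _FrameCollector()
    parser.feed(body)
    parser.close()
    if len(parser.iframe_srcs) != 1 or parser.text_chars:
        return None
    host = (urlsplit(parser.iframe_srcs[0]).hostname or "").lower()
    site = requested_host.lower()
    if not host or host == site or host.endswith("." + site):
        return None
    return host
```

Pass it the hostname you requested and the response body saved from an affected network; a non-None result names the host the replacement page frames in.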

Help fight Censorship in India

If you'd like to support the fight to fix the state of Internet censorship in India, and bring more transparency on how it works, please donate to the Internet Freedom Foundation. You will need a valid Indian PAN Card.

hello-cloudflare's People

Contributors

abhi4578, captn3m0, ignoramous, sreekaransrinath


hello-cloudflare's Issues

Add Past response from cloudflare

I have in the past reported this issue to Cloudflare through their Hackerone page (due to the lack of an appropriate platform to reach out to them on), this is the response I got (if you wanna add it to the readme):

Enabling SSL/TLS between Cloudflare and the origin site is a customer decision. When this protection is not enabled, as is the case here, an ISP can manipulate the requests before they reach Cloudflare. If this behavior is not desired, the customer must change the settings for the site in the Cloudflare dashboard.

Full report attached:
2022-02-10_report_1438600.pdf

pramod.io blocked intermittently

https://pramod.io is blocked intermittently. It uses Flexible SSL by Cloudflare and the site is hosted on Google App Engine

Looks as though the issue is similar to #2

Here's the log

➜  ~ curl -vvv https://pramod.io
*   Trying 104.21.46.98...
* TCP_NODELAY set
* Connected to pramod.io (104.21.46.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  6 00:00:00 2021 GMT
*  expire date: Jul  5 23:59:59 2022 GMT
*  subjectAltName: host "pramod.io" matched cert's "pramod.io"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe84a80b000)
> GET / HTTP/2
> Host: pramod.io
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Mon, 10 Jan 2022 15:47:54 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=czqWJfM8RpOL57j%2BcPH9p2%2FlH6ni1TTEHiHdXa%2Bxq%2FRlqJB%2B%2FieWk6D%2Bb0g%2FnqGOXjnL1rEFb2Mn3YSsNRXC%2BDjspgTX21Shhxlh%2FgzvqV2Re20aO2wRlVMvLnE%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6cb70be94b411da1-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* Connection #0 to host pramod.io left intact
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/court-orders/ " width="100%" height="100%" frameborder=0></iframe>* Closing connection 0

Transparency issue at Airtel

Behavior of Airtel is quite problematic & controversial.

They are blocking genuine sites without any illegal content matching with the name of blocked sites, without giving the right of being heard to the domain owner. There is no notice or public procedure available regarding that to appeal against the illegal action taken.

Moreover, they do not provide any reason, notice, govt. order copy, etc. to the blocked domain owner. This is against the right of the domain owner. Moreover, they are abusing their dominant position while taking one-way action.

I have also raised a complaint regarding that; they failed to provide any written reply and resolve the complaint. I have also demonstrated the issue to an Airtel Broadband support executive, but he said nothing is in our hands and failed to provide a written reason for doing so.

Kindly raise your voice against such action by the ISP. If any action is taken by an ISP against any domain, it must be available on a public platform/domain with a method to appeal against such an act.

slightly offtopic, ubuntu.com blocked?

Just noticed this some hours ago, any idea why ubuntu.com is blocked? Unable to build docker images locally on Airtel Prepaid and Fiber. Does anyone have contact with Airtel? apt uses http:// by default in /etc/apt/sources.list

Affects:

  • ubuntu.com
  • archive.ubuntu.com
  • security.ubuntu.com
  • ports.ubuntu.com
curl -v http://ubuntu.com
*   Trying 185.125.190.21:80...
* Connected to ubuntu.com (185.125.190.21) port 80 (#0)
> GET / HTTP/1.1
> Host: ubuntu.com
> User-Agent: curl/7.88.1
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Length: 262
< Content-Type: text/html
< 
* Closing connection 0
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="http://www.airtel.in/court-orders/ " width="100%" height="100%" frameborder=0></iframe>

Searched online, noticed someone has the same issue on linuxmint https://www.reddit.com/r/linuxmint/comments/1cbc8o2/error/

Cloudflare Pages

Switch from GitHub Pages to Cloudflare Pages. Then you just configure Cloudflare Pages to connect to your GitHub Repositories.

Anytime you commit to your repositories that are connected to Cloudflare Pages, Pages will automatically kick off a build and your site will be updated within a couple of minutes or so.

4fw.pw and mpp.su blocked intermittently

4fw.pw: Everything under / gets blocked, intermittently.
mpp.su: / never gets blocked, at least this page gets blocked, intermittently.
I'm able to load both the sites as on Fri Jan 7 21:19:00 IST 2022.
Both are gh-pages hosted with flexible-tls.
