{"@attributes":{"version":"2.0"},"channel":{"title":"security on Ceda EI's Blog","link":"https:\/\/cedaei.com\/tags\/security\/","description":"Recent content in security on Ceda EI's Blog","generator":"Hugo -- gohugo.io","language":"en-us","copyright":"CC-BY-SA 4.0","lastBuildDate":"Sat, 25 Dec 2021 00:00:00 +0000","item":{"title":"Figuring Out HTTPS MITM in India","link":"https:\/\/cedaei.com\/posts\/figuring-out-https-mitm\/","pubDate":"Sat, 25 Dec 2021 00:00:00 +0000","guid":"https:\/\/cedaei.com\/posts\/figuring-out-https-mitm\/","description":"<p>Belonging to India, I am very used to seeing random websites being blocked.\nHowever, today was particularly scary because the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\" target=\"_blank\" rel=\"noreferrer noopener\">MITM (Man In The Middle\nattack)<\/a> happened over\nHTTPS. I visited <a href=\"https:\/\/usebottles.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">usebottles.com<\/a> over HTTPS and was\nserved with the following page.<\/p>\n<p><img src=\"https:\/\/cedaei.com\/images\/usebottles_censored.webp\" alt=\"\"><\/p>\n<p>Notice the padlock in the address bar. Checking into it, the certificate is\nvalid and signed by <a href=\"https:\/\/cloudflare.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cloudflare<\/a>.<\/p>\n<p><img src=\"https:\/\/cedaei.com\/images\/usebottles_certificate.webp\" alt=\"\"><\/p>\n<h2 id=\"further-exploration-and-hypothesis\">Further Exploration and Hypothesis<\/h2>\n<p>The initial hypothesis was that the Indian Government or the ISP has\nCloudflare&rsquo;s signing keys and is serving the blocked page over HTTPS. 
This\nseems unlikely, however, and would be a very severe thing; it would essentially\nerode all trust in HTTPS at scale, as Cloudflare can sign any website&rsquo;s domain,\nwhich essentially means that ISPs could MITM.<\/p>\n<p>After a bit of exploration, the DNS entry of\n<a href=\"https:\/\/usebottles.com\" target=\"_blank\" rel=\"noreferrer noopener\">usebottles.com<\/a> points to <code>172.67.197.25<\/code> and\n<code>104.21.92.184<\/code>. I checked that both of these IPs were owned by Cloudflare. To\nensure that the DNS entries weren&rsquo;t being MITM attacked either, I checked for\nthe same from my Hetzner server.<\/p>\n<p>The second possibility that arises from this is that Cloudflare itself was\nserving the blocked page. While more likely than the previous scenario, it is\nstill unlikely generally. I looked for any notices from Cloudflare about this\nand could not find any.<\/p>\n<p>At this point, I was mostly out of ideas. I looked into the source of the page\nand found something interesting. The entire page&rsquo;s source was the following\n(invalid) HTML:<\/p>\n<pre><code class=\"language-html\">&lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0,maximum-scale=1.0&quot; \/&gt;\n&lt;style&gt;\n    body {\n        margin: 0px;\n        padding: 0px;\n    }\n\n    iframe {\n        width: 100%;\n        height: 100%\n    }\n&lt;\/style&gt;\n&lt;iframe src=&quot;https:\/\/www.airtel.in\/dot\/&quot; width=&quot;100%&quot; height=&quot;100%&quot; frameborder=0&gt;&lt;\/iframe&gt;\n<\/code><\/pre>\n<p>The most interesting part of this was that the iframe&rsquo;s URL pointed to\n<a href=\"https:\/\/www.airtel.in\/\" target=\"_blank\" rel=\"noreferrer noopener\">airtel.in<\/a>. 
Airtel is an ISP in India; however, I was\nnot using internet services from Airtel.<\/p>\n<p>My presumption is based on this.<\/p>\n<h2 id=\"final-hypothesis\">Final Hypothesis<\/h2>\n<p>This is what I presume is happening.<\/p>\n<pre><code>Me &lt;---&gt; Cloudflare &lt;---&gt; usebottles' server\n     1                2\n<\/code><\/pre>\n<p>So far, we have been assuming the MITM is happening at <code>1<\/code>, i.e. between Me and\nCloudflare. However, the fact that <code>2<\/code> is secure isn&rsquo;t guaranteed.<\/p>\n<p>My best guess is that the Cloudflare server I am getting connected to happens\nto be using Airtel as the ISP. When Cloudflare&rsquo;s server tries to connect to\nusebottles' server, Cloudflare gets MITM attacked by their ISP - Airtel.\nLikely, SSL is not enforced between Cloudflare and usebottles' server. Thus,\nCloudflare connects to usebottles' server over HTTP.<\/p>\n<p>Normally, a connection would happen the following way:<\/p>\n<ol>\n<li>I connect to <a href=\"https:\/\/usebottles.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/usebottles.com\/<\/a><\/li>\n<li>I get connected to Cloudflare&rsquo;s server.<\/li>\n<li>Cloudflare&rsquo;s server reaches out to usebottles' server.<\/li>\n<li>usebottles' server sends a response.<\/li>\n<li>Cloudflare signs the response with the certificate.<\/li>\n<li>I get a webpage over HTTPS.<\/li>\n<\/ol>\n<p>What seems to be happening is:<\/p>\n<ol>\n<li>I connect to <a href=\"https:\/\/usebottles.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/usebottles.com\/<\/a><\/li>\n<li>I get connected to Cloudflare&rsquo;s server.<\/li>\n<li>Cloudflare&rsquo;s server reaches out to usebottles' server.<\/li>\n<li><strong>Airtel intercepts the request and sends the blocking page.<\/strong><\/li>\n<li>Cloudflare signs the <strong>blocking page<\/strong> with the certificate.<\/li>\n<li>I get the <strong>blocking page<\/strong> served over 
HTTPS.<\/li>\n<\/ol>\n<p>I would be interested in knowing if there are any alternative explanations to\nthis or something I have missed. You can <a href=\"https:\/\/webionite.com\/#contact\" target=\"_blank\" rel=\"noreferrer noopener\">contact\nme<\/a> to let me know!<\/p>\n"}}}