
Ask HN: What to do when CloudFlare is on an Adult block list - nateguchi
We got a call this morning from a client that couldn't access his website from his home broadband (Sky UK). After an hour of investigation it turned out that one of the IPs that CloudFlare returns for the DNS query for the site is on an "Adult Content" blocklist.

Moving off CloudFlare is difficult now as Google has identified the client's site as SSL and the client doesn't have the budget for the $20 a month it costs to add SSL to Heroku.

I have contacted CloudFlare about this, but thought I'd mention to HN that some of the CloudFlare IPs are blocked in the UK on certain ISPs.
======
sublimino
Shared SSL certificates from CloudFlare are also loaded with porn sites. For
[https://www.binarysludge.com](https://www.binarysludge.com)

[https://www.sslshopper.com/ssl-checker.html#hostname=https:/...](https://www.sslshopper.com/ssl-checker.html#hostname=https://www.binarysludge.com)

Time to finally get that StartSSL cert I've been talking about...
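
A diagnostic for the two findings above (the OP's partially blocked CloudFlare IP and the shared certificate's SAN list), added here as example code that is not from the thread or from CloudFlare: it resolves every address for a hostname, probes each one individually with the real hostname as SNI, and reports which addresses fail, which is how an IP-level filter shows up as intermittent breakage. Hostnames and addresses in the comments and in any run are assumptions; the script only needs the standard library.

```python
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Added diagnostic, not code from the thread. It probes every address a
# hostname resolves to, because when a filter lists only one of a CDN's
# shared IPs the site fails only for visitors whose resolver picks that IP.

def resolve_all(hostname: str) -> List[str]:
    """Every A/AAAA address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe_ip(hostname: str, ip: str, timeout: float = 5.0) -> Tuple[str, List[str]]:
    """Connect to one specific ip while presenting hostname as SNI and Host (what
    curl --resolve does). Returns the HTTP status line and the DNS SANs of the
    certificate served, which on a shared certificate lists every other name that
    rides on it. A filter on this path shows up as a reset, a timeout or a
    certificate that fails verification, all of which raise OSError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            sans = [n for k, n in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
            req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return status, sans

def survey(hostname: str, resolver: Callable = resolve_all,
           prober: Callable = probe_ip) -> Dict[str, str]:
    """Map each resolved IP to its HTTP status line or to the error it produced."""
    results: Dict[str, str] = {}
    for ip in resolver(hostname):
        try:
            results[ip] = prober(hostname, ip)[0]
        except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
            results[ip] = f"ERROR: {exc}"
    return results

def diagnosis(results: Dict[str, str]) -> str:
    """'ok' if every IP answers 2xx/3xx, 'blocked' if none does, 'partial' if only
    some do: the intermittent breakage the thread describes."""
    def answered(s: str) -> bool:
        parts = s.split()
        return s.startswith("HTTP/") and len(parts) > 1 and parts[1][:1] in "23"
    good = sum(answered(s) for s in results.values())
    if results and good == len(results):
        return "ok"
    return "blocked" if good == 0 else "partial"
```

Run `survey("www.example.test")` from the affected connection and from an unaffected one; a "partial" result on only the filtered line is the signature of an IP-level blocklist hit, and the SAN list from `probe_ip` shows which unrelated names share the certificate that address serves.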

~~~
AlyssaRowan
Wouldn't help in general. Firstly, lots of sites on Sky's default block list
_aren't_ porn.

Secondly, StartSSL is a terrible certificate authority who charges for
revocations (even after Heartbleed) in clear contravention of CA/B Forum
guidelines. Perhaps wait for Let's Encrypt later in the year instead.

Thirdly, this also affects shared hosting. We are now out of IPv4 addresses in
RIPE, and we need encryption everywhere - IPv6 is one solution but SNI and
shared hosting is an essential transitional tool. That's why CloudFlare have
deployed it the way they have. Censorship simply can't be allowed to stand in
the way.

Sky need to fix their shit here, which is to say, turn it back off by default.

~~~
geographomics
> charges for revocations (even after Heartbleed) in clear contravention of
> CA/B Forum guidelines

The guidelines don't state that revocations must be free of charge, where are
you getting that from?

~~~
claudius
Point 7.1.2.8 states that "the CA Will revoke the Certificate for any of the
reasons specified in these Requirements". This is a warranty made by the CA
towards all "Certificate Beneficiaries", which includes "All Relying Parties
who reasonably rely on a Valid Certificate", i.e. the general public.

Unfortunately, it is not made absolutely clear what "reasons specified in
these Requirements" means. There are a couple of occurrences of "the CA SHALL
revoke if X", but these are obviously not binding.

However, nowhere does it say that failure to pay on the side of the
certificate recipient would be a reason for the CA not to do their job. I
would also find it very weird if the quality of warranties made by a CA
towards me depended on someone else paying the CA some money – in other words,
I’m fine with the CA charging its customers to revoke certs, I’m not fine with
the CA not revoking if its customers fail to pay.

EDIT: Link to PDF: [https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf](https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)

~~~
geographomics
But if you look at the bylaws of the CA/B forum [1], they explicitly exclude
discussion of "pricing policies, pricing formulas, prices or other terms of
sale" as part of their mandate.

So we can't assume a position for or against revocation charges - it's just
not within the scope of the guidelines. Which are non-binding and advisory
anyway.

[1] [https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Byl...](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.1.2.pdf)

~~~
claudius
I’m not against revocation charges per se, I’m against charges being paid
prior to revocation. So a CA including something like “if we have to revoke
this cert, you have to pay $20; we will revoke under these circumstances: …”
would be perfectly fine with me – terms in legal contracts requiring one party
to pay a certain amount if certain situations arise are not uncommon, so I
don’t think this would have legal issues.

My problem is really that a CA says “we know this cert is bad but won’t revoke
it, sorry about that”, just because the owner of the cert (someone absolutely
irrelevant to me) doesn’t pay up.

~~~
geographomics
Could you outline a scenario where you make a request that someone else's
certificate be revoked, yet it's of such little importance that you refuse to
pay the $25 fee that may possibly be charged?

------
monkeymagic
You can get the client to disable this via the My Sky page here:
[https://secure.sky.com/mysky-homepage/indexb](https://secure.sky.com/mysky-homepage/indexb)

This is opt-in so they clicked a button somewhere when Sky asked them if they
wanted adult content blocking.

If anyone opts in to blocking, it's their funeral. It doesn't work. Sky's
blocking even kills the ThinkPad wiki.

~~~
nateguchi
It seems that for the three people I have contacted, they have no recollection
of being opted in to this adult blocking service.

~~~
monkeymagic
It asks you when you first connect the router. I suspect most people you have
contacted are likely to have subconsciously (or thoughtlessly) opted in.

If you let me know the URL, I can test from here as I'm on the end of a Sky
connection without the opt in blocking so that would confirm if it is that or
not.

~~~
nateguchi
I can't let you know the URL, but
[http://medfirstalert.com/](http://medfirstalert.com/) is one of the other
seemingly okay domains on this IP

~~~
monkeymagic
That's fair.

The domain above resolves fine with and without the block:
[http://i.imgur.com/AIqtrxF.png](http://i.imgur.com/AIqtrxF.png)

DNS cache was flushed between each hit.

------
andy_boot
I'd spin it differently - "Sky has put some of your site on the Adult block
list."

This way you make it clear that it is Sky's fault and to make it work you just
have to opt-out of the adult blacklist.

~~~
smeyer
Getting the IPs removed from Sky's list might be a viable solution, but I think
just opting out of the adult blacklist isn't. The client probably cares
substantially about whether his site is visible to the (I assume) many people
in the UK who haven't opted out.

------
quicksilver03
Does anybody else think that $20 a month for an SSL certificate is way too
much, Heroku or not? I can get a domain-validated SSL certificate for $5.95
_per year_ and even providers of shared hosting are able to install it at no
cost (WebFaction and NearlyFreeSpeech come to mind).

~~~
michaelbuckbee
Heroku doesn't do a great job explaining what that $20/mo provides - it's not
for an SSL certificate. It's for an SSL-terminating load balancer that sits in
front of your app instances.

~~~
Artemis2
That's still very expensive, Cloudflare offers it for free, with a free
certificate.

~~~
dangrossman
That Cloudflare offers it for free doesn't change the economics for everyone
else. They do a lot for free that anyone else would charge for. IP allocations
are not free, extra load balancers are not free, labor to set up custom certs
on load balancers is not free. If you put a CDN in front of your site and want
SSL termination on it, then _every_ node in every location needs to have that
cert installed and potentially an extra IP address for it, each. Companies
aren't charging extra for SSL solely because they think they can gouge you on
it; it's really not free to deploy.

------
Swifty
If it is his home broadband, why not get your client to speak to Sky and
opt out of the adult blacklist?

~~~
nateguchi
He's worried that other Sky broadband customers cannot access his site.

------
mobiplayer
Happily CloudFlare has offices in the UK, so it is a good thing you brought
this issue up with them. I'm sure they'll have some quick mechanisms to fix
this already.

------
ddorian43
Maybe you can contact the shitty blacklist and inform them?

~~~
nateguchi
I'm guessing that there is actually adult content on this IP, but also hundreds
of other websites.

~~~
ddorian43
You can block the domain name?

The same thing can be said for shared hosting.

Even VPSs recycle IPs (EC2)?

------
nissehulth
Collateral damage from David Cameron putting pressure on ISPs to block
inappropriate content.

~~~
monkeymagic
Actually this is likely Sky's opt-in adult content filtering. It really isn't
mandatory.

Any content blocking is prone to false positives and people will learn that
eventually.

~~~
darkr
Sky's filtering is now opt-_out_:

> What we’re doing now is simply making sure that the automatic position of
> Sky Broadband Shield is the safest one for all – that’s ‘on’, unless
> customers choose otherwise.

src: [https://corporate.sky.com/media-centre/our-blog/2015/sky-bro...](https://corporate.sky.com/media-centre/our-blog/2015/sky-broadband-shield-rolling-out-to-all-our-customers)

~~~
ionwake
When the whole opt-in opt-out thing hit the news I remember all the press was
insisting it was opt-in. Simply insisting, then basing their arguments off
that.

------
azurelogic
Buy a cheap SSL cert from RapidSSL ($11/year via namecheap). Get $5
DigitalOcean server, and reverse proxy whatever you're serving with nginx.
Done for $5/month.

Bonus points: get the guy a private VPN on there too.

------
DanBC
Why did it take an hour of investigating -- I mean, what message was the
client getting from the filter? (And why are clients so terrible at reporting
error messages?)

I submitted the page you get from BT if you try to visit KAT. It might be
useful if there's a collection of similar pages somewhere?

[https://news.ycombinator.com/item?id=8989964](https://news.ycombinator.com/item?id=8989964)

~~~
nateguchi
We had to find some more people on the same ISP to find it was Sky that was
the problem.

------
youngtaff
You haven't really stated why they're using CloudFlare - is it for the free
TLS?

To be honest if they can't afford the $240/year to get TLS added to Heroku
perhaps they've got bigger problems?

