
Ask HN: How Did My ISP MITM a TLS Connection to the Pirate Bay? - tls-intercepted
When I opened https://thepiratebay.se/ today, I got a blank page. Looking at the source revealed something rather suspicious (slightly reformatted, and removed identifiers):

  <meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/>
  <style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>
  <iframe src="http://{isp-ip}:8080/webadmin/deny/index.php?dpid=1&amp;dpruleid=3&amp;cat={some-id}&amp;ttl=0&amp;groupname=-&amp;policyname=-&amp;username=-&amp;userip={my-ip}8&amp;connectionip=127.0.0.1&amp;nsphostname=Policy03-Chennai&amp;protocol=policyprocessor&amp;dplanguage=-&amp;url=http%3a%2f%2fthepiratebay%2ese%2f" width="100%" height="100%" frameborder=0></iframe>

Here {isp-ip} belongs to my ISP, Airtel (it falls inside the IP range 182.64.0.0 - 182.79.255.255, which belongs to them).

The certificate returned for thepiratebay.se (belonging to Cloudflare) was in perfect order, so how could my ISP MITM this connection? Just to be sure that this is indeed an MITM, I checked this URL on the wayback machine, and this is what I got: http://imgur.com/77tbMqy. Nothing wrong here, no trace of the above code.

Here's the certificate that is returned to me: https://gist.github.com/anonymous/f01e495cf89de7c72684ebb368cac81b

The cipher suite used is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

Is one of Cloudflare or Pirate Bay acting in connivance with Airtel to return the strange response above?

Assuming that's not the case, what else could have happened? A closer look at the certificate reveals a lot of DNS names under the certificate subject alt name:

  Not Critical
  DNS Name: sni33780.cloudflaressl.com
  DNS Name: *.beeeeer.org
  DNS Name: *.durst.io
  DNS Name: *.messedupquotes.com
  DNS Name: *.ohhai.xyz
  DNS Name: *.thepiratebay.se
  ...

(see the certificate above for the complete list)

If my ISP controls one of the domains in this list, could it have carried out a successful attack without Cloudflare's help?
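
The last question turns on what a browser actually checks before trusting a certificate for a name: the chain must lead to a trusted root, one subjectAltName entry must match the requested hostname, and the server must prove possession of the private key during the handshake. Owning one of the other domains in the SAN list gives an ISP none of those. The added example below (not code from the thread) implements only the name-matching step, using the RFC 6125 wildcard rules and the truncated SAN list quoted in the post; the hostnames it is queried with are constructed, and because the list is only an excerpt, a "None" result for the apex name says nothing about the real certificate.

```python
"""Hostname-to-SAN matching as a browser performs it (added example, not from
the thread). SAN_LIST is the excerpt quoted in the post; queried names are
constructed for illustration."""

# dNSName entries quoted in the post (the post's list continues with "...")
SAN_LIST = [
    "sni33780.cloudflaressl.com",
    "*.beeeeer.org",
    "*.durst.io",
    "*.messedupquotes.com",
    "*.ohhai.xyz",
    "*.thepiratebay.se",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, the wildcard may only be
    the entire left-most label, and it matches exactly one label, so
    '*.example.com' covers 'www.example.com' but neither 'example.com'
    (the apex) nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject partial-label wildcards ('w*.example.com') and too-short
    # patterns such as '*.com'
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(hostname: str, sans=SAN_LIST):
    """Return the SAN entry that makes the certificate valid for hostname, or
    None if a browser would reject the certificate for that name."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    for name in ("www.thepiratebay.se", "thepiratebay.se", "a.b.durst.io",
                 "evil.ohhai.xyz", "sni33780.cloudflaressl.com"):
        print(f"{name:30} -> {cert_covers(name)}")
```

The name check is the only one of the three that an outsider can satisfy by registering a domain, and passing it is worthless without the key: the ECDHE_ECDSA suite the post names means the server signs the key exchange with the certificate's private key, which only Cloudflare holds.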
======
lightlyused
According to this, the domain name is sent unencrypted in the initial
handshake request.
[http://security.stackexchange.com/questions/86723/why-do-https-requests-include-the-host-name-in-clear-text](http://security.stackexchange.com/questions/86723/why-do-https-requests-include-the-host-name-in-clear-text)

------
snug
> If my ISP controls one of the domains in this list, could it have carried
> out a successful attack without Cloudflare's help?

No they cannot.

CloudFlare hold the private keys to those certificates. Did you visit the
iFrame source directly? Doesn't really seem like much tbh.

~~~
tls-intercepted
The iframe says:

"Your requested URL has been blocked as per the directions received from
Department of Telecommunications, Government of India. Please contact
administrator for more information."

Interestingly, since the iframe source is on http rather than https, browsers
refuse to load it. So users of this site end up seeing a blank page, which was
probably not what the ISP intended.
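
What the browser is doing here is mixed-content blocking: an https document may not load active content (frames, scripts) over plain http. The added example below (not code from the thread) reconstructs the injected body from the fragment quoted in the post, with the post's own placeholders kept, scans it for active http resources the way a monitoring script for "blank page" reports might, and pulls the policy identifiers out of the deny URL; the parameter names are those visible in the post, nothing else about the ISP's system is assumed.

```python
"""Detect active mixed content in a fetched HTML body and summarise the
injected block-page URL (added example; HTML reconstructed from the post's
quoted fragment, placeholders kept as constructed values)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

INJECTED_HTML = (
    '<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/>\n'
    '<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>\n'
    '<iframe src="http://{isp-ip}:8080/webadmin/deny/index.php?dpid=1&amp;dpruleid=3'
    '&amp;cat={some-id}&amp;ttl=0&amp;groupname=-&amp;policyname=-&amp;username=-'
    '&amp;userip={my-ip}8&amp;connectionip=127.0.0.1&amp;nsphostname=Policy03-Chennai'
    '&amp;protocol=policyprocessor&amp;dplanguage=-&amp;url=http%3a%2f%2fthepiratebay%2ese%2f"'
    ' width="100%" height="100%" frameborder=0></iframe>\n'
)


class ActiveContentScanner(HTMLParser):
    """Collect the src of every element that loads active (executable or
    framed) content; HTMLParser unescapes &amp; in attributes for us."""
    ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def find_mixed_content(page_url: str, html: str):
    """Return (tag, src) pairs a browser would block as active mixed content:
    the page is https but the resource is fetched over plain http."""
    if urlparse(page_url).scheme != "https":
        return []                       # an http page has no mixed content
    scanner = ActiveContentScanner()
    scanner.feed(html)
    return [(tag, src) for tag, src in scanner.sources
            if urlparse(src).scheme == "http"]


def describe_block_page(src: str):
    """Pull the policy-identifying fields out of the deny URL (parameter
    names are the ones visible in the post)."""
    query = parse_qs(urlparse(src).query)
    return {key: query[key][0]
            for key in ("dpid", "dpruleid", "nsphostname", "url") if key in query}


if __name__ == "__main__":
    for tag, src in find_mixed_content("https://thepiratebay.se/", INJECTED_HTML):
        print(tag, "blocked as mixed content:", describe_block_page(src))
```

Run over the page the poster received, the scanner reports exactly one blocked element, the iframe, and the decoded url parameter shows the block page was told the requested site as plain http://thepiratebay.se/, which is consistent with the poster's observation that the injected frame was never meant for an https page.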

------
thesmileyone
You could get a seedbox for your torrents, and use it as a tunnel to browse
the torrent sites?

