[Entry] Figuring Out HTTPS MITM in India

content/posts/figuring-out-https-mitm.md

@@ -0,0 +1,107 @@
++++
+title = "Figuring Out HTTPS MITM in India"
+date = "2021-12-25"
+author = "Ceda EI"
+tags = ["security", "internet"]
+keywords = ["security", "internet"]
+description = "Being served a MITM page over HTTPS"
+showFullContent = false
++++
+
+Belonging to India, I am very used to seeing random websites being blocked.
+However, today was particularly scary because the [MITM (Man In The Middle
+attack)](https://en.wikipedia.org/wiki/Man-in-the-middle\_attack) happened over
+HTTPS. I visited [usebottles.com](https://usebottles.com/) over HTTPS and was
+served with the following page.
+
+![](/images/usebottles\_censored.webp)
+
+Notice the padlock in the address bar. Checking into it, the certificate is
+valid and signed by [Cloudflare](https://cloudflare.com/).
+
+![](/images/usebottles\_certificate.webp)
+
+## Further Exploration and Hypothesis
+
+The initial hypothesis was that the Indian Government or the ISP has
+Cloudflare's signing keys and are serving the blocked page over HTTPS. This
+seems unlikely however and would be a very severe thing and would essentially
+erode all trust in HTTPS at scale as Cloudflare can sign any website's domain
+which essentially means that ISPs could MITM
+
+After a bit of exploration, the DNS entry of
+[usebottles.com](https://usebottles.com) points to `172.67.197.25`  and
+`104.21.92.184`. I checked that both of these IPs were owned by Cloudflare. To
+ensure that the DNS entries weren't being MITM attacked either, I checked for
+the same from my Hetzner Server.
+
+The second possibility that arises from this is that Cloudflare itself was
+serving the blocked page. While more likely than the previous scenario, it is
+still unlikely generally. I looked for any notices from Cloudflare about this
+and could not find any.
+
+At this point, I was mostly out of ideas. I looked into the source of the page
+and found something interesting. The entire page's source was the following
+(invalid) HTML:
+
+```html
+<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" />
+<style>
+    body {
+        margin: 0px;
+        padding: 0px;
+    }
+
+    iframe {
+        width: 100%;
+        height: 100%
+    }
+</style>
+<iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
+```
+
+The most interesting part of this was that the iframe's URL pointed to
+[airtel.in](https://www.airtel.in/). Airtel is an ISP in India, however, I was
+not using internet services from Airtel.
+
+My presumption is based on this.
+
+## Final Hypothesis
+
+This is what I presume is happening.
+
+```
+Me <---> Cloudflare <---> usebottles' server
+     1                2
+```
+
+So far, we have been assuming the MITM is happening at `1` i.e. between Me and
+Cloudflare. However, the fact that `2` is secure isn't guaranteed.
+
+My best guess is that the Cloudflare server I am getting connected to happens
+to be using Airtel as the ISP. When Cloudflare's server tries to connect to
+usebottles' server, Cloudflare gets MITM attacked by their ISP - Airtel.
+Likely, SSL is not enforced between Cloudflare and usebottles' server. Thus,
+Cloudflare connects to usebottles' server over HTTP.
+
+Normally, a connection would happen the following way:
+
+1. I connect to https://usebottles.com/
+2. I get connected to Cloudflare's server.
+3. Cloudflare's server reaches out to usebottle's server.
+4. usebottles' server sends a response.
+5. Cloudflare signs the response with the certificate.
+6. I get a webpage over HTTPS.
+
+What seems to be happening is:
+
+1. I connect to https://usebottles.com/
+2. I get connected to Cloudflare's server.
+3. Cloudflare's server reaches out to usebottle's server.
+4. **Airtel intercepts the request and sends the blocking page**
+5. Cloudflare signs the **blocking page** with the certificate.
+6. I get **blocking page** served over HTTPS.
+
+I would be interested in knowing if there are any alternative explanations to
+this or something I have missed. You can [contact
+me](https://webionite.com/#contact) to let me know!