cedaei.com/content/posts/figuring-out-https-mitm.md

+++
title = "Figuring Out HTTPS MITM in India"
date = "2021-12-25"
author = "Ceda EI"
tags = ["security", "internet"]
keywords = ["security", "internet"]
description = "Being served a MITM page over HTTPS"
showFullContent = false
+++

Belonging to India, I am very used to seeing random websites being blocked.
However, today was particularly scary because the [MITM (Man In The Middle
attack)](https://en.wikipedia.org/wiki/Man-in-the-middle\_attack) happened over
HTTPS. I visited [usebottles.com](https://usebottles.com/) over HTTPS and was
served with the following page.

![](/images/usebottles\_censored.webp)

Notice the padlock in the address bar. Checking into it, the certificate is
valid and signed by [Cloudflare](https://cloudflare.com/).

![](/images/usebottles\_certificate.webp)

## Further Exploration and Hypothesis

The initial hypothesis was that the Indian Government or the ISP has
Cloudflare's signing keys and are serving the blocked page over HTTPS. This
seems unlikely however and would be a very severe thing and would essentially
erode all trust in HTTPS at scale as Cloudflare can sign any website's domain
which essentially means that ISPs could MITM

After a bit of exploration, the DNS entry of
[usebottles.com](https://usebottles.com) points to `172.67.197.25`  and
`104.21.92.184`. I checked that both of these IPs were owned by Cloudflare. To
ensure that the DNS entries weren't being MITM attacked either, I checked for
the same from my Hetzner Server.

The second possibility that arises from this is that Cloudflare itself was
serving the blocked page. While more likely than the previous scenario, it is
still unlikely generally. I looked for any notices from Cloudflare about this
and could not find any.

At this point, I was mostly out of ideas. I looked into the source of the page
and found something interesting. The entire page's source was the following
(invalid) HTML:

```html
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" />
<style>
    body {
        margin: 0px;
        padding: 0px;
    }

    iframe {
        width: 100%;
        height: 100%
    }
</style>
<iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
```

The most interesting part of this was that the iframe's URL pointed to
[airtel.in](https://www.airtel.in/). Airtel is an ISP in India, however, I was
not using internet services from Airtel.

My presumption is based on this.

## Final Hypothesis

This is what I presume is happening.

```
Me <---> Cloudflare <---> usebottles' server
     1                2
```

So far, we have been assuming the MITM is happening at `1` i.e. between Me and
Cloudflare. However, the fact that `2` is secure isn't guaranteed.

My best guess is that the Cloudflare server I am getting connected to happens
to be using Airtel as the ISP. When Cloudflare's server tries to connect to
usebottles' server, Cloudflare gets MITM attacked by their ISP - Airtel.
Likely, SSL is not enforced between Cloudflare and usebottles' server. Thus,
Cloudflare connects to usebottles' server over HTTP.

Normally, a connection would happen the following way:

1. I connect to https://usebottles.com/
2. I get connected to Cloudflare's server.
3. Cloudflare's server reaches out to usebottle's server.
4. usebottles' server sends a response.
5. Cloudflare signs the response with the certificate.
6. I get a webpage over HTTPS.

What seems to be happening is:

1. I connect to https://usebottles.com/
2. I get connected to Cloudflare's server.
3. Cloudflare's server reaches out to usebottle's server.
4. **Airtel intercepts the request and sends the blocking page**
5. Cloudflare signs the **blocking page** with the certificate.
6. I get **blocking page** served over HTTPS.

I would be interested in knowing if there are any alternative explanations to
this or something I have missed. You can [contact
me](https://webionite.com/#contact) to let me know!