by Anunayj 1320 days ago
People really underestimate the full scale of this, especially today with so many sites using Cloudflare without a strict SSL reverse proxy connection. Cloudflare endpoints in India are INSIDE ISP networks [1], which means the ISP (and therefore by extension the government) sees EVERYTHING going out of Cloudflare's servers over HTTP in plaintext. Worse, the ISP will also modify that content, so you get the "This site has been blocked in India under directions from [...]" page over HTTPS, because that's what Cloudflare saw when it made its (insecure) HTTP request.

1. https://github.com/captn3m0/hello-cloudflare

5 comments

If I'm understanding you correctly, you are saying that the origin servers only listen on HTTP and that is where the ISP intercepts. Is it not common practice for the origin servers to also be using HTTPS? Afaik there's no simple way for the end user to know this though.
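The end user can't tell, but the origin operator can: if requests from Cloudflare's edge arrive at the origin over plain HTTP, the CDN-to-origin hop described at the top of the thread is live. The following is an added example, not code from the thread or from Cloudflare. It assumes a constructed origin log format (scheme, TCP peer IP, method, path) and embeds an illustrative subset of Cloudflare's published IP ranges; the authoritative list is at https://www.cloudflare.com/ips/ and changes over time, so a real audit must fetch it.

```python
import ipaddress
from collections import Counter

# Illustrative subset of Cloudflare's published IP ranges (assumption for this
# example; the authoritative, current list lives at https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2400:cb00::/32")
]

# Constructed origin-server log lines (not real traffic). Assumed format:
#   <scheme> <peer_ip> <method> <path>
# <peer_ip> is the TCP peer as seen by the origin, i.e. the Cloudflare edge node
# when the site is proxied, not the browser's address.
SAMPLE_LOG = """\
https 103.21.244.17 GET /
http 103.21.244.17 POST /login
http 2400:cb00:2048::1 GET /admin
https 198.51.100.9 GET /
http 198.51.100.9 GET /healthz
"""


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the embedded Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def classify(line: str) -> str:
    """Label one log line by which hop it exposes.

    cf_plaintext : Cloudflare -> origin over plain HTTP. This is the hop the
                   thread describes: anyone on the path (an ISP hosting the
                   edge node included) can read and rewrite the exchange.
    cf_tls       : Cloudflare -> origin over HTTPS.
    direct       : peer is not a Cloudflare edge, so the origin is reachable
                   without going through the CDN at all (may be a legitimate
                   local health check, or an exposed origin; inspect the path).
    """
    scheme, peer_ip, _method, _path = line.split(maxsplit=3)
    if not is_cloudflare(peer_ip):
        return "direct"
    return "cf_plaintext" if scheme == "http" else "cf_tls"


def audit(log_text: str) -> dict:
    """Count each class and collect the paths that crossed the plaintext hop."""
    counts = Counter()
    plaintext_paths = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = classify(line)
        counts[label] += 1
        if label == "cf_plaintext":
            plaintext_paths.append(line.split(maxsplit=3)[3])
    return {"counts": dict(counts), "plaintext_paths": plaintext_paths}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any non-zero `cf_plaintext` count means the zone is effectively in the insecure mode the thread complains about; the fix is on the origin (serve HTTPS, refuse plain HTTP) and in the CDN setting (require TLS to the origin), not in the audit.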
People who run the origin servers often use a CDN to do TLS termination because they are too incompetent to do it themselves. Not having to enable TLS is a major value-add for certain types and you'll see this advertised prominently by every CDN
There is another value add - being able to use self-signed certs and therefore not have to worry about renewals. Last I checked (~12 months ago), there still isn't a good story for doing automated SSL renewals if your application is completely containerized.
Terminating TLS for an HTTP app running on localhost is trivial. Something like this:

printf 'example.com\nreverse_proxy localhost:8000\n' > Caddyfile; docker run --net host -v "$PWD/Caddyfile:/etc/caddy/Caddyfile" caddy caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

It's slightly more complicated if you need redundancy, but not by much.
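The redundant variant of the one-liner above, as an added example (not code from the thread or from the Caddy project): a small POSIX sh function that emits a Caddyfile terminating TLS for one hostname and load-balancing across several local upstreams with health checks, plus the matching docker invocation. The hostname, upstream ports and /healthz path are assumptions for illustration. Caddy answers plain HTTP on port 80 only with a redirect to HTTPS, so the CDN-to-origin hop is forced onto TLS; a CDN pointed at such an origin in a mode that connects over plain HTTP gets a redirect loop rather than a plaintext session, which is the failure you want.

```sh
#!/bin/sh
# Added example: generate a redundant TLS-terminating Caddyfile and run Caddy.
# Hostname, upstream addresses and the health path are illustrative assumptions.
set -e

# gen_caddyfile <hostname> <upstream host:port>...
# Prints a Caddyfile: automatic HTTPS for <hostname>, round-robin proxying to the
# upstreams, active health checks so a dead backend is dropped from rotation.
gen_caddyfile() {
    host="$1"; shift
    printf '%s {\n' "$host"
    printf '    encode gzip\n'
    printf '    reverse_proxy %s {\n' "$*"
    printf '        lb_policy round_robin\n'
    printf '        health_uri /healthz\n'
    printf '        health_interval 10s\n'
    printf '        fail_duration 30s\n'
    printf '    }\n'
    printf '}\n'
}

# start_caddy <hostname> <upstream host:port>...
# Writes the config next to the script and starts the official image on the host
# network (so ports 80/443 and the localhost upstreams are reachable), persisting
# issued certificates in a named volume so renewals survive container restarts.
start_caddy() {
    gen_caddyfile "$@" > Caddyfile
    docker run -d --name caddy --net host \
        -v "$PWD/Caddyfile:/etc/caddy/Caddyfile:ro" \
        -v caddy_data:/data \
        caddy
}

# Show the generated config; set RUN_CADDY=1 to actually launch the container.
gen_caddyfile example.com localhost:8000 localhost:8001
if [ "${RUN_CADDY:-0}" = 1 ]; then
    start_caddy example.com localhost:8000 localhost:8001
fi
```

Redundancy here is at the backend, not the edge: the single Caddy instance is still one host. For a redundant edge you run the same config on two hosts behind a shared address (or DNS), and Caddy's `/data` volume has to be shared or each host obtains its own certificate.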

It’s unethical of CloudFlare et al to offer such a feature.
Why are we even blaming Cloudflare? Aren't web developers the ones who haven't enabled strict SSL? Cloudflare should recommend that users use strict SSL, but calling it unethical is quite a stretch... Sometimes it is useful, like hosting a Node.js app or a Docker container app without using a reverse proxy like Nginx.
Do you honestly believe the US government doesn't have the same access to cloudflare data within the states?
> the US government doesn't have the same access to cloudflare data within the states?

Yes. There is almost certainly access. But it’s partial and adversarial, not automatic as in India.

PRISM [1] didn't end when the media stopped reporting on it. If anything it's likely only become more emboldened given people's tepid response. This [2] is one of my favorite documents that was leaked. It's a user manual, "User's Guide For PRISM Skype Collection", for NSA agents spying on Skype "peer to peer" connections in real time.

It even includes a helpful FAQ like agents wondering why they might receive copies of the same message multiple times. What happens there is when somebody they're spying on logs in via another device, their resync process involves everything being sent right on over directly, automatically, and in real time to the NSA again. They can even spy on video/audio in real time, with some promises to agents frustrated about audio falling out of sync with video - that they were working on a technical solution.

The companies at the time participating in PRISM were Apple, Google, Microsoft, Facebook, and others. That's undoubtedly been long since expanded.

[1] - https://en.wikipedia.org/wiki/PRISM

[2] - https://www.aclu.org/sites/default/files/field_document/Guid...

PRISM is a good example of the difference between America and India. One, there's vocal and empowered opposition, opposition granted relief by the courts from time to time. Two, there was opposition–MUSCULAR involved hacking Google and Yahoo's clouds. Three, there is a warrant process. It's broken. It needs reform. But it exists.
What empowered opposition or successes? Many seem to have confused the highly publicized 'telephone metadata collection is unconstitutional' ruling with PRISM. That was related to other domestic spying bills - section 215 of the Patriot Act and its subsequent renewal under another spying act, the "USA Freedom Act." These cases/acts had nothing to do with PRISM.

Numerous cases have been filed against the NSA in regards to PRISM, with nothing even remotely close to success. They are invariably thrown out because the NSA acting illegally or unconstitutionally can only be challenged by somebody with standing. You only have standing if you can prove you have been surveilled and affected because of such. Nobody can prove standing, so it's impossible to legally challenge a likely illegal program. Great system we have.

A reminder that whatever else we might want to say about the comparative safeguards of the US and Indian "lawful intercept" systems, access to Indian servers for the US IC is fully automatic. You can't improve your resilience against the NSA by offshoring your data; offshore is where the NSA's authority is at its zenith.
Nowhere in the parent's comment did they mention the US. What's the point of your comment?

It's like if we were discussing a serial killer and you were like "don't you think other people have killed?"

The second reply to this post and someone is already redirecting the conversation to a country not mentioned in the story. Are you upset because you think India is being singled out? Nowhere in the article or the comment does it imply that.

On HN there are a massive amount of discussion about US government spying already, it's not something that people aren't aware of.

The parent comment is valid. The GP comment specifically highlighted the Indian networks as different, so that factoid being challenged (in efficacy rather than implementation) is a pretty valid stance.
Do you see a green lock with message saying "your access is restricted" in the US?

Do you see any TLS connection resets based on SNI? If not, most (all?) Indian ISPs already visibly do far more than the average American ISP.

Does cloudflare mention this anywhere?
pfft, it's India. People with access to sensitive data get paid peanuts. So you too can see "everything" by giving the right person a bag of nice mangoes.