“Boobs check” – Technique to verify if sites behind CDN are hosted in Iran
(twitter.com) 324 points by defly 3 days ago
Ah, Cloudflare. The world's most widely deployed encryption remover.
Could someone help me understand? I looked at: https://developers.cloudflare.com/ssl/origin-configuration/s... It seems to support multiple modes.
I didn't quite get if Automatic TLS (https://developers.cloudflare.com/ssl/origin-configuration/s...) could use plain transfers.
So:
* Is it insecure by default, or do you have to be intentionally insecure?
* Why would anyone pick the flexible/potentially-insecure option?
> Why would anyone pick the flexible/potentially-insecure option?
Because having a connection that's encrypted between a user and Cloudflare, then unencrypted between Cloudflare and your server is often better than unencrypted all the way. Sketchy ISPs could insert/replace ads, and anyone hosting a free wifi hotspot could learn things your users wouldn't want them to know (e.g. their address if they order a delivery).
Setting up TLS properly on your server is harder than using Cloudflare (disclaimer: I have not used Cloudflare, though I have sorted out a certificate for an https server).
The problem is that users can't tell if their connection is encrypted all the way to your server. Visiting an https url might lead someone to assume that no-one can eavesdrop on their connection by tapping a cross-ocean cable (TLS can deliver this property). Cloudflare breaks that assumption.
Cloudflare's marketing on this is deceptive: https://www.cloudflare.com/application-services/products/ssl... says "TLS ensures data passing between users and servers is encrypted". This is true, but the servers it's talking about are Cloudflare's, not the website owner's.
Going through to "compare plans", the description of "Universal SSL Certificate" says "If you do not currently use SSL, Cloudflare can provide you with SSL capabilities — no configuration required." This could mislead users and server operators into thinking that they are more secure than they actually are. You cannot get the full benefits of TLS without a private key on your web server.
Despite this, I would guess that Cloudflare's "encryption remover" improves security compared to a world where Cloudflare did not offer this. I might feel differently about this if I knew more about people who interact with traffic between Cloudflare's servers and the servers of Cloudflare's customers.
Historically?
1. Because TLS certificates were not free
2. Because firewall was "enough" in most people's minds
3. Because TLS was the most CPU intensive part of serving a static site
4. Because some people were using cheap shared hosting providers that upcharged for TLS
To be fair, Cloudflare is also the reason why most sites even have TLS at all, because it offered free certs (through letsencrypt I think?) in a fairly easy to set up way.
Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE)
Absolutely not, no. That is all thanks to Let's Encrypt.
People on this website will just type any wild lie. I kinda love it.
The sky is purple! Charlie Brown had hoes! Cloudflare invented Let's Encrypt! Just say anything you want! We live in a post-truth world, there's no need for anything you say to correspond to any external reality!
I'm not going to give them credit for the work that Lets Encrypt did.
Are we witch hunting Cloudflare now? What have they done? I think overall CF seems like a pretty decent company? Lol I'm a bit out of the loop it seems.
Also, what misinformation (other than claiming CF integrated with LE, but it turns out CF offered free certs before LE even existed lol) did I spread?
Interesting. I was just setting up a LB like this: client -> LB (nginx) -> TLS terminate for LB conn -> proxy_pass to backend, which is behind nginx and has separate TLS certs. It's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have set up LE certs for all local domains.
On a side note, nginx doesn't support HTTP/2 for https load balancing so I am thinking of switching to haproxy which supports it
What do you mean? I used self-signed for communication b/w LB and the nginx serving backend
Edit: I don't see any "machine name" on crt.sh for public LB which uses LE
Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a dns01 challenge is far better than using self-signed at home
I don't think this is true... a reverse proxy/CDN can see the full request URL even if the origin server is using TLS (unless you're using mTLS, which almost nobody is), and we don't even know if it's the proxy/CDN or the origin that is filtering based on keywords... but all of them could be doing it.
It'll also work DigiNotar-style, when using the only root CA blessed by the National Information Network for general use: I.R. Iran.
Digiboy is a treasure trove of enterprise software. Where else would I get a pirated hpe ilo license from?
How's this work with https like in the example? The hops along the way shouldn't see the path.
Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.
Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
Again, you are assuming a normal situation. The point is the country itself is operating (or has a heavy grip and perhaps even subsidizes) the backend CDN and enforcing that stuff in a rudimentary way.
"TLS between backend connections" usually involves termination and decryption on the frontend webserver and re-encryption of the upstream traffic, whatever it may be.
Has anything ever prevented you from having TLS on your origin server? You can even get a certificate from Cloudflare.
Have they started to use per-domain certificates for this, or can anyone who finds the origin bypass the check by creating their own (different) Cloudflare domain and pointing it at your origin?
Edit: Looks still the same by default, but at least they're (somewhat obscurely) documenting the issue and providing the option to use a custom cert now...
https://developers.cloudflare.com/ssl/origin-configuration/a...
> Is this implying that all TLS is terminated at the Iran border and proxied from there?
Yeah, the law-abiding type on the Iranian National Information Network (NIN), either using the Electronic Commerce Council's I.R.Iran CA for HTTPS or just HTTP.
> Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
Due to NIN registrations being not very anonymous, https://xkcd.com/538/ seems pretty appropriate if you want to use an unapproved certificate authority.
I'm wondering for what purpose one would be interested in finding out if a site is hosted in Iran or not.
Would assume it's to check if a site is foreign propaganda. A lot of the lesser-known news sites that you see linked on social media are actually psy-ops pushing an agenda, many of them foreign-based. Follow the technique in the article and you can easily blacklist Iranian ones.
Why are people in the (presumed) West particularly afraid of the propaganda of a Middle Eastern country? Is the intelligence/propaganda unit there so good that they can program minds from a different continent better than Western oligarchs? This has got “Russia stole American democracy with millions worth of FB ads” vibes to it.
But if there is an easy technical implement to avoid some propaganda then good on them I guess. Why not. One less thing to worry about.
Dozens of Scottish independence X accounts ‘went dark’ after Iranian internet blackout (https://www.telegraph.co.uk/politics/2025/06/25/scottish-ind...)
Iran is actively working hard to make us hate our fellow citizens. That matters.
Ask the person you are arguing with to denounce certain things and the response is often informative
If you’re in any western democracy you should worry about propaganda bots from Iran, DPRK, Russia, and China.
They have well known active operations of helping fuel the flames of political division by amplifying both sides of extremely divisive topics.
If you’ve ever engaged in flame wars about abortion, brexit, Scottish independence, the Ukraine war, the Gaza war, etc, there is a really good chance there were many participants from one of those parties.
Are you asking if there are pictures of boobs on the internet?
> So presumably Iran has a reverse proxy in front of the entire internet for HTTP?
Standard DPI firewalls can do that for you. Absolutely no issue.
It's a CDN, not an IP router. CDNs usually terminate TCP+TLS as close to the client as possible. This used to be done right at the edge - within the NIC for a long time, but CPUs have been more than capable for the last decade+
A few guesses:
1) CDN connects to backend server over TLS, using the national I.R. Iran root CA
2) CDN connects to backend server over HTTP
3) Backend server is running a nationally blessed Linux OS
For 1 & 2, the National Information Network would be implementing this DigiNotar style but they already own the root keys. For #3, the backend does so itself. These are the people who p0wned DigiNotar after all.
A long time ago, my friends and I found a "scary"-looking image, written in a mixture of English and Arabic, warning the viewer that they'd come afoul of ... I forget, some Iranian government department of censorship?
Naturally, we made it so that 1% of the requests to a forum we ran at the time displayed it to the viewer. :)
I am probably a little dumb, I read the article but don't understand what happened. Can some HNer kindly explain?
I guess that if you GET https://somedomain.com/boobs.jpg you get a 404 (not found) from a web server hosted outside of Iran, but if the server for the domain is hosted in Iran, you get a 403 (forbidden) because the request is intercepted by a firewall that detects the word "boobs" and rejects it with a 403 without forwarding it to the webserver that would usually return the 404.
> Why wouldn't the Iranian government just use its own ip space for the censorship message?
IP addresses are expensive if you're not the US. Also they might be reusing a standard corporate filtering product that expects to be deployed on a private network (and in a way, that's what the Iranian internet is).
I just tried this on a few Iranian websites and never got a 403, let alone an iframe.
I wonder if this could be broadened to a list of Wikipedia links to humanitarian content folks in repressed regimes are or might get blocked from. Tiananmen Square [1]. Wen Jiabao's staggering corruption [2]. Epstein's e-mails [3]. Et cetera.
Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.
[1] https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests...
[2] https://www.nytimes.com/2012/10/26/business/global/family-of...
Wow. The screenshot had the IP address exactly where I placed my finger to scroll, and iOS Safari briefly opened a popup window where it started connecting to that IP.
Fuck this shit, I’m moving to a hovel in the woods.
Along the same lines, I occasionally find myself cursing iOS for its willingness to just bring up the dialer and call a number. I really, really wish that it would confirm any dialing before doing it, especially if you didn't click on a phone number on a contact. Couple times I've ended up dialing a recent spam caller, which is the last thing I ever want to do.
There are a few options available if you press and hold it (Call, Message, Add to Existing Contact, Create New Contact, Delete).
I feel this only makes the fact that tapping calls without confirmation more annoying, though.
That's assuming there is something I can press and hold, e.g. a phone number displayed in Safari or an email.
Some apps seem to call some "make a phone call now" API, and that opens a modal pop-up with exactly two options – make the call or don't.
One workaround is to take a screenshot of the number being displayed, but... Come on, Apple.
Occasionally, if you're lucky enough, an option to copy the phone number shows up, it seems like completely at the whim of the OS. And that's after accidentally starting to dial the number, of course.
That may be specific to a web browser hyperlink. Click on an entry in your recent calls list and it'll immediately dial the number that called you.
Thanks for posting this. I mostly gave up on viewing the one or two Twitter feeds that interest me after nitter stopped working. It wasn't ideological, I just wasn't able to reliably view and navigate without an account, and when I made an account it just kept showing me like "black HS football player bad sportsmanship".
Looks like I've got about two years of James Cage White story arcs to check in on.
This has been so useful to me that I've created a filter in URLCheck[0] that automatically converts all X-related links.
> XCancel is an instance of Nitter.
> Nitter is a free and open source alternative Twitter front-end focused on privacy and performance.
Where is the mission statement about wanting X gone?
This behavior only works when the reverse proxy or CDN is configured like this:
Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)
(example: Cloudflare in Flexible mode)
If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.
If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v
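Added example, not code from the thread or from any project it mentions: a small Python probe that applies the comparison the comments above describe (a neutral missing path should 404, while the keyword path coming back 403 means something between the edge and the origin is filtering on the URL, which per the last comment only happens when the edge-to-origin hop is plain HTTP or otherwise intercepted). It is meant for checking a domain you operate. The control path name, the User-Agent string and the sample HTML in the comments are constructed for this example.

```python
import http.client
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONTROL_PATH = "/zz-control-probe.jpg"  # constructed neutral name, expected to 404 on any origin
KEYWORD_PATH = "/boobs.jpg"             # the path discussed in the thread


class _IframeSrcs(HTMLParser):
    """Collect <iframe src=...> values; the thread reports the 403 page carrying an iframe."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def iframe_hosts(body: str) -> list:
    """Hostnames referenced by iframes in an HTML body (empty list if none)."""
    parser = _IframeSrcs()
    parser.feed(body)
    return [urlsplit(s).hostname for s in parser.srcs if urlsplit(s).hostname]


def fetch(host: str, path: str, timeout: float = 10.0):
    """GET https://host/path without following redirects; returns (status, body text)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "probe-example/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("utf-8", errors="replace")
    finally:
        conn.close()


def classify(host: str, control_status: int, keyword_status: int, keyword_body: str) -> str:
    """'filtered' = control 404 but keyword 403 (URL filter in the edge-to-origin path);
    the iframe suffix lists block-page frames pointing at a host other than the probed one.
    'consistent' = both paths answered alike (no evidence of keyword filtering).
    'inconclusive' = anything else (WAF on the control path, rate limiting, redirects)."""
    if control_status == 404 and keyword_status == 403:
        foreign = [h for h in iframe_hosts(keyword_body) if h != host]
        return "filtered-with-injected-frame:" + ",".join(foreign) if foreign else "filtered"
    if control_status == keyword_status:
        return "consistent"
    return "inconclusive"


def probe(host: str) -> str:
    control_status, _ = fetch(host, CONTROL_PATH)
    keyword_status, keyword_body = fetch(host, KEYWORD_PATH)
    return classify(host, control_status, keyword_status, keyword_body)
```

Run it as `probe("your.example")` from a Python shell; a "consistent" result is expected for an origin that terminates TLS itself, because the proxy then cannot see the path.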