A public letter to Cloudflare to fix their snoopy vendor.
What
For the last few years, various websites hosted on GitHub Pages/Google App Engine and fronted using Cloudflare have been blocked in India due to Cloudflare relying on a upstream network provider with a misconfigured network (Airtel). The network flow looks like this:
User -> Any ISP -> Cloudflare -> Airtel (Cloudflare peering partner) -> (GitHub Pages|Google App Engine)
If a website is using "Flexible SSL" or "No SSL" as configured on Cloudflare, the connection between Cloudflare and (GitHub|Google) isn't encrypted, and Airtel blocks many such websites. Because Cloudflare terminates the TLS connection at their end, the browser shows a padlock, thus giving more authenticity to this incorrect block.
Impact
These are just a few of the many websites blocked. This disproportionately impacts the developer community, and especially older websites that had a reason to use Cloudflare on top of GitHub Pages - TLS support. Now that GitHub Pages natively offers SSL, most of these websites can directly be hosted on GitHub Pages.
Here's a list of various such reports: (Click to expand)
There's hundreds reports on Twitter and GitHub
Call to Cloudflare
Hey @Cloudflare, please take care of this. Indian developers have been blocked out various critical websites because your upstream vendor (peering partner) has a misconfiguration. This has been going on for years, with no action or update at your end.
Here's a few simple requests:
- Get Airtel to fix the issue at their end.
- Switch to a different upstream (peer) if that doesn't happen.
- Publish a transparency report acknowledging the issue and confirming how many websites were incorrectly blocked without a court-order.
- Notify Flexible SSL users that their websites are getting blocked in India.
Flexible SSL is a decade-old product that has no place in the modern web. Users should get a big red warning when enabling such a product in today's times with free SSL certificates.
Help, my website is blocked
If you got a report about your website being blocked in India, with a message that reads:
The website has been blocked as per order of Ministry of Electronics and Information Technology under IT Act, 2000.
Here's a number of ways to fix the issue:
- Switch from Cloudflare to direct GitHub Pages, which supports TLS now.
- Enable HTTPS on GitHub pages, and switch the upstream on Cloudflare to get strict SSL instead of flexible.
- Switch to a different hosting provider altogether (CloudFlare Pages, Netlify, ...)
If you aren't using Cloudflare, please open an issue.
If you'd like to notify a site owner, please send them this link: https://github.com/captn3m0/hello-cloudflare/blob/main/README.md#help-my-website-is-blocked
Help fight Censorship in India
If you'd like to support the fight to fix the state of Internet censorship in India, and bring more transparency on how it works, please donate to the Internet Freedom Foundation. You will need a valid Indian PAN Card.