How is Airtel Blocking Even https:// Sites?

Sushubh

Administrator
Messages
425,227
Location
Gurugram
i guess excitel users are not getting the data from leetx through airtel datacenters!
 

Sushubh

Administrator
Messages
425,227
Location
Gurugram
shows vsnl.

actually it even goes to singapore. not even sure if cloudflare is coming anywhere :p
 


apuw

Member
Messages
72
Interesting analogy but it falls flat as Airtel is not only reading which websites the traffic is going to and blocking them but also injecting said sites with the DOT notice even on https://.
Remember, they aren't injecting data into your https stream, which is what https is mainly used for, end to end data security/integrity. They are simply redirecting you to a block page in the event you are accessing a webpage on the block list.
But they are injecting data into the https:// stream by showing the DOT notice on the https:// page itself without redirecting.
 

apuw

Member
Messages
72
Edit: I was wrong! I stand corrected thanks to @Karan, who's been on fire with the links and info he has posted. According to the great blog post that was linked, what Airtel is doing is terminating the connection to the blacklisted website as soon as it realizes and adding the DOT iframe. So it is not directly injecting data into https:// websites.

They indeed seem to be using Netsweeper to do this. We can confirm this by looking at the example provided in the article (though Julius Plenz identified the equipment being used as Cisco in the blog, it is indeed Netsweeper, as we'll see below).

Article iframe example:
Code:
<iframe src="http://94.201.7.202:8080/webadmin/deny/index.php?dpid=20&
  dpruleid=7&cat=105&ttl=0&groupname=Du_Public_IP_Address&policyname=default&
  username=94.XX.0.0&userip=94.XX.XX.XX&connectionip=1.0.0.127&
  nsphostname=YYYYYYYYYY.du.ae&protocol=nsef&dplanguage=-&url=http%3a%2f%2f
  pastehtml%2ecom%2fview%2fc336prjrl%2ertxt"
  width="100%" height="100%" frameborder=0></iframe>
Airtel iframe currently being loaded:
Code:
<iframe src="http://www.airtel.in/dot/?dpid=1&amp;dpruleid=3&amp;cat=107&amp;dplanguage=-&amp;url=http%3a%2f%2f1337x%2eto%2f" width="100%" height="100%" frameborder="0"></iframe>
We can see above that many URL parameters match, such as: dpid, dpruleid, dplanguage, url= and the width and height being 100%. These values are attributed to Netsweeper in the Citizen Lab report about Netsweeper:
These values: dpid, dpruleid, cat and dplanguage are identical parameters used by Netsweeper installations we have seen in Pakistan, Somalia, and Yemen.

Boom, there you have it: @Karan was correct and Airtel is indeed using Netsweeper to block websites in India. @Sushubh hope you can put this information somewhere for future visitors.

Also recommend reading the Citizen Lab report: https://citizenlab.ca/2016/09/tender-confirmed-rights-risk-verifying-netsweeper-bahrain/
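
The parameter comparison made in the post above can be automated. The following is an added example, not code from the thread or from the linked reports: it parses a block page's iframe, checks its query parameters against the four names in the Citizen Lab quote, and lists any fields that identify the subscriber. The function and constant names are hypothetical, and a match on parameter names alone is only a heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Parameter names the Citizen Lab quote in this thread attributes to Netsweeper.
NETSWEEPER_PARAMS = {"dpid", "dpruleid", "cat", "dplanguage"}
# Fields from the article's example that identify the subscriber or filter host.
IDENTIFYING_PARAMS = {"username", "userip", "connectionip", "nsphostname", "groupname"}

# The two iframes quoted in the thread, used as sample input.
AIRTEL_HTML = ('<iframe src="http://www.airtel.in/dot/?dpid=1&amp;dpruleid=3&amp;cat=107'
               '&amp;dplanguage=-&amp;url=http%3a%2f%2f1337x%2eto%2f" '
               'width="100%" height="100%" frameborder="0"></iframe>')
ARTICLE_HTML = '''<iframe src="http://94.201.7.202:8080/webadmin/deny/index.php?dpid=20&
  dpruleid=7&cat=105&ttl=0&groupname=Du_Public_IP_Address&policyname=default&
  username=94.XX.0.0&userip=94.XX.XX.XX&connectionip=1.0.0.127&
  nsphostname=YYYYYYYYYY.du.ae&protocol=nsef&dplanguage=-&url=http%3a%2f%2f
  pastehtml%2ecom%2fview%2fc336prjrl%2ertxt"
  width="100%" height="100%" frameborder=0></iframe>'''

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe>; entities such as &amp; are decoded."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "iframe" else None
        if src:
            # The article's example wraps the URL across lines; drop that whitespace.
            self.sources.append("".join(src.split()))

def analyse_block_page(html):
    """Return one finding per iframe: parameter overlap, blocked URL, leaked fields."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        query = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "deny_host": parts.netloc,
            # Heuristic: all four parameter names present, values not inspected.
            "netsweeper_like": query.keys() >= NETSWEEPER_PARAMS,
            "blocked_url": query.get("url", [None])[0],
            "identifying": sorted(query.keys() & IDENTIFYING_PARAMS),
        })
    return findings

if __name__ == "__main__":
    for finding in analyse_block_page(AIRTEL_HTML) + analyse_block_page(ARTICLE_HTML):
        print(finding)
```

The `identifying` list is empty for the truncated Airtel URL quoted above and non-empty for the article's example, which is the difference discussed later in the thread.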
 

apuw

Member
Messages
72
@itzmynet Your linked source was also correct as Airtel is not directly injecting any data into https:// (not sure if that can even be done). I apologize.
 


Karan

I am a n00b
Messages
1,342
Location
Gurgaon
Edit: I was wrong!
------------------------------------------snip-----------------------------------------------------
Also recommend reading the Citizen Lab report: https://citizenlab.ca/2016/09/tender-confirmed-rights-risk-verifying-netsweeper-bahrain/
Haha! Nicely done, you basically found all the details that led me to this as well. It was the Citizen Lab report that actually gave me the name of the company that has developed the tech, Netsweeper. I was just being too lazy to publish my full findings. :p

The interesting part is, earlier, the airtel URL was basically the same and did include further details like your IP, your DSL user ID and even the location of the server, Mumbai! They seem to have truncated it, a bit. But it was indeed the "dpruleid" "dpid" etc that led me down this rabbit hole.
 

apuw

Member
Messages
72
The interesting part is, earlier, the airtel URL was basically the same and did include further details like your IP, your DSL user ID and even the location of the server, Mumbai!
@Karan They still do, even as I was looking at the Airtel DOT iframe I got all the URL parameters for the site with the server being Chennai. But they do so intermittently and infrequently.
 

Karan

I am a n00b
Messages
1,342
Location
Gurgaon
Oh, I see. I have gotten so used to it, I actually have the iframe blocked by adblock so haven't paid much attention to it of late. Whenever the page loads blank, I assume it is the block page, I turn on my proxy and browse the blocked webpage. :p
 

apuw

Member
Messages
72
@Karan That isn't really useful though is it? At least without blocking it with adblock you actually know if the website is blocked by Airtel.


@Sushubh Is quoting the last message blocked? Why so?
 
