If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.
If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP:
curl http://www.digiboy.ir/boobs.jpg -v
Wow. The screenshot had the IP address exactly where I placed my finger to scroll, and iOS Safari briefly opened a popup window where it started connecting to that IP.
Fuck this shit, I’m moving to a hovel in the woods.
How's this work with https like in the example? The hops along the way shouldn't see the path.
Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.
Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
I wonder if this could be broadened to a list of Wikipedia links to humanitarian content folks in repressed regimes are or might get blocked from. Tiananmen Square [1]. Wen Jiabao's staggering corruption [2]. Epstein's e-mails [3]. Et cetera.
Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.
A long time ago, my friends and I found a "scary"-looking image, written in a mixture of English and Arabic, warning the viewer that they'd come afoul of ... I forget, some Iranian government department of censorship?
Naturally, we made it so that 1% of the requests to a forum we ran at the time displayed it to the viewer. :)
19 comments
[ 1.9 ms ] story [ 40.4 ms ] threadIt's behind CF
I really want to know what's on the webpage for the iframe.
Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)
(example: Cloudflare in Flexible mode)
If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.
If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v
Fuck this shit, I’m moving to a hovel in the woods.
Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.
Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?
Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.
[1] https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests...
[2] https://www.nytimes.com/2012/10/26/business/global/family-of...
[3] https://jmail.world
-Iran
Naturally, we made it so that 1% of the requests to a forum we ran at the time displayed it to the viewer. :)