Note: This is largely due to the work done by @captn3m0 and @shantanugoel. I’m merely writing this because they are too lazy to.

TL;DR — Airtel is sniffing and intercepting ALL unencrypted traffic going upstream from CloudFlare’s India data centres, irrespective of what ISP the user is on. This potentially affects everyone in India accessing ANY of the 2 million+ sites on CloudFlare.

It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to http://airtel.in/dot, which is a notice saying that the site is blocked as per the Department of Telecom’s orders.

This is fairly routine: there are a ton of sites blocked in India without explanation, and it’s very common to find vague notices like this.

But this one was particularly interesting for a couple of reasons. Firstly, we noticed that this was happening on an HTTPS page, with a valid certificate.

We hit https://thepiratebay.org via a VPN and it loaded fine, and we confirmed that the certificate for CloudFlare was the same and valid.

So Airtel couldn’t have changed the page to show that notice, unless they had CloudFlare’s certificates, which was super unlikely, and in any case we ruled this out since the exact same page was shown to people on non-Airtel networks as well, with a link to Airtel’s notice.
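The two checks described above (does the HTTPS page carry a frame pointing at an ISP block notice, and does the same certificate and body come back over a VPN) can be scripted. This is an added example, not code from the post or its authors; the sample page bodies are constructed, and the certificate fingerprints are placeholder strings standing in for the leaf certificate's SHA-256 from each fetch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a blank page with an iframe to Airtel's DoT notice, as seen in the post.
BLOCKED_BODY = ('<html><body>'
                '<iframe src="http://airtel.in/dot" width="100%" height="100%"></iframe>'
                '</body></html>')
# Constructed sample: the same page fetched over a VPN, with no injected frame.
CLEAN_BODY = '<html><body><h1>Search torrents</h1></body></html>'

BLOCK_NOTICE_HOSTS = {"airtel.in"}  # hosts known to serve ISP block pages


class _FrameCollector(HTMLParser):
    """Collects the src of every <iframe>/<frame> in a page body."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.frames.append(src)


def injected_frames(html, page_host):
    """Return frame srcs that point at a known block-notice host, or off the page's own
    host over plain HTTP. Either is a sign that someone other than the origin added it."""
    collector = _FrameCollector()
    collector.feed(html)
    hits = []
    for src in collector.frames:
        u = urlparse(src)
        host = (u.hostname or "").lower()
        if host in BLOCK_NOTICE_HOSTS or (u.scheme == "http" and host and host != page_host):
            hits.append(src)
    return hits


def locate_injection(direct, via_vpn, page_host):
    """Compare a direct fetch and a VPN fetch of the same HTTPS page, each given as a
    (leaf certificate fingerprint, body) pair, and say where the injection plausibly sits."""
    fp_direct, body_direct = direct
    fp_vpn, body_vpn = via_vpn
    if fp_direct != fp_vpn:
        return "tls-interception"      # a different cert on the direct path: local MITM
    direct_hit = bool(injected_frames(body_direct, page_host))
    vpn_hit = bool(injected_frames(body_vpn, page_host))
    if direct_hit and vpn_hit:
        return "upstream-of-cdn"       # same cert, same injected body on every path
    if direct_hit:
        return "cdn-path-dependent"    # same cert, but the CDN served a different body
    return "none"
```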

One possibility: Is CloudFlare itself serving the notice?

Since this wasn’t specific to Airtel’s network, but was happening to everyone across India, we figured that maybe CloudFlare itself was blocking it. This would explain why it was served over a valid HTTPS connection.

On the other hand, are there any legal grounds for the Department of Telecom to ask CloudFlare to block anything? They aren’t an ISP.

Moreover, why would they embed an iframe that links to Airtel’s block message?

That seemed unlikely.