In cases like this, where the upstream of some of Cloudflare's servers is known to be non-transparent (dropping or modifying data going through it), couldn't they tunnel everything to Cloudflare servers with a working upstream, and connect to the origin servers from there? They would still benefit from caching near the users, while avoiding the broken upstream.
The lesson learnt from this fiasco is that CF can't trust its upstream ISPs, so tunneling traffic over to another ISP in a different geo adds additional overhead without actually solving the problem.
The right approach to fix upstream MITM is to drop the HTTP+HTTPS mix-and-match mode.