New Delhi: Airtel, one of India’s leading telecom service providers, is spying on the traffic of millions of web users in the country. This has been revealed through a report by a leading tech website, Medium.
The report said that Airtel is snooping on traffic that is routed through CloudFlare, putting at risk the privacy of millions of web users, including those who don't even use Airtel services.
"Airtel is sniffing and intercepting ALL unencrypted traffic going upstream from CloudFlare's India data centres, irrespective of what ISP the user is on. This potentially affects everyone in India accessing ANY of the 2 million+ sites on CloudFlare," Karthik Balakrishnan wrote on Medium.com.
Balakrishnan, who is also an activist with the SaveTheInternet group, reached the conclusion after tests carried out by him and his friends while they were trying to access the PirateBay website.
“It started when we discovered that The Pirate Bay was showing a blank page and was attempting to load an iframe to http://airtel.in/dot, which is a notice saying that the site is blocked as per the Department of Telecom’s orders,” the report said.
“This is fairly routine, there are a ton of sites blocked in India without explanation, and it’s very common to find vague notices like this. But this one was particularly interesting for a couple of reasons, firstly, we noticed that this was happening on a HTTPS page, with a valid certificate,” it said.
“Airtel was treating CloudFlare just like any other user, and censoring some pages to them. CloudFlare was undergoing a Man-in-the-middle attack by Airtel and didn't even know it,” Karthik wrote.
Pointing out the implications of Airtel’s actions, Karthik wrote, “Airtel is sniffing traffic of ALL of CloudFlare’s websites that don’t have Full SSL enabled (which is the default setting on CloudFlare).”
“All Indian users, even if they are not on Airtel’s network, who access any of 2 million+ websites on CloudFlare have their traffic inspected and sniffed by Airtel,” he added.
CloudFlare has acknowledged that the analysis by Karthik’s team is largely accurate and has claimed that “there are no security flaws on its side”, according to a post by The Register.
Airtel responded to the allegation by calling it “baseless & incorrect”.
“This is completely baseless & incorrect. As a policy, Airtel does not block/sniff any content. Only in the case of instructions/orders from the Government or the Courts, specified URLs are blocked. Blocking of any page [as per instructions from relevant authorities] is done at the URL level and not whether it is http/https. This also has nothing to do with the validity of any certificate,” Airtel said in a statement.