Hacker News

“Boobs check” – Technique to verify if sites behind CDN are hosted in Iran

225 points | by defly | yesterday at 8:54 PM | 77 comments

https://xcancel.com/hkashfi/status/1995109785679573167


Comments

vivzkestrel | today at 3:12 AM

I am probably a little dumb; I read the article but don't understand what happened. Can some HNer kindly explain?

shishcat | yesterday at 9:58 PM

This behavior only works when the reverse proxy or CDN is configured like this:

Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)

(example: Cloudflare in Flexible mode)

If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.

If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v

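One way to check an origin you operate for the condition shishcat describes, as an added example that is not part of the thread or of any commenter's post. The function names and the loopback placeholder address are assumptions made here; the probe reports what the origin offers, not which upstream mode the CDN is actually set to.

```python
import socket
import ssl


def probe_port(host, port, timeout=3.0):
    """Classify one origin port as 'tls', 'no-tls' or 'closed'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Certificate verification is off on purpose: per the comment, even a
    # self-signed certificate encrypts the CDN-to-origin leg.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except (ssl.SSLError, OSError):
        # Open port that does not complete a TLS handshake (plain HTTP,
        # reset, or handshake timeout).
        raw.close()
        return "no-tls"


def audit_origin(host, http_port=80, https_port=443, timeout=3.0):
    """Report whether a CDN could reach this origin over TLS at all."""
    http = probe_port(host, http_port, timeout)
    https = probe_port(host, https_port, timeout)
    if https == "tls":
        verdict = "encrypted upstream possible"
        if http == "no-tls":
            verdict += "; plaintext listener also open"
    elif http == "closed" and https == "closed":
        verdict = "no web listener reachable"
    else:
        # Nothing on this origin speaks TLS, so a CDN in front of it can
        # only use a cleartext upstream (e.g. Cloudflare Flexible mode).
        verdict = "plaintext upstream only"
    return {"http": http, "https": https, "verdict": verdict}


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder; point this at an origin you operate.
    print(audit_origin("127.0.0.1"))
```

A "plaintext upstream only" verdict means the origin needs a TLS listener before the CDN can be moved off a cleartext upstream mode.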
losvedir | yesterday at 10:34 PM

How's this work with https like in the example? The hops along the way shouldn't see the path.

Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.

Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?

Yokolos | yesterday at 9:58 PM

I'm wondering for what purpose one would be interested in finding out if a site is hosted in Iran or not.

KiranRao0 | yesterday at 9:44 PM

Does anyone have sample sites that return this?

bawolff | today at 1:54 AM

So does this mean 10.x.x.x is publicly routable inside Iran? Why wouldn't the Iranian government just use its own IP space for the censorship message?

JumpCrisscross | yesterday at 11:09 PM

I wonder if this could be broadened to a list of Wikipedia links to humanitarian content folks in repressed regimes are or might get blocked from. Tiananmen Square [1]. Wen Jiabao's staggering corruption [2]. Epstein's e-mails [3]. Et cetera.

Like Netflix launching Fast.com, this would directly weaponise these regimes' censoring tendencies against themselves.

[1] https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests...

[2] https://www.nytimes.com/2012/10/26/business/global/family-of...

[3] https://jmail.world

Aloisius | yesterday at 9:55 PM

So presumably Iran has a reverse proxy in front of the entire internet for HTTP?

I really want to know what's on the webpage for the iframe.

cluckindan | yesterday at 10:33 PM

Wow. The screenshot had the IP address exactly where I placed my finger to scroll, and iOS Safari briefly opened a popup window where it started connecting to that IP.

Fuck this shit, I’m moving to a hovel in the woods.

gnarlouse | yesterday at 11:57 PM

I saw “boobs” so I ran.

-Iran

lovegrenoble | yesterday at 9:52 PM

Why not?