Hacker News

losvedir, yesterday at 10:34 PM (4 replies)

How's this work with https like in the example? The hops along the way shouldn't see the path.

Is this implying that all TLS is terminated at the Iran border and proxied from there? And all Iranian sites are required to host via http? That has significantly more implications than what this post is about.

Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?


Replies

tgma, yesterday at 11:09 PM

This is referring to something else: to detect whether the backend server host itself is inside or outside Iran. TLS doesn't prevent the backend network from reading the URL of course.

SahAssar, yesterday at 11:42 PM

A lot of CF upstreams are (or at least used to be) plaintext. It is one of the criticisms of CF since it "whitewashed" plaintext to look like proper TLS when it was only TLS for client<->CF and then plaintext for CF<->server.

bobmcnamara, yesterday at 11:24 PM

> Is this implying that all TLS is terminated at the Iran border and proxied from there?

Yeah, the law-abiding type on the Iranian National Information Network (NIN), either using the Electronic Commerce Council's I.R.Iran CA for HTTPS or just HTTP.

> Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?

Due to NIN registrations being very much not anonymous, https://xkcd.com/538/ seems pretty appropriate if you want to use an unapproved certificate authority.