Cloudflare displays security warning when eSafe is installed

At Smoothwall / eSafe we digitally monitor registered sex offenders (PCs, Macs, Android phones), each of which uses a locally installed client/app to monitor. On the PC we use WFP to intercept traffic destined for the browser (MitM type proxy).

On web sites that use Cloudflare it appears that Cloudflare recognizes our client software (MitM) & either blocks access to the site or produces a security message.

We have contacted you before, but as we were not a Cloudflare customer we only progressed so far. The feedback we got was that this has to be resolved by modifying the settings used by the web site to allowlist the eSafe MitM.

I am not sure if this is the full story; as I mentioned above, we could only progress so far, as we were not, at the time, a Cloudflare customer.

We were advised to contact the web sites' hosting companies & get them to modify the Cloudflare settings to allow eSafe. If this is the case, it is, as you can imagine, not a practical or workable solution given the number of web sites using Cloudflare.

What we would ideally like is for Cloudflare to allow/ignore eSafe as a MitM. I can provide the technical information & a copy of the software if needed.

As a security vendor, do you not see any problem with allowing ANY software to do what is effectively (and you’ve correctly described as) a MitM attack globally across all websites, even against the wish of site owners?

Or have you chosen to put on the blinders and damn the consequences… because it’s your software in question?

In any case, I’m not aware Cloudflare takes any specific action against such HTTPS interception proxies, or Monsters in the Middle proxies (as Cloudflare calls them). But many, perhaps most, Cloudflare-protected sites have opted in to present various “challenges” even to human readers – sometimes even blocking every other country except their local country – and allowing your software to bypass all those restrictions specifically put in place by site owners would be a sad event for the Internet.

Just my two cents though: not a Cloudflare employee.

Hi,
Firstly, we are not asking to allow any software to be able to perform a MitM attack, that would negate the benefit of using products like Cloudflare.

Secondly, we are only asking for our software to not be detected as a threat. We are not just any software: we monitor Registered Sex Offenders on behalf of most Police services in the UK. The monitoring of these individuals is specified in a Court Order & is a condition of their terms of release into the public domain.

Thirdly, I doubt if there are any web sites that would want to prevent us monitoring these convicted sex offenders while still allowing them to browse their web sites without interference, or in some cases not allowing access at all.

I await your considered response to the points above.

Can you share what hard evidence you have to say your software is specifically detected as a threat – other than being challenged generally (as any other user agent would be)?

At best, Cloudflare may be detecting the MitM activity. But it is (and should be) the site owner’s sole right and responsibility to decide whether to block such activity or not… imho.

:smiley:

In any case, I don’t believe this is something that can be handled – if at all – in the community support forum. This may be something to take up at the corporate level. But then again, I wouldn’t hold my breath to a security vendor overriding a customer’s configured security setup to allow a 3rd-party software to do its work – even if it’s to save the planet.

Hi,
Given the nature of what we do, we are not legally allowed to divulge information to non-partners.

However, I can give an overview of what we have found.

  1. The simplest & most obvious: when our software is installed on a device the user is presented with a security warning when the site is using Cloudflare. This may allow the user to continue by accepting the warning, or it prevents them completely from accessing the site. If eSafe is disabled then there is no issue accessing the site.

  2. On a more technical level: our development team have identified that this is due to a response from Cloudflare & contacted them, previously, to ask if it was possible for us to add / change our code bases to work round this issue. The response from Cloudflare was that without adding some form of exception in their code it was not possible.

Whilst we understand & have a level of agreement that it is ultimately up to the web site owners, it is not practical or realistic to contact all the sites using Cloudflare (now & in the future) & get them to make a change.

The MITM is just on the device to allow you to proxy (and thus decrypt) from any site I assume.

As @GeorgeAppiah says, it’s therefore likely you have a challenge from Cloudflare, rather than a security warning. That challenge is either because your proxy IP address has a low reputation score and Cloudflare users’ security levels trigger the challenge, or because your ASN is from a cloud provider that a lot of Cloudflare users block or challenge, as it is home to lots of bots.

I have a tool almost ready that will test and show you details of this.

Either way, I’m not sure Cloudflare bypassing those customer rules, or asking Cloudflare customers to do it themselves, with a pitch that it is to allow sex offenders to bypass their security to access their site is a good one.

If there is actually a security warning, can you post a screenshot?

The MitM is to intercept & analyse the Internet content of text, images & videos that the user watches/reads for content that is outside of their Court order. It actually uses WFP.

The image below is typical of what is reported.

That block page is likely from the site’s own settings.

Can you get to this page?
https://cf.sjr.org.uk/tools/connection

If not, can you give the ray ID so I can look at why (the site has a number of protections, so it’s possible you will trigger them).

If you can, then it can’t be a Cloudflare-wide policy.

Hi,
Thanks for spending your time with this.
Yes, I can access the site (cf.sjr.org.uk :: Cloudflare Things) & it shows our certificate, as replaced by our software during inspection.

Cloudflare itself is not detecting or generically blocking your tools then (and that site is using Cloudflare with a security level of high). So any Cloudflare sites that can’t be reached are unreachable because their users have actively blocked your request using a setting in their account or a rule of their own.

Not sure if your requests come from the client device directly, or you are proxying them through a server, but users could be using IP addresses, ASN, browser user agents, IP reputation/bot scoring, or other Cloudflare WAF features that are causing your requests to be blocked.

You could get a cheap domain, set up a free Cloudflare account and poke around for yourself to find what settings users may be using that are causing them to block your requests.
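The distinction the replies above draw (a TLS warning from the local interceptor, a challenge triggered by a site's own rules, a site-owner block) can be checked from what the client actually receives. The following is an added example, not code from the thread or from eSafe/Cloudflare: it classifies a response by status and the real Cloudflare response headers `cf-ray` and `cf-mitigated: challenge`, using constructed sample responses and a constructed ray id.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample ray id for the examples below (not a value from the thread).
SAMPLE_RAY = "0123456789abcdef-LHR"


@dataclass
class Verdict:
    kind: str              # tls_error | not_cloudflare | challenge | blocked | passed
    ray_id: Optional[str]  # cf-ray value: the id a site owner needs to look the event up
    note: str


def classify(status: Optional[int], headers: Optional[dict]) -> Verdict:
    """Decide what a request to a Cloudflare-fronted site actually ran into."""
    # No HTTP response at all: the TLS handshake failed before any request reached
    # Cloudflare. A local interception proxy that swaps the server certificate
    # produces exactly this kind of browser warning; no Cloudflare rule is involved.
    if status is None or headers is None:
        return Verdict("tls_error", None, "no HTTP response: failure is in the TLS handshake")
    h = {k.lower(): v for k, v in headers.items()}
    ray = h.get("cf-ray")
    if ray is None:
        return Verdict("not_cloudflare", None, "no cf-ray header: response did not pass through Cloudflare")
    # Cloudflare marks managed/JS/interactive challenge pages with cf-mitigated: challenge.
    if h.get("cf-mitigated", "").lower() == "challenge":
        return Verdict("challenge", ray, "challenge from a site-configured rule (security level, IP reputation, ASN, bot score)")
    # A plain 403 behind cf-ray is usually a site-owner WAF/firewall rule, but could also be
    # the origin's own 403; the ray id lets the site owner tell which from their logs.
    if status == 403:
        return Verdict("blocked", ray, "403 behind Cloudflare: quote the ray id to the site owner")
    return Verdict("passed", ray, f"served through Cloudflare with status {status}")


# Constructed responses standing in for what an eSafe-equipped client might see.
SAMPLES = {
    "tls_warning": (None, None),
    "challenged":  (403, {"CF-RAY": SAMPLE_RAY, "cf-mitigated": "challenge", "Server": "cloudflare"}),
    "blocked":     (403, {"cf-ray": SAMPLE_RAY, "Server": "cloudflare"}),
    "ok":          (200, {"cf-ray": SAMPLE_RAY, "Server": "cloudflare"}),
    "origin_only": (200, {"Server": "nginx"}),
}


def triage(samples=SAMPLES) -> dict:
    """Return {name: kind} so the sample cases can be compared side by side."""
    return {name: classify(status, headers).kind for name, (status, headers) in samples.items()}
```

Only the `challenge` and `blocked` outcomes are something a site owner can change; `tls_error` is produced on the device before Cloudflare is ever reached.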


Since you can access @sjr’s website it’s not Cloudflare that’s blocking the requests, rather it’s the website operators. I’m going to take a stab that since the behavior changes when the software is enabled vs. disabled you’re not ‘just’ performing a MitM on the local machine but are routing that traffic through your own egress points. It’s entirely possible that website operators are blocking those egress points for a number of reasons.

  1. Threat score… it might be possible that the traffic from those IPs is, across the Cloudflare network, seen as more malicious or untrustworthy than it would be coming from the user’s own machine.

  2. ASN… many website operators block traffic from datacenter providers because end users don’t tend to plug their PCs into a datacenter port, but scraping and other malicious bots like DCs very much.

If that is how the software does operate, there’s not anything Cloudflare itself could do. It provides tools to website operators who choose how to configure them to protect their sites from unwanted traffic and/or abuse.

You could advertise your own ASN from these datacenters to potentially get around the second issue, but if there’s a large amount of malicious traffic coming from those IPs (first issue) it may still be limited by sites which block or challenge IPs with low reputation.

Thanks again for any / all feedback; it is much appreciated.

We do not route any traffic; the client software just uses WFP to intercept & analyse the content. All this is performed on the device itself.

It does behave like a proxy (replaces certs, etc) but no routing occurs.

Any unsuitable content that is found is uploaded to our servers by a completely separate mechanism which is unaffected.
