Technique to verify whether a site behind CDN is hosted in Iran
Hamid Kashfi shared this on X.
The post reads:
Let me introduce you to my most novel and oldest technique to verify if sites behind a CDN are hosted inside Iran or not. Works most of the time. I call it the BOOBS CHECK.
curl -i https://domain/boobs.jpg
If your response is a 403 with 10.10.34.x IP in body, you're landing inside IR. Result of basic censorship filtering applied on traffic.
So the triggering word is boobs or boobs.jpg? More triggering words are needed!
And what if the traffic between the CDN and the origin server is encrypted with HTTPS, too?
For plaintext HTTP, I would agree with the method of putting a censored keyword in the path. This definitely works. However, the post suggests that HTTPS is used with curl, and that does not really make sense to me.
When using TLS, censors typically inspect the Server Name Indication (SNI) extension in the ClientHello (domain in this example) and make a censoring decision based on that. The HTTP request (and path) is encrypted afterwards and cannot be used because of that by the censor. Also, the injection of a block page is not possible then.
I am wondering whether this was a typo in the URL and the author meant to put "http" there instead.
No, even if the traffic between the user and the CDN is encrypted, the traffic between the CDN and the origin server may still be in HTTP.
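The signature from the quoted post (a 403 whose body carries a 10.10.34.x address), written as a classifier over saved `curl -i` output; this is an added example, not code from the post or the thread. The function names and the three sample responses are constructed for illustration, and the check matches only that exact signature, so a 403 issued by the CDN itself is not counted.

```python
import ipaddress
import re

# Range named in the post: a 403 whose body mentions a 10.10.34.x address.
FILTER_NET = ipaddress.ip_network("10.10.34.0/24")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_response(raw: bytes):
    """Split raw `curl -i` output into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {status_line!r}")
    return int(parts[1]), body.decode("utf-8", errors="replace")


def filter_addresses(body: str):
    """Return every address in the body that falls inside FILTER_NET."""
    hits = []
    for token in IPV4_RE.findall(body):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # dotted token that is not a valid address
            continue
        if addr in FILTER_NET:
            hits.append(str(addr))
    return hits


def looks_filtered(raw: bytes) -> bool:
    """True only for the signature in the post: 403 plus a 10.10.34.x body."""
    status, body = parse_response(raw)
    return status == 403 and bool(filter_addresses(body))


# Constructed sample responses (not captured traffic).
BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
           b'<html><iframe src="http://10.10.34.1/"></iframe></html>')
CDN_403 = (b"HTTP/1.1 403 Forbidden\r\nServer: example-cdn\r\n\r\n"
           b"Access denied. Edge 110.10.34.7, ref 10.10.340.2")
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\n\r\nno such file, see 10.10.34.9"

if __name__ == "__main__":
    for name, raw in [("blocked", BLOCKED), ("cdn 403", CDN_403), ("404", NOT_FOUND)]:
        print(name, looks_filtered(raw))
```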