<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/>
<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>
<iframe src="http://{isp-ip}:8080/webadmin/deny/index.php?dpid=1&dpruleid=3&cat={some-id}&ttl=0&groupname=-&policyname=-&username=-&userip={my-ip}8&connectionip=127.0.0.1&nsphostname=Policy03-Chennai&protocol=policyprocessor&dplanguage=-&url=http%3a%2f%2fthepiratebay%2ese%2f" width="100%" height="100%" frameborder=0></iframe>
Here {isp-ip} belongs to my ISP, Airtel (it falls inside the IP range 182.64.0.0 - 182.79.255.255, which belongs to them). The certificate returned for thepiratebay.se (belonging to Cloudflare) was in perfect order, so how could my ISP MITM this connection? Just to be sure that this is indeed an MITM, I checked this URL on the wayback machine, and this is what I got: http://imgur.com/77tbMqy. Nothing wrong here, no trace of the above code.
Here's the certificate that is returned to me: https://gist.github.com/anonymous/f01e495cf89de7c72684ebb368cac81b
The cipher suite used is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Is one of Cloudflare or Pirate Bay acting in connivance with Airtel to return the strange response above?
Assuming that's not the case, what else could have happened? A closer look at the certificate reveals a lot of DNS names under the certificate subject alt name:
Not Critical
DNS Name: sni33780.cloudflaressl.com
DNS Name: *.beeeeer.org
DNS Name: *.durst.io
DNS Name: *.messedupquotes.com
DNS Name: *.ohhai.xyz
DNS Name: *.thepiratebay.se
...
(see the certificate above for the complete list) If my ISP controls one of the domains in this list, could it have carried out a successful attack without Cloudflare's help?
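As an added example (not part of the original question, and not Cloudflare's or the asker's code), the script below parses the "DNS Name:" dump quoted above and applies the RFC 6125 dNSName matching rules, so you can see concretely which hostnames this one shared certificate is valid for. The SAN excerpt is the one shown in the question (the full list is longer); the function names and the hostnames tried at the bottom are assumptions made for the example.

```python
"""Which hostnames does a certificate's Subject Alternative Name list cover?

Added example: pure-stdlib implementation of the RFC 6125 section 6.4.3
dNSName matching rules, applied to the SAN excerpt quoted in the question.
"""
from typing import List

# SAN excerpt exactly as quoted in the question (the real list is longer).
SAN_TEXT = """\
Not Critical
DNS Name: sni33780.cloudflaressl.com
DNS Name: *.beeeeer.org
DNS Name: *.durst.io
DNS Name: *.messedupquotes.com
DNS Name: *.ohhai.xyz
DNS Name: *.thepiratebay.se
"""


def parse_dns_names(text: str) -> List[str]:
    """Extract the dNSName values from a 'DNS Name: ...' style dump."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dns name:"):
            names.append(line.split(":", 1)[1].strip().lower())
    return names


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname (RFC 6125 rules).

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire leftmost label ('*.example.com')
      and not directly under a top-level domain ('*.com' is rejected)
    - the wildcard stands for exactly one label, so '*.example.com' matches
      'www.example.com' but neither 'example.com' nor 'a.b.example.com'
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "" in hostname.split("."):
        return False  # empty or malformed hostname
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label only
    if len(p_labels) < 3:
        return False  # refuse '*.tld'
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def covering_names(hostname: str, san_names: List[str]) -> List[str]:
    """Return every SAN entry that makes the certificate valid for hostname."""
    return [n for n in san_names if dns_name_matches(n, hostname)]


def cert_valid_for(hostname: str, san_text: str = SAN_TEXT) -> bool:
    """True if at least one dNSName in san_text covers hostname."""
    return bool(covering_names(hostname, parse_dns_names(san_text)))


if __name__ == "__main__":
    names = parse_dns_names(SAN_TEXT)
    # Hostnames chosen for illustration; they are not from the question.
    for host in ("www.thepiratebay.se", "thepiratebay.se",
                 "a.b.thepiratebay.se", "SNI33780.cloudflaressl.com",
                 "cloudflaressl.com", "evil.ohhai.xyz"):
        print(f"{host:30} -> {covering_names(host, names)}")
```

What the script makes concrete: every name in the list is covered by the same single key pair, so the certificate is equally valid for all of them, and validity is decided purely by name matching, never by who registered the domain. It also shows a detail that is easy to miss when reading a SAN dump by eye: the wildcard `*.thepiratebay.se` covers `www.thepiratebay.se` but not the bare `thepiratebay.se`, which would need its own entry. When investigating an unexpected page like the one above, run the same matching against the exact hostname the browser connected to before drawing conclusions about the certificate.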