Re: Cerificate Concern about Cloudflare's DNS

Mon, 12 Sep 2016 11:07:30 -0700 

On 11/09/2016 07:49, Peter Bowen wrote:

On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <[email protected]> wrote:

So when I delegated the DNS service to Cloudflare, Cloudflare have the 
privilege to issue the certificate by default? Can I understand like that?


I would guess that they have a clause in their terms of service or
customer agreement that says they can update records in the DNS zone
and/or calls out that the subscriber consents to them getting a
certificate for any domain name hosted on CloudFlare DNS.



This seems another reason for the web to not trust cloudflare as a
trustworthy domain proxy handler.

Just because their (paid, presumably) job gives them the technical
ability to requests certificates without the consent of the domain
owner, this does not given them any legitimate right to do so.

Just because a (non-negotiable, presumably) set of "terms of service"
contains a clause to allow them to obtain necessary certificates for
customers hosting HTTPS on their shared proxy, does not given them any
legitimate (even if legal) right to obtain such certificates for those
customer domains where HTTPS hosting has not been requested by the
customer.

CA policies and BR requirements should reflect that occasionally a
person or company acting on behalf of another entity might request
certificates against the will of the legitimate entity, and that the
legitimate entity might thus need to request revocation on a first
party basis, regardless what a third party may have done in their
name.

P.S.

Those of us who run white-list based security plugins in Mozilla-
derived browsers are already faced with the frequent need to guess if a
"number-url" under cloudflare's own domains represents a proxy cache of
a trustworthy site or not.  If cloudflare itself starts to play fast
and loose with the identity of the proxied domains, that becomes a
security concern in itself, unrelated to CA inclusion policy.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy























					Reply via email to