On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote:
> On 12/09/16 18:57, Jakob Bohm wrote:
> > On 11/09/2016 07:49, Peter Bowen wrote:
> >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> >>> So when I delegated the DNS service to Cloudflare, Cloudflare has the privilege to issue the certificate by default? Can I understand it like that?
> >>
> >> I would guess that they have a clause in their terms of service or customer agreement that says they can update records in the DNS zone and/or calls out that the subscriber consents to them getting a certificate for any domain name hosted on CloudFlare DNS.
> >
> > This seems another reason for the web to not trust Cloudflare as a trustworthy domain proxy handler.
> >
> > Just because their (paid, presumably) job gives them the technical ability to request certificates without the consent of the domain owner, this does not give them any legitimate right to do so.
>
> Hi Jakob. Do you find any fault with Comodo for issuing this cert (https://crt.sh/?id=31206531)?
>
> We validated domain control, but we did not attempt to establish "the consent of the domain owner"(s) directly. As others have pointed out, this is compliant with the CABForum BRs.
Are you able, by any chance, to reveal whether the domain control was validated by HTTP request, DNS change, or "other" (please specify <grin>)?

At present, it looks like every domain listed in that certificate *other* than the domain at issue (bupt.moe) resolves to Cloudflare IP space, so my working theory is that the domain was previously pointed to a Cloudflare proxy, and has since been moved elsewhere. However, it would be nice, for my peace of mind at least, to know how control was validated in this instance, if that's something you're able to share (I understand you reasonably might not be able to, and if so, no problem).

If Cloudflare *was*, in fact, obtaining certificates on behalf of all its DNS-using (only) customers on the "off chance" that they might want to use their proxy services in the future, that would be extremely creepy and unpleasant, but so far I don't think there's enough evidence to be able to say such a thing is happening at present. It seems far more likely that bupt.moe was a Cloudflare proxy customer (if only for a *very* brief time), the certificate was issued for that purpose, and now the domain has been pointed elsewhere, and the name is just hanging around in a cert which will expire in six months or so.

- Matt

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
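The check Matt describes above, resolving each name in a certificate's SAN list and comparing the answers with the proxy's address space to spot names that have moved elsewhere, as an added example that is not code from this thread, Comodo or Cloudflare. The address ranges and DNS answers are constructed samples (not Cloudflare's published list), and every name other than bupt.moe is a placeholder.

```python
"""Audit a certificate's SAN names against a proxy provider's IP space.

Names still pointing at the proxy are expected; names that now resolve
elsewhere (or not at all) sit in a cert whose key the proxy holds, and
are the ones a domain owner or CA would want to look at.
"""
import ipaddress

# Constructed sample ranges standing in for the proxy's published
# address space (illustrative placeholders, not the provider's real list).
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed DNS answers (name -> A records). A real audit would query
# DNS for each SAN; embedding answers keeps the example offline.
SAMPLE_DNS = {
    "bupt.moe": ["192.0.2.10"],                      # moved off the proxy
    "alpha.example": ["198.51.100.7", "198.51.100.8"],
    "beta.example": ["203.0.113.4"],
    "gamma.example": ["203.0.113.9", "192.0.2.20"],  # partly off the proxy
    "delta.example": [],                             # no longer resolves
}


def in_proxy_space(ip, ranges):
    """True if the address falls inside any of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_san(name, answers, ranges):
    """Return 'proxy', 'moved', 'mixed' or 'unresolved' for one SAN name."""
    if not answers:
        return "unresolved"
    hits = [in_proxy_space(ip, ranges) for ip in answers]
    if all(hits):
        return "proxy"
    if not any(hits):
        return "moved"
    return "mixed"


def audit_cert_sans(san_names, dns, ranges=PROXY_RANGES):
    """Map every SAN in the certificate to its classification."""
    return {name: classify_san(name, dns.get(name, []), ranges) for name in san_names}


def names_needing_attention(report):
    """SANs whose current DNS no longer fully points at the key holder."""
    return sorted(n for n, status in report.items() if status != "proxy")


if __name__ == "__main__":
    report = audit_cert_sans(list(SAMPLE_DNS), SAMPLE_DNS)
    for name, status in sorted(report.items()):
        print(f"{name:16} {status}")
    print("needs attention:", names_needing_attention(report))
```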

