On 17/09/16 16:38, Florian Weimer wrote:
> * Peter Bowen:
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com>
>> wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare 
>>> have the privilege to issue the certificate by default? Can I 
>>> understand like that?
>> I would guess that they have a clause in their terms of service or 
>> customer agreement that says they can update records in the DNS 
>> zone and/or calls out that the subscriber consents to them getting
>> a certificate for any domain name hosted on CloudFlare DNS.
> I find it difficult to believe that the policies permit Cloudflare's 
> behavior, but are expected to prevent the issue of interception 
> certificates.  Aren't they rather similar, structurally?

I don't see how they're similar. Interception certificates are issued
without the knowledge and permission of the domain owner. Someone
signing up for CloudFlare willingly chooses to trust a CDN provider with
all their web traffic and DNS (in order to enable CloudFlare for a
domain, the NS record for that domain needs to point to CloudFlare.)

I could understand this argument if they'd somehow pretend to be a
DNS-only provider and then abuse that to issue certificates. However,
nothing about their site (or their marketing approach in general) gives
me that impression - it's made quite clear that they're primarily a CDN
with SSL support.
dev-security-policy mailing list

Reply via email to