On Thu, Nov 03, 2016 at 03:39:11PM -0700, gerhard.tin...@gmail.com wrote:
> On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote:
> > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote:
> > > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As
> > > cloudflare does not state anywhere that they issue certificates when SSL
> > > and CDN features are explicitly switched off from the beginning.
> >
> > They do state it: in a blog post from 2014. They appear to believe this is
> > sufficient notice.
>
> Well, a blog post is not a TOS or a security policy. But maybe in some far
> away country it is accepted. Anyway, can you send me the link to that
> post??

https://blog.cloudflare.com/introducing-universal-ssl/

> > > 1. trust issue: Cloudflare issues certificates without asking permission
> > > or stating it in TOS or elsewhere. Doing so when in DNS-only mode appears
> > > to me illegal.
> >
> > Illegal? In which jurisdiction(s)?
>
> Well, if you buy a VPS and the provider creates a certificate by
> validating by adding content to your webserver, ... we would agree that
> this is wrong, right?

It would depend on the circumstances. However, that is not what happened.

> But when I get a service to host MY DNS entries, it
> is fine if the provider manipulates them without my knowledge? ... But I
> have noticed that in some countries the understanding of legal and illegal
> is different. Sad.

Which country or countries (or other legal jurisdiction) has an understanding
that Cloudflare's behaviour as described in this thread is illegal? You've
made a fairly specific claim, I would be interested to see the rationale for
it.

> > > 2. trust issue: Cloudflare modifies the DNS entries to validate without
> > > consent of the domain owner or account holder. Again, no mention of it in
> > > TOS or anywhere else. So the modification is not permitted in DNS-only
> > > mode.
> >
> > So go tell Cloudflare. Take your business elsewhere.
>
> I understand, go and just live with a certificate that is issued without
> my permission. It seems that CT is useless if no actions are taken on
> wrong behaviour.

There are actions taken for wrong behaviour. It's just that not every wrong
behaviour results in the same action. I'm actually interested in what
specific action you think should be taken here, and how keeping on about it
on this list will help that action to occur. Please, state exactly what you
think should be done.

> > There is no need to keep banging on about it on this list. Everyone here
> > knows what Cloudflare is doing, they have their opinion of it, and as a
> > group this list can do nothing about it.
> >
> > > But from the moment on when the CA (Comodo) is informed about this shady
> > > behavior by multiple domain owners / account owners, Comodo should start
> > > acting.
> >
> > As the Wikipedians say: "Citation Needed".
> >
> > - Matt
>
> Still sad that wrong behaviour of companies that trick CAs into issuing
> certificates

What trickery was involved with the CA? Comodo requires proof of control
over the domain to issue a certificate. $DEITY knows there are enough
perfectly legitimate reasons to look askance at Comodo, but this isn't one of
them. Cloudflare demonstrated the required domain control to Comodo, because
YOU GAVE CONTROL TO CLOUDFLARE.

Cloudflare may well have acted in bad faith, by taking an action you deemed
unexpected or illegitimate, however that isn't something that a browser
vendor or root store program can do anything about.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
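The situation argued over above (a certificate covering a domain you own, issued by a CA you did not choose, visible only because it was logged to CT) is exactly what a domain owner's CT monitoring should catch. The following is an added example, not code from the thread or from any CT service: it scans constructed CT records (the field names, domain names and issuer strings are made up for illustration and do not mirror any real API) and flags certificates for your domain from issuers outside your allow-list.

```python
"""Flag CT records that cover a domain you own but come from an unexpected issuer.
Added example; the records below are constructed, not real CT log entries."""
import json

# Constructed sample records for the hypothetical domain example.test.
CT_RECORDS = json.dumps([
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["example.test", "www.example.test"],
     "not_before": "2016-10-01T00:00:00"},
    {"issuer": "C=GB, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA 2",
     "names": ["sni12345.cdn-shared.example", "*.example.test", "example.test"],
     "not_before": "2016-11-02T09:15:00"},
    {"issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["unrelated.test"],
     "not_before": "2016-11-03T00:00:00"},
])


def covers(name, domain):
    """True if a certificate name (wildcard included) is the domain or lies under it."""
    n = name.lower()
    return n == domain or n.endswith("." + domain)


def issuer_org(dn):
    """Extract the O= attribute from a comma-separated issuer DN; fall back to the whole DN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return dn


def unexpected_issuance(records_json, domain, trusted_issuers):
    """Return the records naming `domain` (or a name under it) whose issuer O= is not trusted."""
    domain = domain.lower()
    findings = []
    for rec in json.loads(records_json):
        hits = [n for n in rec["names"] if covers(n, domain)]
        if not hits:
            continue  # certificate is for someone else's namespace
        org = issuer_org(rec["issuer"])
        if org not in trusted_issuers:
            findings.append({"issuer_org": org, "names": hits, "not_before": rec["not_before"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_issuance(CT_RECORDS, "example.test", {"Let's Encrypt"}):
        print("ALERT: %s issued for %s on %s" % (f["issuer_org"], f["names"], f["not_before"]))
```

Feeding this real CT search output is a matter of mapping that service's fields onto `issuer`, `names` and `not_before`; the alert is the point at which the domain owner, not the CA, has to act.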