Hello,

I noticed that Cloudflare sub CA is issuing certificates with 
"Cloudflare, Inc." in the subject to websites using their web proxy 
(example https://crt.sh/?id=5759164956).

I think that this is quite misleading. A user visiting the website of a 
fake shop could check the certificate and if they don't know what 
Cloudflare is, they could believe that the shop is operated by an existing 
company registered in the US and therefore trust the (fake) shop.

A user on a phishing site targeting Cloudflare could check the certificate, 
see Cloudflare in the subject and believe it to be an official Cloudflare 
website.

A user using a website that is using Cloudflare proxy could check the 
certificate and remember that it has Cloudflare in the subject. Then when 
he is on a phishing website, he will check the certificate subject, 
see the same value and believe it to be operated by the same entity and 
enter his credentials.

I think that either the subject field should be more restricted to only 
allow entering details of the end owner/operator of the website, or the various 
recommendations explaining how to check certificate details to assess 
whether a website is trustworthy should be changed.

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/34511f67-0167-4039-8ef7-bc80b45b4a88n%40mozilla.org.