January 25, 2021

Cloudflare is now Issuing – and Refusing to Revoke – Certificates without Domain Owners’ Consent

[https://community.cloudflare.com/t/revoke-and-prevent-the-issuing-of-certificates/235478/24](https://community.cloudflare.com/t/revoke-and-prevent-the-issuing-of-certificates/235478/24)

@btdig:

So, the resume is: unlike all the other SSL-certificates, those issued by Cloudflare during the onboarding process are not revocable because there is a Catch-22: DigiCert requires a private key to do the revocation (assuming the domain owner has it), which Cloudflare prefers to “keep safe” from its users.

When Cloudflare kicks a website (what will be the next after DailyStormer? likely Gab), it is able to do man-in-the-middle into SSL traffic for many months after the divorce.

If after the divorce Cloudflare still has private keys, that means that the keys are compromised: Cloudflare becomes an unauthorized (and likely malignant in case of forceful divorce) party which has the private keys. It is a serious security issue.

@matthew.mtw:

The thing with Cloudflare is there is no way to revoke SSL once you leave.

It is not acceptable for Cloudflare to have a valid cert to a website with no way of getting it revoked. As Cloudflare is getting themselves set as the default DOH provider, they have the power to redirect my site’s traffic which has not used the service in months and have a valid cert for it.
