The Irrevocable SSL Certificates of Cloudflare

I&#x27;m struggling to understand the mindset in which this seems &quot;corrupt&quot;.<p>The post isn&#x27;t happy that cloudflare offers free DDOS protection, instead they are so upset that using the free level doesn&#x27;t allow you to revoke their certificate for your website that they accuse cloudflare of being corrupt.<p>That&#x27;s grossly unfair to cloudflare. If you didn&#x27;t want them to have a certificate for your website, don&#x27;t give it to them!

I ran into a similarly weird issue with CloudFlare. This post made me check my domain that I recently bought.<p>I bought the domain passkey.exchange through Cloudflare on 12 April and I didn&#x27;t set up ANYTHING on it. No DNS records. Nothing. I didn&#x27;t touch it since<p>Yet. Exactly at the purchase time. 3 certificates where added to the certificate transparency log:<p>2 from LetsEncrypt and one from Google. How?<p><a href="https:&#x2F;&#x2F;crt.sh&#x2F;?q=passkey.exchange" rel="nofollow">https:&#x2F;&#x2F;crt.sh&#x2F;?q=passkey.exchange</a><p>The only explanation that i have is that Cloudflare is doing some kind of integration testing after you buy a domain from them on Google Cloud and LetsEncrypt before giving you the domain.<p>But that means they have some private key somewhere for 90 days. Across two different CAs..<p>Or I have really bad memory. Set up some Infrastructure on Google Cloud and then deprovisioned it again and removed all DNS records.<p>Or I was hacked.<p>It&#x27;s really strange.<p>Edit: digging further it must&#x27;ve been Cloudflare.<p>The google cert has<p>Not Before: Apr 12 22:01:51 2024 GMT<p>My invoice is dated 22:49 UTC. One hour after the cert was issued?

Disclaimer: I’ve been an engineer on various CAs in the past.<p>If you run into this issue, contact the CA directly and not Cloudflare.<p>The CA is required to handle your request within 24 hours. If they do not, that is an incident for the CA.

It&#x27;s not your certificate, it&#x27;s theirs and they&#x27;re letting you use it.<p>The domain is yours, but you let them complete domain validation to get their certificate.

Revocation for random domains is kind of a moo point as chrome doesn’t do OCSP default, just CRLsets that are pushed out with browser releases, that probably won’t include your domain.<p>Better instead just to have shorter TTL certs.

This paper seems relevant. It describes a new CT log with additional <i>revocation transparency</i>.<p><a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2021&#x2F;818.pdf" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2021&#x2F;818.pdf</a><p>For it to be useful, I imagine clients would need to query some central service every time it receives a certificate it has not seen before, which could potentially be a privacy concern. The only other alternative seems to be for clients to sync the entire revocation log, which would quickly grow in size.

I recently noticed that Cloudflare issued multiple, year-long certificates for one of my domains that has NOTHING to do with Cloudflare services. Trying to get them revoked has been an exercise in frustration and futility.

&gt; In fact, the official stance of the SSL team at CloudFlare is that they won’t revoke unless the team has “determined the private key was compromised.”<p>Sounds like you should email the private key to the Cloudflare security team as plain text

Another example of pay-to-play is their Keyless SSL for Enterprise only customers: <a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;ssl&#x2F;keyless-ssl&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;ssl&#x2F;keyless-ssl&#x2F;</a><p>I&#x27;ve wanted to use their infrastructure for years, but I just can&#x27;t bring myself to relinquish private key control.

I’ve been wanting to move off Cloudflare for a while for some self hosted things (I bought the domain on CF and had to wait a few months for it to be allowed to transfer). What registrar do people recommend? (other than porkbun which refuses to let me sign up with a VPN)

Have I got this right?<p>Cloudflare serves an SSL certificate for each site that it MITMs, and they fail to revoke it when the site leaves Cloudflare. A site &quot;leaving&quot; Cloudflare means that the site&#x27;s DNS no longer points to Cloudflare IP addresses.<p>What&#x27;s the problem? The departing site stops serving the Cloudflare certificate. Cloudflare is no longer the destination for visitors to the site, so it won&#x27;t be serving the certificate either. The only way it could abuse the retained certificate would be if it controlled the site&#x27;s DNS, so if $SITE_OWNER changes DNS provider, the retained certificate isn&#x27;t a problem.<p>What did I miss?

I hate how necessary CF is.

(2021)

(2021)

Meh. While Cloudflare certainly isn&#x27;t perfect...neither are their services provided by North Pole Elves. Doing Stuff for you is not free on their end.<p>And what is the betrayed-by-a-CF-held-cert scenario that you are worried about here? Given their size, and that you are not exactly a major bank, I&#x27;d say that CF has 1000X more skin in this game than you do, if the your-domain-name cert that they hold was put to malicious use.

Sounds 100% reasonable to me.<p>You want free L7 ddos protection... well that comes with some costs.