On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its
> > DNS-using (only) customers on the "off chance" that they might want to use
> > their proxy services in the future, that would be extremely creepy and
> > unpleasant, but so far I don't think there's enough evidence to be able to
> > say such a thing is happening at present. It seems far more likely that
> > bupt.moe was a Cloudflare proxy customer (if only for a *very* brief time),
> > the certificate was issued for that purpose, and now the domain has been
> > pointed elsewhere, and the name is just hanging around in a cert which will
> > expire in six months or so.
>
> I am the owner of BUPT.MOE and I just use DNS service.

And you've never ticked (or unticked[1]) the little "cloud" icon to the right
of *any* record in bupt.moe?

- Matt

[1] I took a support request today for a "DNS only" Cloudflare customer, and
it appeared that their root record was being passed through Cloudflare. I
haven't heard back as to whether someone at their end knowingly enabled it,
but there's the possibility that Cloudflare automagically enables proxying by
default -- which is deplorable, IMO, from a user experience perspective, but
not something that is relevant from an SSL perspective.

--
The main advantages of Haynes and Chilton manuals are that they cost $15,
where the factory manuals cost $100 and up, and that they will tell you how
to use two hammers, a block of wood, and a meerkat to replace "special tool
no. 2-112-A" -- Matt Roberds in asr.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy