On 17/09/16 16:38, Florian Weimer wrote:
> * Peter Bowen:
>
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com> wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can I understand like that?
>>
>> I would guess that they have a clause in their terms of service or customer agreement that says they can update records in the DNS zone and/or calls out that the subscriber consents to them getting a certificate for any domain name hosted on CloudFlare DNS.
>
> I find it difficult to believe that the policies permit Cloudflare's behavior, but are expected to prevent the issue of interception certificates. Aren't they rather similar, structurally?
I don't see how they're similar. Interception certificates are issued without the knowledge and permission of the domain owner. Someone signing up for CloudFlare willingly chooses to trust a CDN provider with all their web traffic and DNS (in order to enable CloudFlare for a domain, the NS record for that domain needs to point to CloudFlare).

I could understand this argument if they'd somehow pretend to be a DNS-only provider and then abuse that to issue certificates. However, nothing about their site (or their marketing approach in general) gives me that impression - it's made quite clear that they're primarily a CDN with SSL support.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy