On Thursday, November 3, 2016 at 10:59:53 AM UTC+1, Gervase Markham wrote:
> On 02/11/16 23:26, wrote:
> > Before I contacted this group, I contacted Cloudflare and asked them
> > to stop creating certificates with my domain. The answer in short
> > was, ... they cannot change it and as long as I am using their
> > service, they will continue.
> 
> How would you expect the service to work without them doing that?
> 
> > I also contacted Comodo as the CA and asked them. The answer was
> > different but also not helping. In short, ... I can use a CAA DNS
> > record (not supported by many DNS providers like Cloudflare) to avoid
> > it in the future. But in the next sentence telling me that those
> > records are not honoured by many CAs.
> 
> Hopefully this will change before too long.
> 
> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.
> 
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your own cert. So if you want to use Cloudflare but don't want
> them obtaining certs for you, join the paying tier.
> 
> Gerv

Hi, 

I guess you never used Cloudflare, right? So let me explain it to you so you 
understand my concern. I have posted my whole explanation to this group but it 
is somewhere lost I think. 

1.) Yes, Cloudflare offers a kind of MITM as a service. You don't have a
certificate, you want their protection, ... etc. So they create it for you,
intercept and cache the traffic.

2.) Cloudflare does offer much more. Besides other things you can disable all
those features and use Cloudflare in "DNS-only mode" as they call it. This
means the SSL option is switched off by the user. (My expectation would be that
there are no SSL certificates issued for my domain in that mode.)

Now, knowing that, I get back to your questions:

> How would you expect the service to work without them doing that?

As far as I understand a DNS-only service, an SSL certificate is not required. My
expectation would be that Cloudflare honors the settings I set on the
account/domain.

> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.

Again, I use Cloudflare in the DNS-only mode. All the features (except DNS) are
disabled. SSL: OFF, Intercepting traffic: OFF, ...

> 
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your own cert. So if you want to use Cloudflare but don't want
> them obtaining certs for you, join the paying tier.

As far as I understood you can even upload the cert in the free plan, but that is
beside the point. DNS-only mode would not require it.


I would have at least expected that they stop issuing certificates after I
requested it. But they don't!
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
