On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote:
> On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote:
> > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As
> > cloudflare does not state anywhere that they issue certificates when SSL
> > and CDN features are explicitly switched off from the beginning.
> 
> They do state it: in a blog post from 2014.  They appear to believe this is
> sufficient notice.

Well, a blog post is not a TOS or a security policy. But maybe in some far away
country it is accepted. Anyway, can you send me the link to that post?

> 
> > 1. trust issue: Cloudflare issues certificates without asking permission
> > or stating it in TOS or elsewhere.  Doing so when in DNS-only mode appears
> > to me illegal.
> 
> Illegal?  In which jurisdiction(s)?

Well, if you buy a VPS and the provider creates a certificate by validating by
adding content to your webserver, ... we would agree that this is wrong, right?
But when I get a service to host MY DNS entries, it is fine if the provider
manipulates them without my knowledge? ... But I have noticed that in some
countries the understanding of legal and illegal is different. Sad.

> 
> > 2. trust issue: Cloudflare modifies the DNS entries to validate without
> > consent of the domain owner or account holder.  Again, no mention of it in
> > TOS or anywhere else.  So the modification is not permitted in DNS-only
> > mode.
> 
> So go tell Cloudflare.  Take your business elsewhere.

I understand, go and just live with a certificate that is issued without my
permission. It seems that CT is useless if no actions are taken against
wrong behaviour.

> 
> There is no need to keep banging on about it on this list.  Everyone here
> knows what Cloudflare is doing, they have their opinion of it, and as a
> group this list can do nothing about it.
> 
> > But from the moment on when the CA (Comodo) is informed about this shady
> > behavior by multiple domain owners / account owners, Comodo should start
> > acting.
> 
> As the Wikipedians say: "Citation Needed".
> 
> - Matt

Still sad that wrong behaviour of companies that trick CAs into issuing 
certificates is protected by "go away!" comments. I would have expected more. 

And as this thread shows, I am not alone.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
