On Thu, 23 Nov 2017 00:50:04 +0100 Quirin Scheitle via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> 2) Cloudflare FreeSSL certificates issued by Comodo
> Batch: https://misissued.com/batch/30/
> Description: We are not aware that Cloudflare and Comodo are
> affiliated, or that Comodo runs the DNS infrastructure of Cloudflare
> customers — so these certificates should be checked like any other?

My understanding is that Cloudflare CDN (usually? always?) is enabled by giving Cloudflare control over DNS for the names you want given CDN treatment, either a CNAME or direct name server control.

I assume Comodo's arrangement with Cloudflare to permit bulk issuance is streamlined significantly by this control over DNS and in exchange Cloudflare gets a very good deal on those certificates, with the exact details presumably commercially sensitive. It doesn't seem unlikely that Comodo skip some checks for names that Cloudflare control in this way.

It would be concerning if as a result of the streamlining it is /ever/ possible for Cloudflare to obtain certificates for names that were not actually assigned by the above mechanism to Cloudflare, even if this only happened accidentally - because responsibility for correct issuance must lie with Comodo, not Cloudflare, any abdication of decision making power to an untrusted third party can be a Big Problem, just as we saw with Symantec.

It would be less concerning, but still problematic if Cloudflare allowed a situation to exist in which their customers could use Cloudflare CDN for a name (so Cloudflare would ask Comodo to issue certificates for this name) while also setting CAA to forbid issuance by Comodo for the name, and then get a certificate issued anyway. This is clearly a violation of the rules as written, and shouldn't happen, but I'd be comfortable seeing this as basically a goof, a mismatch between intention and implementation, just needing a software fix and maybe some better documentation from Cloudflare so that it doesn't happen again.

Can we have a comment from Comodo about this? And if appropriate they can invite someone technical from Cloudflare to comment too.

Nick.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
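The CAA situation described in the message above (a CDN-hosted name whose owner has set CAA to forbid the CA the CDN asks for certificates, versus a name the owner has CNAMEd to the CDN, which carries the CDN's own CAA policy) is something a CA can check mechanically before issuing. The following is an added example, not code from the thread, from Comodo or from Cloudflare. It implements the RFC 8659 "relevant CAA record set" walk (follow CNAMEs at each name, then climb toward the TLD until a non-empty CAA set is found) over a constructed in-memory zone. All names in the zone and the CA identifiers `trusted-ca.example`, `cdn-ca.example` are constructed placeholders, not any real CA's CAA issuer domain.

```python
"""Added example: decide whether a CA may issue for a name under CAA (RFC 8659).

The ZONE below is a constructed stand-in for real DNS; in practice each
lookup would be a DNSSEC-validated query from the CA's resolver.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # issuer domain (optionally "; params"), ";" for nobody, or a URL


# Constructed zone: name -> {"CAA": [records]} and/or {"CNAME": target}.
# A records are omitted because CAA evaluation never consults them.
ZONE = {
    # Apex policy: only the placeholder "trusted-ca.example" may issue.
    "example.com": {"CAA": [CAARecord(0, "issue", "trusted-ca.example")]},
    # CDN-hosted via A records only: no CAA of its own, inherits the apex policy.
    "api.example.com": {},
    # CDN-hosted via CNAME: the alias target carries the CDN's CAA policy.
    "www.example.com": {"CNAME": "www.example.com.cdn-alias.example"},
    "www.example.com.cdn-alias.example": {
        "CAA": [CAARecord(0, "issue", "cdn-ca.example")]
    },
    # No CAA anywhere on the path: any CA may issue.
    "plain.example.org": {},
    # Unknown property with the critical flag set: issuance must be refused.
    "strict.example.net": {"CAA": [CAARecord(128, "futuretag", "x")]},
}


def caa_query(name):
    """CAA lookup for one name, following CNAME chains as a resolver would."""
    seen = set()
    while name in ZONE and "CNAME" in ZONE[name]:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = ZONE[name]["CNAME"]
    return list(ZONE.get(name, {}).get("CAA", []))


def parent(name):
    """Strip the leftmost label; returns "" once the TLD has been passed."""
    return name.split(".", 1)[1] if "." in name else ""


def relevant_caa_set(name):
    """RFC 8659 s.3: climb from the FQDN toward the root; first non-empty set wins."""
    while name:
        rrset = caa_query(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def _issuer_domain(record):
    # The issuer domain is the text before any ";" parameter list.
    return record.value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca_domain):
    """Return True if the CA identified by ca_domain may issue for name.

    A leading "*." marks a wildcard request, where issuewild takes precedence
    over issue if present (RFC 8659 s.4.3).
    """
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    rrset = relevant_caa_set(name)
    if not rrset:
        return True  # no CAA on the path: no restriction
    # Any unrecognised property carrying the critical flag forbids issuance.
    for r in rrset:
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True  # only iodef or similar: nothing restricts issuance
    return any(_issuer_domain(r) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for n, ca in [("api.example.com", "cdn-ca.example"),
                  ("www.example.com", "cdn-ca.example"),
                  ("*.example.com", "trusted-ca.example")]:
        print(n, ca, "permitted" if issuance_permitted(n, ca) else "FORBIDDEN")
```

The two CDN-hosted names behave differently on purpose: `api.example.com` has no CAA of its own, so the walk reaches the apex record and the CDN's CA is refused, which is exactly the case the message says must not result in a certificate; `www.example.com` is a CNAME, so its relevant set is the alias target's, where the CDN's CA is listed. A CA that skips this walk for names a partner controls has delegated the issuance decision, which is the concern raised above.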