If you run into this issue, contact the CA directly and not Cloudflare.
The CA is required to handle your request within 24 hours. If they do not, that is an incident for the CA.
I don't think it makes a significant difference (I believe browsers don't implement revocation in any meaningful way), but the option exists.
And CF has no obligation to revoke the cert when it's no longer needed, nor to act as a free middleman between domain owner and CA.
Cloudflare could make this much easier by revoking the cert when the customer moves away from them. They probably should do this.
My main gripe with Cloudflare is not that they issued these certificates. It's the fact that they are valid for one (1) year and I don't have an easy, preferably automated way to have them revoked.
Don’t bother going through Cloudflare.
If they don’t respond to you within 24 hours, let me know and we can start an incident against that CA.
I reached out to Digicert at revoke@digicert.com. They responded almost immediately and directed me to Cloudflare's abuse report form, where I was met with a wall. Now I'm back to Digicert asking them to please revoke them.
Note that this isn't an urgent security situation, as the domain in question isn't in use currently. It's more of an annoyance, since the certs are valid for 1 year.
Certificates in question: https://crt.sh/?id=11447235791 https://crt.sh/?id=11447092451
Cloudflare serves an SSL certificate for each site that it MITMs, and they fail to revoke it when the site leaves Cloudflare. A site "leaving" Cloudflare means that the site's DNS no longer points to Cloudflare IP addresses.
What's the problem? The departing site stops serving the Cloudflare certificate. Cloudflare is no longer the destination for visitors to the site, so it won't be serving the certificate either. The only way it could abuse the retained certificate would be if it controlled the site's DNS, so if $SITE_OWNER changes DNS provider, the retained certificate isn't a problem.
What did I miss?
They’ve got a pretty large vector for intercepting real traffic from a substantial number of users.
I use Bunny CDN for DNS services.
Though I do use CloudFlare for DNS and pages - I use EasyDNS purely as a registrar.
You want free L7 ddos protection... well that comes with some costs.
We get something for free but lose some control over our site, domain and data. CF gains insight into potentially valuable data like client information, traffic, attack and request patterns.
The costs and risks should be applicable as long as they enjoy the benefits but anything beyond a certain grace period doesn't sound reasonable.
I can understand if CF didn't prioritize it enough to spend development resources on revoking a cert but I don't see an upside for CF to continue keeping the certificate after a customer exits. They are unnecessarily taking on extra (reputation) risk if the still valid cert is compromised and used by someone else.
We have no idea if Cloudflare retained the cert. The blog post is just claiming that Cloudflare did not revoke the certificate and instead is just letting it expire naturally. (That said, I wouldn't be surprised if they retained it.)
Potential upside for cloudflare is that if the client disabled ddos protection just temporarily to test something but intends to reenable it, this allows the reenable to happen instantly (assuming they kept the cert).
Which would be nice but honestly most browsers don't even do revocation checks so... ya
The post isn't happy that cloudflare offers free DDOS protection, instead they are so upset that using the free level doesn't allow you to revoke their certificate for your website that they accuse cloudflare of being corrupt.
That's grossly unfair to cloudflare. If you didn't want them to have a certificate for your website, don't give it to them!
I'd wager the reason why this feature doesn't exist is because - by the time someone will want to revoke it, the private key for the certificate will have already been deleted, making revocation impossible.
Honestly, this article has probably been written by someone that doesn't actually know how the certificates are created and revoked, forgot to remove a CNAME entry on their DNS and now wants to drum up controversy for clicks from people that probably shouldn't participate in the discussion either, as they're most likely not as informed as they think they are.
And while I was a sysadmin around 10 yrs ago, which gives me a rudimentary understanding of the lifecycle of these certificates... I wouldn't call myself an expert either.
I bought the domain passkey.exchange through Cloudflare on 12 April and I didn't set up ANYTHING on it. No DNS records. Nothing. I didn't touch it since.
Yet, exactly at the purchase time, 3 certificates were added to the certificate transparency log:
2 from LetsEncrypt and one from Google. How?
https://crt.sh/?q=passkey.exchange
The only explanation that I have is that Cloudflare is doing some kind of integration testing after you buy a domain from them on Google Cloud and LetsEncrypt before giving you the domain.
But that means they have some private key somewhere for 90 days. Across two different CAs.
Or I have a really bad memory, set up some infrastructure on Google Cloud and then deprovisioned it again and removed all DNS records.
Or I was hacked.
It's really strange.
Edit: digging further it must've been Cloudflare.
The google cert has
Not Before: Apr 12 22:01:51 2024 GMT
My invoice is dated 22:49 UTC. One hour after the cert was issued?
The timestamp difference is probably just Google backdating the certificate by an hour or 30 minutes to deal with clients whose clocks lag behind.
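The exchange above is the kind of check a domain owner can script rather than do by hand: pull the CT history for the domain, flag issuers you never authorised, see which certificates were logged around the purchase time, and measure how far notBefore sits before the log entry (the clock-skew allowance mentioned in the reply). The following is an added example, not code from any commenter or from Cloudflare or crt.sh. It assumes the field names crt.sh uses in its JSON output (`id`, `issuer_name`, `name_value`, `not_before`, `not_after`, `entry_timestamp`); the records, ids and timestamps embedded below are constructed sample data so the script runs offline.

```python
"""Audit a domain's Certificate Transparency history offline (added example).

The input mirrors the JSON that crt.sh returns for ?q=<domain>&output=json;
everything below is constructed sample data, not a real query result.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: three certificates for example.com from three CAs.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-04-12T22:01:51", "not_after": "2024-07-11T22:01:50",
     "entry_timestamp": "2024-04-12T22:02:10"},
    {"id": 1002, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "common_name": "example.com", "name_value": "example.com",
     "not_before": "2024-04-12T21:01:51", "not_after": "2024-07-11T21:01:50",
     "entry_timestamp": "2024-04-12T22:01:55"},
    {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "example.com", "name_value": "example.com\n*.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T23:59:59",
     "entry_timestamp": "2024-03-01T00:00:05"},
])


def utc_time(text):
    """crt.sh timestamps are naive ISO-8601 in UTC; attach the zone explicitly."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def issuer_org(issuer_dn):
    """Pull the O= component out of a comma-separated issuer DN (simple DNs only)."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return ""


def parse_ct_records(json_text):
    records = []
    for row in json.loads(json_text):
        records.append({
            "id": row["id"],
            "issuer_org": issuer_org(row["issuer_name"]),
            "names": sorted(set(row["name_value"].split("\n"))),
            "not_before": utc_time(row["not_before"]),
            "not_after": utc_time(row["not_after"]),
            "logged_at": utc_time(row["entry_timestamp"]),
        })
    return records


def unexpected_issuers(records, allowed_orgs):
    """Certificates from CAs not on your allowlist (the same set your CAA records permit)."""
    return [r for r in records if r["issuer_org"] not in allowed_orgs]


def issued_around(records, event_time, window=timedelta(hours=2)):
    """Certificates logged within +/- window of an event such as a domain purchase.

    Compares the CT log's entry timestamp, not notBefore: CAs commonly set
    notBefore earlier than the real issuance moment to tolerate client clock skew.
    """
    return [r for r in records if abs(r["logged_at"] - event_time) <= window]


def apparent_backdating(record):
    """How far notBefore precedes the moment the (pre)certificate was logged."""
    return record["logged_at"] - record["not_before"]


def days_remaining(record, now):
    """Exposure window left on a certificate you cannot revoke yourself."""
    return max(0, (record["not_after"] - now).days)


if __name__ == "__main__":
    recs = parse_ct_records(SAMPLE_CT_JSON)
    purchase = utc_time("2024-04-12T22:49:00")  # constructed invoice time
    for r in issued_around(recs, purchase):
        print(f"#{r['id']} {r['issuer_org']} logged {r['logged_at']:%H:%M:%S}Z, "
              f"notBefore backdated by {apparent_backdating(r)}")
    for r in unexpected_issuers(recs, {"Let's Encrypt", "Google Trust Services LLC"}):
        print(f"#{r['id']} from {r['issuer_org']} not in allowlist, "
              f"{days_remaining(r, purchase)} days still valid")
```

Against the constructed data the script reports two certificates logged within an hour of the purchase (one with notBefore pushed back 19 seconds, the other a full hour) and one DigiCert certificate that is not on the allowlist with 323 days of validity left. Run against a real crt.sh dump, the `issued_around` and `unexpected_issuers` lists are the entries worth raising with the CA.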
(edit: although I'm a DevOps engineer and I wrote my own subdomain registration service, so my preference will certainly not match others).
Better instead just to have shorter TTL certs.
I've wanted to use their infrastructure for years, but I just can't bring myself to relinquish private key control.
https://eprint.iacr.org/2021/818.pdf
For it to be useful, I imagine clients would need to query some central service every time they receive a certificate they have not seen before, which could potentially be a privacy concern. The only other alternative seems to be for clients to sync the entire revocation log, which would quickly grow in size.
Sounds like you should email the private key to the Cloudflare security team as plain text
The domain is yours, but you let them complete domain validation to get their certificate.
And what is the betrayed-by-a-CF-held-cert scenario that you are worried about here? Given their size, and that you are not exactly a major bank, I'd say that CF has 1000X more skin in this game than you do, if the your-domain-name cert that they hold was put to malicious use.