undefined | Better HN

0 pointsffsm82y ago0 comments

But that's not really what's happening here, is it? Theyre complaining that cloudflare doesn't have a way to revoke certificates after the user specifically asked cloudflare to create one for them - transparently, so they dont have to bother with the keys to this certificate.

I'd wager the reason why this feature doesn't exist is because - by the time someone will want to revoke it, the private key for the certificate will have already been deleted, making revocation impossible.

Honestly, this article has probably been written by someone that doesn't actually know how the certificates are created and revoked, forgot to remove a cname entry on their DNS and now wants to drum up controversy for clicks from ppl that probably shouldn't participate in the discussion either, as they're most likely not as informed as they think they're.

And while I was a sysadmin around 10 yrs ago, which gives me a rudimentary understanding of the lifecycle of these certificates... I wouldn't call myself an expert either .

0 comments

5 comments · 2 top-level

5e92cb50239222b2y ago· 2 in thread

Certificates are created regardless of whether you ask for them by using features like proxying traffic through CF. Just using them as a DNS service provider is enough for certs to be issued (with "proxy=off" or no A/CNAME records at all, it doesn't matter).

ffsm8OP2y ago

> Just using them as a DNS service provider is enough

With a cname you yield the control of one domain name, by setting an NS record you're literally passing over any and all control to cloudflare.

That's at a level of entering a shop that advertises itself as "diverse" and then complain that the male cashier was wearing makeup...

It's not like cloudflare makes it a secret that their goal is to take care of everything for their users. It's kinda the while point of using cloudflare, because theyre so easily to use... Because they're doing everything for you.

asimops2y ago

Not if you disable Universal SSL

https://developers.cloudflare.com/ssl/edge-certificates/univ...

cchance2y ago· 1 in thread

This honestly i never even thought about this, i mean sure Cloudflare COULD MITM them, but if the dns is already running through cloudflare, they could just reissue a new DNS challenged LetsEncrypt cert, they don't need your old cert to reissue a new one if they're the MITM and DNS hoster lol.

Bitching about a cert not being revoked, is kinda silly since the guys running like 50% of the internet could easily just reissue a new letsencrypt cert to replace the one you "revoked" if they were mischeveous.

tempay2y ago

> could easily just reissue a new letsencrypt cert

This would be visible in certificate transparency logs. MITM with the certificate they already have would be impossible to observe unless you had access to the client that was being attacked.

j / k navigate · click thread line to collapse