undefined | Better HN

0 pointsZoneZealot1y ago0 comments

Note that the CA's that Cloudflare uses have not mis-issued any certificates in this case, the certificate was legitimately issued for Cloudflare to front the site in question with their CDN/WAF services. It just happens that the court order will make Cloudflare front them with a HTTP 451 instead, for visitors from the relevant countries.

There is no bypassing of certificate transparency, as there was no additional TLS certificate issued, it was already in use.

If Cloudflare was demanded to block a different site that did not use Cloudflare's WAF service, they would have to do something else at the recursive DNS resolver level. So far that hasn't happened, because Cloudflare is incredibly popular, especially so for less-than-legal sites.

0 comments

2 comments · 1 top-level

JumpCrisscross1y ago· 1 in thread

> There is no bypassing of certificate transparency

Transparency as in their reporting, not the technical details of certificate issuance.

FTA: “Interestingly, Cloudflare maintains in its transparency report that it is not blocking content through its public DNS resolver. Instead, it points out that it uses ‘alternate mechanisms’.”

ZoneZealotOP1y ago

I thought their transparency report was quite clear https://www.cloudflare.com/en-gb/transparency/

> 5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.

That's accurate, the DNS responses for these domains previously did, and still do, point to Cloudflare's WAF/CDN.

They haven't said anything like '...never blocked access to customer content...'.

1 more reply

j / k navigate · click thread line to collapse