Domain validation by placing a root-level file on your webserver has been available from multiple CAs for years. If your domain points to a server controlled by a third party, they have always been able to pass domain validation.
Does Cloudflare require A records or NS records to point to them before issuing the cert? I guess maybe that could work. I'm still a little skeptical about the whole no-interaction-required part.
Is there no way this is open to abuse? Could a third party sign up to Cloudflare for a domain they do not own and somehow spoof the checks? Maybe it's no different from regular automatic domain validation, though.
Hopefully the backend that requests and retrieves new SSL certificates from the CA cannot be compromised.
I guess you're right about that, but it still feels a bit weird that a third party can just allocate a private key and a valid certificate without the actual owner of the domain requesting it.
If you've given up control of the DNS on your domain to a third party, they can do whatever they want with that domain - they ultimately control email, web, and any other services on that domain. So if you use Cloudflare, you've already given up that control and trust them completely with your domain.
This is what makes me hesitant about using Cloudflare or recommending it to clients; you give up a lot of control over your data and domains.
That's always going to be true at some level—even if you're hosting DNS yourself. I self-host the DNS for many of my domains on a Linode VPS. If Linode decides that they don't like me (or they just make a mistake) and re-allocates my IP addresses to someone else, they could set up their own DNS server to direct my domains however they please. However, I trust Linode to not do this, based on their track record and reputation.
You're always at the mercy of at least one vendor, unless you own your own block of IP addresses and advertise it via BGP (and even then, someone could make their own malicious advertisement of your IP block).
You can't eliminate the risk. At some point, you have to set the threshold for what risk you consider acceptable. For many organizations, using Cloudflare provides enough benefit to outweigh the slightly higher risk of something going wrong.
Well, having a website hosted on Cloudflare implies that you had more interaction with them than most CAs will ever ask of you to get a certificate, besides giving them the money.
"The CA MUST ensure that the certificate is issued with the consent of, and according to procedures established by, the owner of each Domain Name"
EDIT: Here are the established authorization procedures:
"11.1.1 Authorization by Domain Name Registrant
For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN by:
1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record's "registrant", "technical", or "administrative" field;
4. Communicating with the Domain's administrator using an email address created by pre-pending 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' in the local part, followed by the at-sign ("@"), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or
7. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described."
IANAL and I'm sure that CF has had this double checked, but I still think it's a bold move to issue certs on their own account.
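Method 6 above ("an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN") and the root-level file mentioned at the top of the thread are the same mechanism, and it is small enough to model end to end. The following is an added example written for this page, not code from the thread, from Cloudflare or from any CA: a toy CA issues a random token, a local HTTP server stands in for whoever operates the host the name points at, and a constructed resolver stands in for DNS. The path `/.well-known/domain-validation/`, the hostname `www.example.com` and all function names are made up for the illustration.

```python
"""Toy model of 'practical control' domain validation.

The CA hands the applicant a random token and then fetches it from a URL
built from the FQDN.  Whoever operates the host that the FQDN resolves to
can publish the token and pass, whether or not they are the registrant.
Added example; the path, hostname and names are hypothetical.
"""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

VALIDATION_PREFIX = "/.well-known/domain-validation/"  # hypothetical location


class ChallengeHandler(BaseHTTPRequestHandler):
    """Operator's side: serves whatever bodies the operator chose to publish."""

    def do_GET(self):
        published = self.server.published  # dict: token -> body, set by the operator
        if self.path.startswith(VALIDATION_PREFIX):
            token = self.path[len(VALIDATION_PREFIX):]
            if token in published:
                body = published[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_operator_server(published):
    """Start a local server on an ephemeral port; the fake DNS points at it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    server.published = published
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def ca_issue_token():
    """CA side: the 'agreed-upon change' is publishing a fresh random token."""
    return secrets.token_urlsafe(32)


def ca_validate(fqdn, token, resolve):
    """CA side: fetch the token from the host the FQDN resolves to.

    `resolve` stands in for DNS and returns (ip, port).  A real CA resolves
    the name itself and connects on 80/443; the Host header carries the FQDN.
    Any error or a body that does not match the token is a failed validation.
    """
    ip, port = resolve(fqdn)
    req = Request(f"http://{ip}:{port}{VALIDATION_PREFIX}{token}",
                  headers={"Host": fqdn})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.read().decode().strip() == token
    except (HTTPError, URLError):
        return False


def demo():
    """Three cases: the host operator passes, a bystander fails, a tampered body fails."""
    published = {}  # what the operator's server will serve (constructed)
    server = start_operator_server(published)
    fqdn = "www.example.com"  # hypothetical name

    def resolve(name):  # constructed 'DNS': every name points at the local server
        return ("127.0.0.1", server.server_port)

    try:
        # Case 1: the party running the host (e.g. a CDN fronting the site)
        # publishes the CA's token. The registrant did nothing, yet it passes.
        t1 = ca_issue_token()
        published[t1] = t1
        operator_passes = ca_validate(fqdn, t1, resolve)

        # Case 2: someone holding a token without control of the host cannot
        # get it published; the server answers 404 and validation fails.
        t2 = ca_issue_token()
        bystander_fails = not ca_validate(fqdn, t2, resolve)

        # Case 3: the server answers 200, but the body is not the agreed token.
        t3 = ca_issue_token()
        published[t3] = "not-the-agreed-token"
        mismatch_rejected = not ca_validate(fqdn, t3, resolve)
    finally:
        server.shutdown()
        server.server_close()
    return {"operator_passes": operator_passes,
            "bystander_fails": bystander_fails,
            "mismatch_rejected": mismatch_rejected}


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is the one raised at the top of the thread: the check proves control of whatever answers HTTP for the name, not identity of the registrant, so a provider that both hosts the DNS and terminates HTTP for a domain can pass it without any action from the domain owner.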
> Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN
CloudFlare arguably has the consent of the domain holder (gray area but probably in CF's favor) and can pass the required validation.
I do partially agree that the domain holder (CloudFlare's customer) should have been sent an opt-in email, but I think the positives outweigh the negatives.
Edit: If so, then what little trust still existed in the HTTPS PKI CA space just went out the window.