I bought the domain passkey.exchange through Cloudflare on 12 April and I didn't set up ANYTHING on it. No DNS records. Nothing. I haven't touched it since.
Yet, exactly at the purchase time, 3 certificates were added to the certificate transparency log:
2 from LetsEncrypt and one from Google. How?
https://crt.sh/?q=passkey.exchange
The only explanation that I have is that Cloudflare is doing some kind of integration testing after you buy a domain from them on Google Cloud and LetsEncrypt before giving you the domain.
But that means they have some private key somewhere for 90 days. Across two different CAs.
Or I have really bad memory, set up some infrastructure on Google Cloud and then deprovisioned it again and removed all DNS records.
Or I was hacked.
It's really strange.
Edit: digging further it must've been Cloudflare.
The Google cert has
Not Before: Apr 12 22:01:51 2024 GMT
My invoice is dated 22:49 UTC. One hour after the cert was issued?
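One way to do the same triage offline, as an added example that is not code from the post, from Cloudflare or from crt.sh: the script takes CT records shaped like crt.sh's JSON output (the field names, the UTC timestamps without a zone designator and the newline-separated name_value convention are assumptions about that format), compares each notBefore against the purchase time, and flags anything from an issuer or for a hostname the owner never set up. The sample records are constructed to match the timeline in the post, not pulled from the live log.

```python
"""Offline triage of certificate transparency (CT) records for a domain.

Added example, not code from the post, Cloudflare or crt.sh. The records
below are constructed to mirror the shape of crt.sh's JSON output
(?q=<domain>&output=json); those field names and the newline-separated
name_value convention are assumptions about that format, and the sample
values are made up to match the timeline the post describes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: what a CT query for a freshly registered domain might return.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "common_name": "passkey.exchange", "name_value": "passkey.exchange",
     "not_before": "2024-04-12T22:01:51", "not_after": "2024-07-11T22:01:50"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "passkey.exchange",
     "name_value": "passkey.exchange\nwww.passkey.exchange",
     "not_before": "2024-04-12T22:03:10", "not_after": "2024-07-11T22:03:09"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "passkey.exchange", "name_value": "passkey.exchange",
     "not_before": "2024-04-12T22:03:12", "not_after": "2024-07-11T22:03:11"},
]

# Invoice time from the post (12 April 2024, 22:49 UTC).
PURCHASE_TIME = datetime(2024, 4, 12, 22, 49, tzinfo=timezone.utc)


@dataclass
class Finding:
    cert_id: int
    issuer: str
    not_before: datetime
    not_after: datetime
    minutes_from_purchase: int      # negative: issued before the purchase
    names: list
    reasons: list


def parse_ct_time(value: str) -> datetime:
    """crt.sh timestamps carry no zone designator; they are UTC (assumption)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(records, purchase_time, expected_issuers=(), known_names=()):
    """Flag every certificate the domain owner cannot account for.

    expected_issuers: substrings of issuer_name the owner actually uses.
    known_names: hostnames the owner actually provisioned.
    With both empty (the "I set up nothing" case) every record is flagged.
    """
    findings = []
    for rec in records:
        not_before = parse_ct_time(rec["not_before"])
        names = rec["name_value"].split("\n")
        reasons = []
        if not_before < purchase_time:
            reasons.append("issued before the domain was purchased")
        if not any(exp.lower() in rec["issuer_name"].lower() for exp in expected_issuers):
            reasons.append("issuer not in the owner's allow-list")
        unknown = [n for n in names if n not in known_names]
        if unknown:
            reasons.append("names the owner never provisioned: " + ", ".join(unknown))
        if reasons:
            # Truncate toward zero so 47 min 9 s before purchase reads as -47.
            delta_minutes = int((not_before - purchase_time).total_seconds() / 60)
            findings.append(Finding(rec["id"], rec["issuer_name"], not_before,
                                    parse_ct_time(rec["not_after"]),
                                    delta_minutes, names, reasons))
    return findings


def days_still_usable(finding, now):
    """Days until an unexpected certificate expires: how long a private key the
    owner does not hold stays usable if nobody revokes it."""
    return max(0, (finding.not_after - now).days)


def summarize(findings):
    """One line per finding, suitable for a ticket to the issuing CA."""
    return [
        f"cert {f.cert_id}: {f.issuer} | notBefore {f.not_before:%Y-%m-%d %H:%M:%S}Z "
        f"({f.minutes_from_purchase:+d} min vs purchase) | " + "; ".join(f.reasons)
        for f in findings
    ]


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS, PURCHASE_TIME)
    for line in summarize(found):
        print(line)
    for f in found:
        print(f"cert {f.cert_id} usable for {days_still_usable(f, PURCHASE_TIME)} more days")
```

Run against a real crt.sh download, the useful signal is the sign of minutes_from_purchase: a certificate logged before your own invoice time can only have been obtained by whoever controlled the name at that moment, which is what to put in the request to the CA.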
If you run into this issue, contact the CA directly and not Cloudflare.
The CA is required to handle your request within 24 hours. If they do not, that is an incident for the CA.
The domain is yours, but you let them complete domain validation to get their certificate.
Better instead just to have shorter TTL certs.
https://eprint.iacr.org/2021/818.pdf
For it to be useful, I imagine clients would need to query some central service every time they receive a certificate they have not seen before, which could potentially be a privacy concern. The only other alternative seems to be for clients to sync the entire revocation log, which would quickly grow in size.
Sounds like you should email the private key to the Cloudflare security team as plain text
I've wanted to use their infrastructure for years, but I just can't bring myself to relinquish private key control.
Cloudflare serves an SSL certificate for each site that it MITMs, and they fail to revoke it when the site leaves Cloudflare. A site "leaving" Cloudflare means that the site's DNS no longer points to Cloudflare IP addresses.
What's the problem? The departing site stops serving the Cloudflare certificate. Cloudflare is no longer the destination for visitors to the site, so it won't be serving the certificate either. The only way it could abuse the retained certificate would be if it controlled the site's DNS, so if $SITE_OWNER changes DNS provider, the retained certificate isn't a problem.
What did I miss?
And what is the betrayed-by-a-CF-held-cert scenario that you are worried about here? Given their size, and that you are not exactly a major bank, I'd say that CF has 1000X more skin in this game than you do, if the your-domain-name cert that they hold was put to malicious use.
You want free L7 DDoS protection... well, that comes with some costs.
The post isn't happy that Cloudflare offers free DDoS protection; instead they are so upset that using the free level doesn't allow you to revoke their certificate for your website that they accuse Cloudflare of being corrupt.
That's grossly unfair to Cloudflare. If you didn't want them to have a certificate for your website, don't give it to them!