I'm struggling to understand the mindset in which this seems "corrupt".

The post isn't happy that Cloudflare offers free DDoS protection; instead they are so upset that using the free level doesn't allow you to revoke their certificate for your website that they accuse Cloudflare of being corrupt.

That's grossly unfair to Cloudflare. If you didn't want them to have a certificate for your website, don't give it to them!

I ran into a similarly weird issue with Cloudflare. This post made me check my domain that I recently bought.

I bought the domain through Cloudflare on 12 April and I didn't set up ANYTHING on it. No DNS records. Nothing. I haven't touched it since.

Yet, exactly at the purchase time, 3 certificates were added to the Certificate Transparency log:

2 from Let's Encrypt and one from Google. How?

The only explanation that I have is that Cloudflare is doing some kind of integration testing on Google Cloud and Let's Encrypt after you buy a domain from them, before giving you the domain.

But that means they have some private key somewhere for 90 days. Across two different CAs.

Or I have really bad memory: set up some infrastructure on Google Cloud and then deprovisioned it again and removed all DNS records.

Or I was hacked.

It's really strange.

Edit: digging further it must've been Cloudflare.

The Google cert has

Not Before: Apr 12 22:01:51 2024 GMT

My invoice is dated 22:49 UTC. One hour after the cert was issued?
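The check the commenter above describes by hand (pull your domain's CT entries, see which certificates you never requested, and compare the first one's Not Before against the registrar's invoice time) is easy to automate. The script below is an added example, not a tool from any commenter, from Cloudflare or from crt.sh; it assumes entries in the shape of crt.sh's JSON output (`issuer_name`, `not_before`, `not_after`, `name_value`), and the entries, the domain `example.test`, the provisioning window and the invoice time are all constructed for illustration. It goes slightly beyond the comment by also flagging issuers you have never used and by recording whether each unexpected certificate is still within its validity period, which is what decides whether a revocation request to the CA is worth filing.

```python
"""Audit Certificate Transparency entries for a domain against what you actually requested."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample entries in the shape crt.sh returns for `?q=example.test&output=json`.
# They are illustrative only, not real log records for any domain.
SAMPLE_CT_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-04-12T22:01:40", "not_after": "2024-07-11T22:01:39",
     "name_value": "example.test"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-04-12T22:01:44", "not_after": "2024-07-11T22:01:43",
     "name_value": "example.test"},
    {"issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "not_before": "2024-04-12T22:01:51", "not_after": "2024-07-11T22:01:50",
     "name_value": "example.test"},
    # The one certificate the (hypothetical) owner really did request later.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-06-01T10:00:00", "not_after": "2024-08-30T09:59:59",
     "name_value": "example.test"},
]

UTC = timezone.utc
# Constructed: the only time range in which the owner ran an ACME client for this domain.
MY_WINDOWS = [(datetime(2024, 6, 1, 9, 0, tzinfo=UTC), datetime(2024, 6, 1, 11, 0, tzinfo=UTC))]
# Constructed: the CA organisations the owner actually uses.
MY_ISSUERS = {"Let's Encrypt"}
# Constructed: the registrar invoice timestamp and the "current" time for the audit.
INVOICE_TIME = datetime(2024, 4, 12, 22, 49, tzinfo=UTC)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)


def parse_utc(ts: str) -> datetime:
    """crt.sh timestamps are naive ISO 8601 and always UTC; make them aware."""
    return datetime.fromisoformat(ts).replace(tzinfo=UTC)


def parse_openssl_notbefore(text: str) -> datetime:
    """Parse the 'Not Before' value as printed by `openssl x509 -text`, e.g. 'Apr 12 22:01:51 2024 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=UTC)


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of a crt.sh issuer_name DN string."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


@dataclass
class Finding:
    issuer: str
    not_before: datetime
    not_after: datetime
    still_valid: bool
    reasons: list = field(default_factory=list)


def audit_ct_entries(entries, my_issuers, my_windows, now) -> list:
    """Return one Finding per certificate the domain owner cannot account for."""
    findings = []
    for entry in entries:
        not_before, not_after = parse_utc(entry["not_before"]), parse_utc(entry["not_after"])
        org = issuer_org(entry["issuer_name"])
        reasons = []
        if org not in my_issuers:
            reasons.append(f"issuer {org!r} is not one you use")
        if not any(start <= not_before <= end for start, end in my_windows):
            reasons.append("issued outside any window in which you requested a certificate")
        if reasons:
            findings.append(Finding(org, not_before, not_after, not_before <= now <= not_after, reasons))
    return findings


def issuance_lead(cert_not_before: datetime, invoice_time: datetime) -> timedelta:
    """How long before the registrar invoice the certificate was already issued."""
    return invoice_time - cert_not_before


if __name__ == "__main__":
    for f in audit_ct_entries(SAMPLE_CT_ENTRIES, MY_ISSUERS, MY_WINDOWS, NOW):
        state = "STILL VALID - ask the CA to revoke" if f.still_valid else "expired"
        print(f"{f.not_before:%Y-%m-%d %H:%M:%S} {f.issuer:<28} {state}: {'; '.join(f.reasons)}")
    lead = issuance_lead(parse_openssl_notbefore("Apr 12 22:01:51 2024 GMT"), INVOICE_TIME)
    print(f"first unexpected cert was issued {lead} before the invoice")
```

Run it against real data by replacing `SAMPLE_CT_ENTRIES` with the parsed JSON from crt.sh for your domain; the two lists you have to maintain are `MY_ISSUERS` and `MY_WINDOWS`, and anything flagged with `still_valid` is the set worth taking to the CA's revocation contact.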

Disclaimer: I’ve been an engineer on various CAs in the past.

If you run into this issue, contact the CA directly and not Cloudflare.

The CA is required to handle your request within 24 hours. If they do not, that is an incident for the CA.

It's not your certificate, it's theirs and they're letting you use it.

The domain is yours, but you let them complete domain validation to get their certificate.

Revocation for random domains is kind of a moot point as Chrome doesn't do OCSP by default, just CRLSets that are pushed out with browser releases, which probably won't include your domain.

Better instead just to have shorter TTL certs.

This paper seems relevant. It describes a new CT log with additional revocation transparency.

For it to be useful, I imagine clients would need to query some central service every time it receives a certificate it has not seen before, which could potentially be a privacy concern. The only other alternative seems to be for clients to sync the entire revocation log, which would quickly grow in size.

I recently noticed that Cloudflare issued multiple, year-long certificates for one of my domains that has NOTHING to do with Cloudflare services. Trying to get them revoked has been an exercise in frustration and futility.
> In fact, the official stance of the SSL team at CloudFlare is that they won’t revoke unless the team has “determined the private key was compromised.”

Sounds like you should email the private key to the Cloudflare security team as plain text.

Another example of pay-to-play is their Keyless SSL for Enterprise only customers:

I've wanted to use their infrastructure for years, but I just can't bring myself to relinquish private key control.

I’ve been wanting to move off Cloudflare for a while for some self-hosted things (I bought the domain on CF and had to wait a few months for it to be allowed to transfer). What registrar do people recommend? (other than Porkbun, which refuses to let me sign up with a VPN)

Have I got this right?

Cloudflare serves an SSL certificate for each site that it MITMs, and they fail to revoke it when the site leaves Cloudflare. A site "leaving" Cloudflare means that the site's DNS no longer points to Cloudflare IP addresses.

What's the problem? The departing site stops serving the Cloudflare certificate. Cloudflare is no longer the destination for visitors to the site, so it won't be serving the certificate either. The only way it could abuse the retained certificate would be if it controlled the site's DNS, so if $SITE_OWNER changes DNS provider, the retained certificate isn't a problem.

What did I miss?

I hate how necessary CF is.

Meh. While Cloudflare certainly isn't perfect... neither are their services provided by North Pole Elves. Doing stuff for you is not free on their end.

And what is the betrayed-by-a-CF-held-cert scenario that you are worried about here? Given their size, and that you are not exactly a major bank, I'd say that CF has 1000X more skin in this game than you do, if the your-domain-name cert that they hold was put to malicious use.

Sounds 100% reasonable to me.

You want free L7 DDoS protection... well, that comes with some costs.