by georgyo 3669 days ago
This is where the breakdown is. Cloudflare will get the certificate for *.github.io, however it is making the request for the custom domain. It is unable to validate the certificate.

It is impossible to enable "strict" SSL mode, because it cannot validate the certificate. And as such, a bad actor, if able to trick Cloudflare into resolving username.github.io to themselves, could use any SSL certificate they choose.

This is admittedly an edge case, but in such an event, the end user would see a trusted certificate and be proxied to a bad site.

1 comments

You're right - the request to the origin will be encrypted but not fully validated since the host header will be different. It's still an encrypted connection though which is what the OP was asking about.
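As an added illustration of the validation gap this thread describes (my example, not code from either commenter), the snippet below applies the RFC 6125 hostname-matching rule a TLS client uses to constructed inputs: a certificate issued for *.github.io validates when the proxy connects for username.github.io, but not for the custom domain it actually puts in the request, which is why a "strict" mode cannot be enabled.

```python
from typing import List

# Added example: how a TLS client decides whether a certificate "covers" the
# hostname it connected for, following the RFC 6125 rules Python's ssl module
# and most proxies apply. All hostnames and SAN lists here are constructed.

def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' wildcard covers exactly one label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()

def hostname_matches(san: str, hostname: str) -> bool:
    """True if a dNSName SAN entry covers hostname (RFC 6125 section 6.4.3).
    Only a leftmost, whole-label wildcard is honoured, and it never spans more
    than one label, so '*.github.io' does not cover 'a.b.github.io'."""
    san_labels = san.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san:
        # Reject '*.io'-style wildcards and any wildcard that is not the
        # whole leftmost label (e.g. 'user*.github.io').
        if len(san_labels) < 3 or san_labels[0] != "*":
            return False
        if any("*" in l for l in san_labels[1:]):
            return False
    return all(label_matches(p, l) for p, l in zip(san_labels, host_labels))

def strict_origin_check(requested_host: str, cert_sans: List[str]) -> bool:
    """The decision a 'strict' proxy mode must make: does the origin's
    certificate cover the host the proxy is fetching on behalf of? A proxy
    that instead validated against a configured origin name could stay strict."""
    return any(hostname_matches(san, requested_host) for san in cert_sans)

# Constructed SANs, modelled on a wildcard certificate for a shared host.
GITHUB_PAGES_SANS = ["*.github.io", "github.io"]

if __name__ == "__main__":
    # Fetching the shared host's own name validates...
    print(strict_origin_check("username.github.io", GITHUB_PAGES_SANS))      # True
    # ...but the custom domain the proxy actually requests cannot be validated
    # against that certificate, so a redirected origin would go unnoticed.
    print(strict_origin_check("www.example-custom.com", GITHUB_PAGES_SANS))  # False
    # A wildcard covers exactly one label.
    print(strict_origin_check("a.username.github.io", GITHUB_PAGES_SANS))    # False
```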