[nora-puchreiner]

Since 1.1.1.1 introduction, Cloudflare is able to perform HTTPS man-in-the middle attacks even for the websites which do not use Cloudflare CDN: they could forge DNS answer and proxy HTTPS traffic of any website via their CDN, instantaneously issuing a valid HTTPS certificate, as they have root certs and could issue certs for any domain.

Since ODoH they could perform such attacks without being spotted by ISPs. Nice.

[olliej]

Of course intentionally issuing a fraudulent cert would get them kicked out of every root program, and given a good part of their revenue is from being an automated https CDN that would probably have a significant negative impact.

[nora-puchreiner]

It is too weak a guarantee. We already have seen as risk of revenue losing did not stop Kaspersky.

[crtasm]

New certs have to be sent to Certificate Transparency logs, any company mis-issuing them would be taking a colossal risk.

[nora-puchreiner]

A MITM-attack which starts from DNS could be narrow targeted, forged DNS responses could be sent to a single person or an organization. Certificate Transparency monitors are futile here.

Also, if the reputation risks is the only thing which could prevent them from doing so... it is not the security we expect from the cryptographic protocols. A subpoena/warrant could be a more "colossal" threat to their business.

[crtasm]

If the user is running Chrome the cert will not be trusted if it's not been sent to public CT logs.

I'll give you that - based on a brief search - this does not appear to apply to other browsers yet.

They risk losing their status as a trusted CA.

[nora-puchreiner]

I'd compare the current Cloudflare's power to Kaspersky's ability to steal any file from computers their antivirus is installed on. If they can do it then one day they will have a strong reason to do it, risking the trust and sales volume.

[nora-puchreiner]

> They risk losing their status as a trusted CA.

There are tons of goals more important than the trusted status. Killing Osama, arresting Silk Road, performing or exposure of election fraud, ...

Losing of the status might happen sometimes later while the traffic interception/modification is what they can do right now. And it could be ordered by someone who do not care on those statuses at all.