A MITM attack which starts from DNS could be narrowly targeted; forged DNS responses could be sent to a single person or an organization.
Certificate Transparency monitors are futile here.
Also, if the reputation risk is the only thing which could prevent them from doing so... it is not the security we expect from cryptographic protocols. A subpoena/warrant could be a more "colossal" threat to their business.
I'd compare Cloudflare's current power to Kaspersky's ability to steal any file from computers their antivirus is installed on. If they can do it, then one day they will have a strong reason to do it, risking the trust and sales volume.
There are tons of goals more important than the trusted status.
Killing Osama, arresting Silk Road, performing or exposing election fraud, ...
Losing the status might happen sometime later, while traffic interception/modification is what they can do right now. And it could be ordered by someone who does not care about those statuses at all.