16 comments

[ 2.8 ms ] story [ 47.6 ms ] thread
>MITM-as-a-Service switches CA.
I'm honestly surprised they didn't roll out their own CA.
They said “today, we’re not a Certificate Authority” — seems to strongly suggest they might be working to become one.
Well they just missed like a best casus belli ever.
Seems an unlikely solution to the present problem to me, unless they can get a cross signed CA as well, they’d need a lot of years to distribute that.
If you’re worried about MITM, then TLS with unpinned certificates / third party roots of trust is a poor choice.
It's hard to criticize them for this in this context and I think that's the point. Otherwise, "We are dumping Lets Encrypt and switching to some CA" doesn't sound quite as nice.
Someone should tell cloudlare that certificates expire for a reason.
What reason is that in this context?
Old Androids and other systems where you don't get to update your root CAs mean that you can never add new CAs because too few devices trust them, or enfore new TLS versions because you have to assume that too many people use very old devices, maybe, I don't know, I'm not an expert, if someone can explain what really is at stake here.
I'm surprised they basically choose to ignore explicitly made CAA records, if they don’t match any of their CAs. Why bother with setting up CAA records at all if they will be silently ignored?
Indeed. That seems wrong unless the clients have explicitly agreed to let CF manage CAA records
Most big changes like this get rolled out gradually, but an expiration date causes things to break everywhere at once. They can minimize that impact with this change. Other websites will break first.

But I wonder if they will start using Let's Encrypt again later, in a more gradual way? For example, on any new websites that launch after the expiration date?

Read this as LE = Law Enforcement

What a poor title change.