TIL Cloudflare sovrascrive il record CAA aprendo ad attacchi MiTM in caso di BGP hijacking, e anche se a conoscenza del problema l'ha sempre ignorato:
When a BGP leak occurs (malicious or accidental), an attacker can intercept traffic to satisfy an ACME http-01 challenge. This allows them to issue a valid SSL certificate for a victim’s domain.
The IETF standard RFC 8657 was created specifically to stop this by using accounturi in CAA records to bind issuance to a specific account.
Issue: But Cloudflare’s Universal SSL automatically injects permissive CAA records that override user-defined accounturi bindings.
Ignoring, Cloudflare is saying like: “We know BGP leaks happen constantly, but we will force a configuration that allows those leaks to be used for valid certificate issuance by malicious attackers.”
Qua la spiegazione completa.