Cloudflare does authenticate Eve. It provided her a pair of nameservers to configure at the registrar. She will not be able to do that because I own the example.com domain. As such she will never be able to get an SSL cert issued or orange cloud a record she creates. The zone will never move beyond pending nameserver updates and will ultimately be deleted and purged from Cloudflare.
Ok, so my Italian loafer example didn’t resonate. How about this… lets say you have a website running on a virtual server 192.0.2.1 and you point your website www.coolsite.com to that IP using an A record. You then stop paying your bill for the virtual server, the service deletes your virtual machine. I use the same service and they reuse the IP 192.0.2.1 and I stand up a website on that host which accepts any host header. Have I hijacked your website or have you misconfigured your system? Where is the hosting company’s culpability?
No it’s not bypassed. In your example OG introduced a security issue that is being exploited by pointing his domain to a service he is not using.
Here try this… go to freenom and register a domain. Set it’s nameserver pair to ian.ns.cloudflare.com and amy.ns.cloudflare.com at freenom. Then add the zone to your Cloudflare account. The nameserver pair doesn’t match, the zone will never activate. The misconfiguration at your registrar is not Cloudflare’s issue, that is 100% under your control.