In theory, what if —

— The attached exhibits were the current reality, i.e. https://Cloudflare.com/ & https://www.cloudflare.com/ have expired certs - untrusted by Mozilla, Apple, Android, Java, & Microsoft - and despite attempts to bring it quietly to the attention of Cloudflare through the proper channels, you are told that for some unknown reason they’ve no understanding of my issue and to bring it instead to the attention of this community. It’s as if their eyes and ears are shut to what is Cloudflare’s issue. Why is this not being dealt with? And what would you do?

Cloudflare.com and www.cloudflare.com - !important

Request #1685058

admin Saturday at 18:19

Certificate #3: RSA 2048 bits (SHA1withRSA)

Server Key and Certificate #1
Subject: Cloudflare.com
Fingerprint SHA256: bad392e96d1e8c5772d3ab26b5ef1034b40f760bdc6bbc075265b17020602899
Pin SHA256: rRsdDkE45mUhoDOPYiawiI2IAiK8ZonAYpWRGCBXjfs=
Common names: Cloudflare.com
Alternative names: Cloudflare.com, www.cloudflare.com
Serial Number: 05c3d9ebe33efdcd6c9777a694aec7e5
Valid from: Fri, 04 Nov 2016 00:00:00 UTC
Valid until: Wed, 08 Aug 2018 12:00:00 UTC (expired 9 months and 3 days ago) EXPIRED
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: Compatibility Intermediate CA
  AIA: http://cacerts.digicert.com/CompatibilityIntermediateCA.crt
Signature algorithm: SHA1withRSA INSECURE
Extended Validation: No
Certificate Transparency: No
OCSP Must Staple: No
Revocation information: CRL, OCSP
  CRL: http://crl3.digicert.com/CompatibilityIntermediateCA.crl
  OCSP: http://ocsp.digicert.com
Revocation status: Unchecked (only trusted certificates can be checked)
DNS CAA: No
Trusted: No NOT TRUSTED (Mozilla, Apple, Android, Java, Windows)

Additional Certificates (if supplied)
Certificates provided: 2 (2472 bytes)
Chain issues: Incomplete
#2
Subject: Compatibility Intermediate CA
Fingerprint SHA256: a755805d87ba432a3e607303b08d36a4a1f8abf6b741f9b2b428306127af1592
Pin SHA256: FLx2NL2ElaELHP6cRfdkeHTStod2awmY0MeCNycnFo8=
Valid until: Fri, 10 Aug 2018 12:00:00 UTC (expired 9 months and 1 day ago) EXPIRED
Key: RSA 2048 bits (e 65537)
Issuer: GTE CyberTrust Global Root
Signature algorithm: SHA1withRSA INSECURE

Certification Paths
Mozilla, Apple, Android, Java, Windows: No trust paths available (issuer unknown, or intermediate certificate(s) missing)
Path #1: Not trusted (validity check failed)
1. Sent by server: Cloudflare.com
   Fingerprint SHA256: bad392e96d1e8c5772d3ab26b5ef1034b40f760bdc6bbc075265b17020602899
   Pin SHA256: rRsdDkE45mUhoDOPYiawiI2IAiK8ZonAYpWRGCBXjfs=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Valid until: Wed, 08 Aug 2018 12:00:00 UTC
   EXPIRED, INSECURE SIGNATURE
2. Sent by server: Compatibility Intermediate CA
   Fingerprint SHA256: a755805d87ba432a3e607303b08d36a4a1f8abf6b741f9b2b428306127af1592
   Pin SHA256: FLx2NL2ElaELHP6cRfdkeHTStod2awmY0MeCNycnFo8=
   RSA 2048 bits (e 65537) / SHA1withRSA
   Valid until: Fri, 10 Aug 2018 12:00:00 UTC
   EXPIRED, INSECURE SIGNATURE
3. In trust store: GTE CyberTrust Global Root (self-signed)
   Fingerprint SHA256: a53125188d2110aa964b02c7b7c6da3203170894e5fb71fffb6667d5e6810a36
   Pin SHA256: EGn6R6CqT4z3ERscrqNl7q7RC//zJmDe9uBhS/rnCHU=
   RSA 1024 bits (e 65537) / MD5withRSA
   Valid until: Mon, 13 Aug 2018 23:59:00 UTC
   EXPIRED, WEAK KEY, IN WINDOWS' TRUST STORE
   Weak or insecure signature, but no impact on root certificate

Sent from ProtonMail Mobile


You received this message because you are subscribed to the Google Groups “Help/Feedback” group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/Cloudflare.com/d/msgid/help/l0gpUIcw17FWUmZptpq_UBBAsPzUk5bK6MCEiIPEs4LaPrDk602YA5-t1lKCr8Gbc_X3igjdruzDAHVuo_u9AmXW4OFLY6i5QA-_XWwx2lo%3D%40intr0.com.

Kevin K. Saturday at 18:23

Hi admin,

Thank you for contacting Cloudflare Support. We’re sorry to read that you’re experiencing difficulties.

In order to better assist you with the problem you are experiencing, we will need some additional information from you.

Can you please share the following with us:

  • The specific error messages being returned and/or behaviours where you are seeing issues while on the website.
  • Specific step-by-step instructions on how to reproduce on our end - e.g. if this issue is only replicable behind a login, can you provide a temporary test account for us
  • A screenshot of the errors you are seeing.
  • Any relevant access logs from your web server.
  • A HAR file demonstrating the issue.

Please respond with that information as soon as you can so we can continue to work with you to resolve your issue.

Best,

admin Saturday at 18:27

On Sat, May 11, 2019 at 18:23, Cloudflare wrote:

Hi Kevin,

This is an issue with Cloudflare’s own server’s expired certificates still being used. This issue has nothing to do with my site; it has to do with https://Cloudflare.com and https://www.cloudflare.com, as the attached information clearly shows.

Saturday at 20:49

Hi,

We appreciate the feedback. I have forwarded this to the appropriate team about this expired SHA1 certificate.

Thank you again for notifying us.

admin Saturday at 20:51

Of course.

Saturday at 21:04

Hi,

This ticket will be marked as solved, but do let us know if you have any further questions or issues by replying to this e-mail or ticket.

Thank you for contacting Cloudflare Support.

admin Saturday at 21:42

The expired cert(s) have been disabled already? Good.

admin Saturday at 22:25

Hi there,

Thank you for contacting Cloudflare Support.

Unfortunately, the screenshot attached does not help us understand what issue you’re facing. Can you please give me more context here?

Please let us know if you have any questions.

Thanks!

admin Today at 02:20

The issue that Cloudflare is facing is of a security nature. It’s not I who is facing this, unless it somehow impacts the security of my account or my site security. Though the issue at hand, as I said, is the fact that Cloudflare has expired certs still in use on Cloudflare.com and www.cloudflare.com. I’d think that this would be something that Cloudflare would want to deal with ASAP. I don’t know how I can make myself any clearer - Cloudflare’s DOMAIN IS INSECURE DUE TO ITS EXPIRED TLS CERTIFICATES, AS CAN BE CLEARLY SEEN IN THE PICS I’VE GIVEN. If preferable, I’m fine with discussing this publicly within the community, though I highly doubt that would do anyone any good.

The current certificate of Cloudflare.com

Where did you get these screenshots from? It would not appear to be an issue of your local browser, right?

1 Like

Current scans from SSLLabs…

There exists more than a single cert; there’s a root, signing, leaf, and others… please see for yourself. I stumbled upon this due to my curiosity. I’m glad to see someone, you @sandro, are concerned.

I’m off to get some sleep; I’ll be back later to see where this stands. Goodnight.

Qualys currently returns the following

However, yes, certificate #3 appears to be untrusted at this point → SSL Server Test: cloudflare.com (Powered by Qualys SSL Labs)

@cloonan

Yes, as we’ve realized over the past several days, the forward-facing grades aren’t necessarily reflective of deeper issues. As you’ve discovered, those grades obfuscate the expired certs (three in total are in fact expired), and they may be downloaded for further inspection directly within SSL Labs’ UI.
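What a check deeper than the headline grade looks like, as an added example that is not part of this thread and not Cloudflare’s or SSL Labs’ own tooling: a Go program that audits every certificate a server sent, not only the leaf that decides the grade, for expiry, MD5/SHA-1 signatures and sub-2048-bit RSA keys, and then asks crypto/x509 whether a trust path to the given roots exists. The chain it audits is constructed in BuildTestChain (a root, an intermediate and a leaf for example.com, with the intermediate and the leaf lapsed 270 days ago) purely as test data, so nothing here is Cloudflare’s real certificate; to audit a live host you would fill chain from tls.ConnectionState().PeerCertificates and pass the root pool you trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one problem with one certificate in the chain a server sent.
type Finding struct {
	Index   int    // position in the served chain; 0 is the leaf
	Subject string // subject common name
	Problem string
}

// Signature algorithms a scanner should report as insecure.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true,
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// AuditChain inspects every certificate the server sent (leaf first), not only
// the leaf behind the headline grade, then tries to build a trusted path for
// hostname as of now. A lapsed intermediate gets its own finding.
func AuditChain(chain []*x509.Certificate, roots *x509.CertPool, hostname string, now time.Time) []Finding {
	if len(chain) == 0 {
		return []Finding{{-1, "", "server sent no certificates"}}
	}
	var out []Finding
	for i, c := range chain {
		cn := c.Subject.CommonName
		if now.After(c.NotAfter) {
			out = append(out, Finding{i, cn, fmt.Sprintf("expired %d days ago (%s)", int(now.Sub(c.NotAfter).Hours()/24), c.NotAfter.UTC().Format("2006-01-02"))})
		}
		if weakSigAlgs[c.SignatureAlgorithm] {
			out = append(out, Finding{i, cn, "insecure signature algorithm " + c.SignatureAlgorithm.String()})
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			out = append(out, Finding{i, cn, fmt.Sprintf("weak RSA key (%d bits)", k.N.BitLen())})
		}
	}
	inter := x509.NewCertPool() // everything after the leaf is offered as an intermediate
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inter, CurrentTime: now}
	if _, err := chain[0].Verify(opts); err != nil {
		out = append(out, Finding{0, chain[0].Subject.CommonName, "no trust path: " + err.Error()})
	}
	return out
}

// HasProblem reports whether a finding for chain position idx mentions substr.
func HasProblem(fs []Finding, idx int, substr string) bool {
	for _, f := range fs {
		if f.Index == idx && strings.Contains(f.Problem, substr) {
			return true
		}
	}
	return false
}

// BuildTestChain issues a constructed root -> intermediate -> leaf chain for example.com
// (test data, not Cloudflare's certificates); leaf and intermediate expire at notAfter.
// It panics on a key-generation or encoding failure, which is acceptable for a fixture.
func BuildTestChain(notAfter time.Time) ([]*x509.Certificate, *x509.CertPool) {
	issue := func(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		if signer == nil { // self-signed root
			parent, signer = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		return cert, key
	}
	notBefore, ca := notAfter.Add(-365*24*time.Hour), x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, NotBefore: notBefore, NotAfter: notAfter.Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: ca}, nil, nil)
	inter, interKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Intermediate CA"}, NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: ca}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com", "www.example.com"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return []*x509.Certificate{leaf, inter}, roots // served order: leaf, then intermediate
}

func main() {
	now := time.Now()
	chain, roots := BuildTestChain(now.Add(-270 * 24 * time.Hour)) // lapsed about nine months ago
	for _, f := range AuditChain(chain, roots, "example.com", now) {
		fmt.Printf("#%d %-22s %s\n", f.Index, f.Subject, f.Problem)
	}
}
```

Run as is, the program lists the lapsed leaf and the lapsed intermediate separately and then reports that no trust path exists; the same audit on a chain whose validity ends 90 days out returns nothing. Note that the audit and the trust-path check are deliberately independent: a lapsed or SHA-1 intermediate is reported even if the client could build a different, still-valid path through a cached intermediate, which is exactly the situation a headline grade hides.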

Yes, the SHA-1 certificate is bad. So what? It’s been 4 years since it was recommended to turn off SHA-1 support(1), so the need to renew the (EV) SHA-1 certificate for the main Cloudflare domain hasn’t been a priority.

1:

Also, this may be part of the reason they don’t have an updated SHA-1:

Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017.

1 Like

Thanks for the report, this has been resolved.

https://www.ssllabs.com/ssltest/analyze.html?d=Cloudflare.com&s=198.41.214.162

1 Like

@judge - Dismissing this as a non-issue is irresponsible. The reasons you give for your dismissal are absurd and defensive. Please know that I say this in the kindest way possible without sacrificing any honesty. I’ve finally, as @cs-cf has kindly stated, been informed by someone within Cloudflare’s security department earlier today that the expired certificates - as it was not a matter of a single cert, not that having one expired cert would make it something to be ignored by Cloudflare - were immediately remedied upon said person having heard of the issue through my reaching out via support, as well as, I presume, my going public with the issue. @Sandro - thank you for the concern you showed immediately upon seeing the information I posted.

A question: So, considering SHA-1 is, essentially, considered too weak an algorithm to use for certs issued by CAs, and considering that Cloudflare did ultimately remove the cert that was in question within this thread as well as in the discussion I had with various persons within Cloudflare’s support team, is it not unreasonable to expect that the same level of security consideration be given by Cloudflare when distributing certs to us, the customers who purchase certs for our domains, and, in my view, the same level of respect to us customers when we’re issued certs by Cloudflare? I.e., should not Cloudflare follow the same standards as other CAs and not issue SHA-1 hashed certs to its customers - as is current practice when Cloudflare allows certs to be issued with a root cert that uses Signature Algorithm SHA-1 with RSA Encryption, as opposed to complying with the same standards applied to itself in its own root cert that’s been issued by Comodo aka Sectigo aka DigiCert?
