A Paywall Is Not Acceptable to Revoke SSL - a Response to Pro-CF Comments

Date Published: Jan 21, 2021

RSS Link

Most communities rightly accept that for a CA, such as CloudFlare, it is not acceptable for them to ignore requests to revoke a SSL certificate.

But on /r/privacytoolsIO A community, you would expect pro-corporate comments. You have many upvoted comments saying that I should have paid CloudFlare $10/month to have this control.

Strange to see such a pro-CloudFlare circle jerk on that SubReddit. Even worse, they are down-voting any rebuttals I try to make.

My domain, My SSL choice

Worldofmatthew.com is a domain owned by me, not CloudFlare. The SSL certificate is for that domain.

That means if I want to request that the relation with the CA to end by revoking the SSL certificate, that should be my choice. Not one by CloudFlare.

But but, it’s a FrEe SSL certificate, forget your rights……

The problem is that this argument also applies to other free CA’s as, Let’s Encrypt and ZeroSSL.

The difference is that both Let’s Encrypt and ZeroSSL allow you to revoke a SSL certificate at any time.

This problem is unique to CloudFlare. It is CloudFlare who thinks they are above me, the domain owner.

CloudFlare thinks it is acceptable to forcefully hold a SSL certificate against my domain. I left them in August 2020. They have not needed a SSL certificate for my domain since then.

This is CloudFlare claiming, pushing themselves over my rights.

By refusing to revoke after I ended the relationship between CloudFlare and this website. This is like if the bought a house but were forced to keep an extra lock for the old owners to get into.

theirs,If you want to continue this path of thought. Having that key would allow them to claim that house is still theirs as they still have the key to the lock you were forced to keep.

For CloudFlare, this means they can use that key to hijack connections without the invalid SSL cert warning showing.

And if you thought spending $10/month will save you, I have bad news for you.

In the last article, I talked about how spending $10/month would allow you access to the CloudFlare “Advanced Certificate Manager”. That would allow you to issue yourself a revokable SSL certificate from Lets Encrypt.

The thing is not only was this not available when I left CloudFlare in August 2020. It will not protect you unless you make sure you never used the universal SSL service at all.

If you ever selected to use that service, CloudFlare will have an Irrevocable SSL certificate for at least a year. You still won’t be able to revoke that SSL certificate, only the new one you created with Lets Encrypt.

My next stage in trying to get the SSL certificate revoked will involve reporting CloudFlare to the trust authorities. Something I hoped to not have to do such a move is assholic, but I don’t have many other options.

© 2014-2021 Matthew Morgan
Privacy Policy