I read Bryton Herdes’ analysis of the Venezuela BGP anomaly with interest. The key takeaway was that “BGP route leaks happen all of the time” and are a fundamental part of the internet.
But Cloudflare can harden their infrastructure and secure their users by letting us use only the methods outlined in RFC 8657.
Risk:
When a BGP leak occurs (malicious or accidental), an attacker can intercept traffic to satisfy an ACME http-01 challenge. This allows them to issue a valid SSL certificate for a victim’s domain.
The IETF standard RFC 8657 was created specifically to stop this by using accounturi in CAA records to bind issuance to a specific account.
Issue:
But Cloudflare’s Universal SSL automatically injects permissive CAA records that override user-defined accounturi bindings.
By ignoring this, Cloudflare is effectively saying: “We know BGP leaks happen constantly, but we will force a configuration that allows those leaks to be used for valid certificate issuance by malicious attackers.”
This recreates the exact vulnerability exploited in the 2023 jabber.ru MitM attack. I’ve already tried to raise this issue here, but was ignored.
I have published a full technical analysis here:
Request:
Can the SSL team please confirm when Universal SSL will be updated to respect strict accounturi bindings without injecting permissive wildcards? Given the prevalence of BGP leaks you just highlighted, this defense is mandatory, not optional.
Best regards,
David
ISNI: 0000 0005 1802 960X
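As an added illustration (not part of this thread, and not Cloudflare's or any CA's code), the Python below models the CAA check a CA performs under RFC 8659/8657: a CA may issue if at least one `issue` record names it and all of that record's parameters match. It shows why a second, parameter-free `issue` record beside the owner's strict one lets a different ACME account pass the check via http-01. The record values and account URIs are constructed placeholders; issuewild and the critical flag are out of scope.

```python
import re
from dataclasses import dataclass

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(line: str) -> CAARecord:
    """Parse presentation-format CAA RDATA: '<flags> <tag> "<value>"'."""
    m = re.fullmatch(r'\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"malformed CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))

def split_issue_value(value: str):
    """'ca.example; accounturi=...; validationmethods=a,b' -> (issuer, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def record_authorizes(rec: CAARecord, issuer: str, account_uri: str, method: str) -> bool:
    """RFC 8657: accounturi is an exact string match; validationmethods is a list."""
    rec_issuer, params = split_issue_value(rec.value)
    if rec_issuer != issuer.lower():
        return False
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    if "validationmethods" in params:
        allowed = {x.strip().lower() for x in params["validationmethods"].split(",")}
        if method.lower() not in allowed:
            return False
    return True

def issuance_permitted(caa_lines, issuer: str, account_uri: str, method: str) -> bool:
    """RFC 8659: if any 'issue' record exists, issuance needs one that authorizes it."""
    issue_recs = [r for r in map(parse_caa, caa_lines) if r.tag == "issue"]
    if not issue_recs:
        return True  # no 'issue' records means no CAA restriction on issuance
    return any(record_authorizes(r, issuer, account_uri, method) for r in issue_recs)

# Constructed sample data (placeholder account URIs, not real accounts).
OWNER = "https://acme.example/acme/acct/111111"
OTHER = "https://acme.example/acme/acct/999999"
STRICT = ['0 issue "ca.example; accounturi=' + OWNER + '; validationmethods=dns-01"']
STRICT_PLUS_PERMISSIVE = STRICT + ['0 issue "ca.example"']  # extra record without parameters
```

With only the strict record, the other account fails the check even over http-01; once the parameter-free record is present, the same request is authorized.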
grey 2
For anyone finding this thread later: I have confirmed via testing that this behavior persists as of Jan 2026.
The Workaround:
The only way to currently enforce RFC 8657 on Cloudflare is to Disable Universal SSL entirely and upload a Custom Certificate (Business Plan required).
If you are on a Free/Pro plan, you are currently vulnerable to the BGP vector described in the Venezuela analysis if you rely on Universal SSL.
grey 3
Please be advised, the !CVE identifier has been assigned for this weakness: NotCVE-2026-0001
system Closed 4
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.