David Osipov
david-osipov.vision
AI & B2B SaaS Product Leader. Building secure enterprise software. Cybersecurity researcher, OpenStreetMap mapper & Wikipedian.
I tried to raise this with their team, but the report was dismissed.

This isn't just technical debt; it's a business decision to prioritize onboarding friction over security standards.

Full technical breakdown: david-osipov.vision/en/blog/cybe...
The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026
A deep-dive into how Cloudflare's Universal SSL undermines RFC 8657, creating a security gap exposing millions of domains to MitM attacks.
david-osipov.vision
January 6, 2026 at 6:07 PM
This bypasses your security lock.

Because CAs accept any valid CAA record, Cloudflare's injected record allows an attacker who intercepts validation traffic (like the Hetzner/Linode interception in 2023) to issue a valid cert for your domain, ignoring your restrictions.
January 6, 2026 at 6:07 PM
The issue is a "Feature Collision."

If you set a strict CAA record to lock certificate issuance to your specific ACME account (preventing BGP hijacking attacks), Cloudflare silently injects a generic issue "letsencrypt.org" record to keep their Universal SSL working.
January 6, 2026 at 6:07 PM
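As an added example (not code from this thread, nor from Cloudflare or Let's Encrypt), here is a minimal CAA `issue` evaluator following RFC 8659 with the RFC 8657 `accounturi` parameter, plus a check that flags the collision the two posts above describe: an account-restricted record rendered ineffective by an unrestricted record for the same CA in the same RRset. The account URIs are constructed placeholders.

```python
"""CAA 'issue' evaluation (RFC 8659) with the RFC 8657 accounturi parameter,
plus a check for a restriction nullified by an unrestricted record."""
from __future__ import annotations
import re

_RR = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')  # CAA presentation format

def parse_caa(rr: str) -> tuple[str, str, dict[str, str]]:
    """Parse one CAA RR into (tag, issuer-domain-name, parameters); "" issuer = nobody."""
    m = _RR.match(rr.strip())
    if not m:
        raise ValueError(f"not a CAA RR: {rr!r}")
    _flags, tag, value = m.groups()
    issuer, *raw = (p.strip() for p in value.split(";"))
    params = dict(p.split("=", 1) for p in raw if "=" in p)
    return tag.lower(), issuer.lower(), params

def issuance_allowed(rrset: list[str], ca_domain: str, account_uri: str) -> bool:
    """May the CA at ca_domain issue for ACME account account_uri, given the
    relevant CAA RRset? (RFC 8659 s4.2; RFC 8657 s3 exact-match rule)"""
    issue_recs = [r for r in map(parse_caa, rrset) if r[0] == "issue"]
    if not issue_recs:
        return True  # no issue property present: CAA imposes no restriction
    for _tag, issuer, params in issue_recs:
        if issuer != ca_domain.lower():
            continue
        uri = params.get("accounturi")
        if uri is None or uri == account_uri:  # unrestricted, or exact match
            return True
    return False

def nullified_restrictions(rrset: list[str]) -> list[str]:
    """CA domains whose accounturi-restricted issue record is bypassed by an
    unrestricted issue record for the same CA in the same RRset."""
    recs = [r for r in map(parse_caa, rrset) if r[0] == "issue"]
    restricted = {issuer for _, issuer, p in recs if "accounturi" in p}
    unrestricted = {issuer for _, issuer, p in recs if "accounturi" not in p}
    return sorted(restricted & unrestricted)

# Constructed sample records; the account URIs are placeholders, not real accounts.
OWNER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000-owner"
OTHER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000-other"
STRICT = [f'0 issue "letsencrypt.org; accounturi={OWNER_ACCT}"']
INJECTED = STRICT + ['0 issue "letsencrypt.org"']  # generic record added alongside

if __name__ == "__main__":
    print(issuance_allowed(STRICT, "letsencrypt.org", OTHER_ACCT))    # False
    print(issuance_allowed(INJECTED, "letsencrypt.org", OTHER_ACCT))  # True
    print(nullified_restrictions(INJECTED))                           # ['letsencrypt.org']
```

Running `nullified_restrictions` over your own zone's CAA RRset (as served by the resolver the CA will use, not as entered in your DNS panel) is the quick check for whether an account restriction is actually in force.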