
I own a website that uses a Let's Encrypt certificate. It's not behind Cloudflare, it's hosted at OVH and I'm accepting direct traffic from it.

Now, I set up an apache2 webserver and used certbot to automatically generate a certificate. The problem here is that when I look at the certificate information on Firefox, I can see at the bottom of the page that it contains references to "Cloudflare Nimbus2023", despite my not using their services.

The picture attached below is what it shows... Image here (for some reason it won't let me attach pictures)

Can anyone explain to me what this is? What is Cloudflare accessing here??

Asked by lolc
  • In this position it will not be easy to verify, without the full picture, what you mean. Moreover, if it's a private site then the whole question would be off-topic, because home and end-user questions should be asked on superuser.com – djdomi Mar 19 '23 at 19:09
  • @djdomi well, if you're on Firefox, you can literally just check serverfault.com's certificate and scroll to the bottom once you have clicked on "View Certificate". And sure enough, you will see a reference to Cloudflare at the bottom. Odd. – lolc Mar 19 '23 at 19:16
  • My goal here would be to generate a certificate that doesn't contain references to Cloudflare. So I DO think this post belongs to ServerFault. – lolc Mar 19 '23 at 19:17
  • @lolc Why is the reference to CF important? – vidarlo Mar 19 '23 at 20:18
  • @vidarlo because Cloudflare is a MITM. https://web.archive.org/web/20220403064007/https://git.redxen.eu/dCF/deCloudflare/src/branch/master/README.md – lolc Mar 19 '23 at 20:37
  • Uhm, if you use CF as a proxy they are by *design* in the middle. But they are ***not*** malicious. Whoever uses their service *wants* them to be in the middle. However, using their CT Log ***does not*** enable them to MITM your traffic or decrypt it! – vidarlo Mar 19 '23 at 20:56

1 Answer

Nimbus2023 is a certificate transparency log, hosted by Cloudflare. Basically, the CAB requires that all issued certificates are listed in transparency logs - and CF operates one such log. SCT is a Signed Certificate Timestamp - basically, Cloudflare signs that they've seen your certificate at a particular point in time. This makes validation easier, and basically forms a promise from the log operator to include the certificate in the log within 24 hours.

The existence of SCTs keeps such log operators honest - they can't cheat, because they have publicly acknowledged being aware of the certificate, and promised to include it. It also reduces privacy concerns, as the browser won't have to look up the certificate in a CT log.

This is nothing to worry about. It's a property of how LE issues certificates. The key material never leaves your computer, so neither CF nor LE can decrypt your traffic.

If you don't want your certificates to appear in CT logs, the best bet is not to use certificates. The better approach is to trust the guys running the CA/Browser Forum, and Let's Encrypt. They have a solid grasp of how TLS works and how to keep it secure.

– vidarlo
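As an added example (not part of the question or the answer above), here is a small Python parser for the SCT list extension the answer describes, so you can see exactly what a Cloudflare, or any other, log entry embedded in a certificate contains: a 32-byte log ID, a timestamp and the log's signature, and no key material. The log IDs, timestamps and signature bytes in the sample are constructed and match no real log; the parser does not verify the signatures, since that needs the log's public key from the browser's published log list, which is what Firefox does before it shows the entry.

```python
import struct
from datetime import datetime, timezone

# TLS HashAlgorithm / SignatureAlgorithm registry values as used in RFC 6962 SCTs.
HASH_ALGORITHMS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGORITHMS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed log registry for this example. A real check maps the 32-byte log ID
# (SHA-256 of the log's public key) against the published Chrome/Apple log lists;
# the ID below is made up and matches nothing real.
KNOWN_LOGS = {
    bytes(range(32)): "example-ct-log-a (constructed)",
}


def _u16(buf: bytes, pos: int) -> int:
    """Read a big-endian 16-bit length field, refusing to run off the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 section 3.2 SignedCertificateTimestamp (version 1)."""
    if len(sct) < 43:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                                   # which log vouches for the cert
    timestamp_ms = struct.unpack(">Q", sct[33:41])[0]     # when the log saw it (ms since epoch)
    ext_len = _u16(sct, 41)
    extensions = sct[43:43 + ext_len]                     # v1 extensions, normally empty
    pos = 43 + ext_len
    if pos + 4 > len(sct):
        raise ValueError("truncated signature header")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    sig_len = _u16(sct, pos + 2)
    signature = sct[pos + 4:pos + 4 + sig_len]
    if pos + 4 + sig_len != len(sct):
        raise ValueError("SCT length mismatch")
    return {
        "log_id": log_id,
        "log_name": KNOWN_LOGS.get(log_id, "unknown log"),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "hash_algorithm": HASH_ALGORITHMS.get(hash_alg, f"unknown({hash_alg})"),
        "signature_algorithm": SIG_ALGORITHMS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
        "extensions": extensions,
    }


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: the raw value of the X.509
    extension 1.3.6.1.4.1.11129.2.4.2 (inside its outer OCTET STRING)."""
    total = _u16(data, 0)
    if 2 + total != len(data):
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        sct_len = _u16(data, pos)
        pos += 2
        if pos + sct_len > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos:pos + sct_len]))
        pos += sct_len
    return scts


# --- Constructed sample input (not taken from any real certificate) ----------

def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Encode an SCT v1 carrying the sha256/ecdsa algorithm identifiers (4, 3)."""
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts: list) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


def sample_extension() -> bytes:
    # Timestamps around 2023-03-19 20:00:00 UTC; the signature is filler, because a
    # real one can only be produced with the log operator's private key.
    fake_sig = bytes(range(0x30, 0x70))
    return build_sct_list([
        build_sct(bytes(range(32)), 1679256000000, fake_sig),
        build_sct(bytes(range(32, 64)), 1679256001000, fake_sig),
    ])


def summarize(ext: bytes) -> list:
    """Which logs vouch for this certificate, and when they saw it."""
    return [(s["log_name"], s["timestamp"]) for s in parse_sct_list(ext)]


if __name__ == "__main__":
    for name, when in summarize(sample_extension()):
        print(f"{name}: SCT issued {when}")
```

To run this against your own certificate, extract the extension value with your usual X.509 tooling and pass the raw bytes to `parse_sct_list`; nothing in what comes back is secret, which is the point the answer makes.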