
Abstract

This article analyzes a critical security vulnerability in Cloudflare's Universal SSL, where the automatic injection of permissive CAA records actively nullifies the IETF standard RFC 8657. By overriding user-defined account-binding parameters, this configuration re-opens the exact security gap exploited in the 2023 jabber.ru MitM attack, leaving millions of domains vulnerable to BGP hijacking and unauthorized TLS certificate issuance. The analysis demonstrates that this is not a technical oversight but a design choice that neutralizes the `accounturi` and `validationmethods` security controls, and argues that Cloudflare must implement strict ACME account binding to mitigate this risk.

TL;DR

The Mechanism: Cloudflare's Universal SSL injects permissive CAA records that override user DNS constraints, causing certificate authorities to ignore strict account-binding checks.

The Risk: This enables BGP hijacking and network interception to obtain unauthorized TLS certificates by bypassing `accounturi` and `validationmethods`.

The Precedent: The configuration replicates the gap exploited in the 2023 jabber.ru MitM, where intercepted traffic satisfied http-01 validation challenges.

The Mitigation: Cloudflare must stop overriding user DNS records or fully implement RFC 8657 to restrict certificate issuance to the domain owner's authorized ACME account.

By David Osipov (ISNI: 0000 0005 1802 960X, ORCID: 0009-0005-2713-9242, VIAF: 139173726847611590332, Wikidata: Q130604188)
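The CAA evaluation rule that makes one extra permissive record decisive, as an added Python example (not code from the article, from Cloudflare, or from any CA): a CA following RFC 8659 treats the RRset as authorizing when at least one applicable `issue`/`issuewild` property permits the request, so an unconstrained `issue` record for the same CA sitting next to a record bound with `accounturi` and `validationmethods` re-enables issuance to any account using any method. The record contents, account URIs and the omission of the parent-zone walk and CNAME handling are constructed assumptions.

```python
"""RFC 8659/8657 CAA evaluation for an ACME issuance request.

Added example, not code from the article: models how a CA decides whether a
CAA RRset permits issuance, and shows why a single permissive 'issue' record
for the same CA defeats accounturi/validationmethods binding on the strict
record beside it. Record contents, account URIs and the absence of the
RFC 8659 parent-domain walk are simplified, constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int   # RFC 8659 flags byte (128 = issuer critical)
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'letsencrypt.org; accounturi=...; validationmethods=dns-01'


@dataclass
class IssuanceRequest:
    ca_domain: str          # issuer domain name the CA publishes for CAA
    account_uri: str        # ACME account URI the order was placed under
    validation_method: str  # "http-01", "dns-01", "tls-alpn-01", ...
    wildcard: bool = False


def parse_issue_value(value: str):
    """Split an issue/issuewild value into (issuer domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_permits(record: CAARecord, req: IssuanceRequest) -> bool:
    """One record authorizes the request only if every constraint on it holds."""
    issuer, params = parse_issue_value(record.value)
    if issuer != req.ca_domain.lower():
        return False               # a bare ";" value means "no CA may issue"
    if "accounturi" in params and params["accounturi"] != req.account_uri:
        return False               # RFC 8657: exact match on the ACME account URI
    if "validationmethods" in params:
        allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
        if req.validation_method.lower() not in allowed:
            return False           # RFC 8657: method must be one of those listed
    return True


def caa_authorizes(records, req: IssuanceRequest) -> bool:
    """RFC 8659 section 4: issuance is unrestricted when no applicable property
    exists, and permitted when at least ONE applicable property permits it.
    That 'any' rule is the whole problem: a permissive record beside a strict
    one wins."""
    wild = [r for r in records if r.tag.lower() == "issuewild"]
    plain = [r for r in records if r.tag.lower() == "issue"]
    applicable = (wild or plain) if req.wildcard else plain
    if not applicable:
        return True
    return any(record_permits(r, req) for r in applicable)


def unbound_issue_records(records):
    """Audit helper: issue/issuewild records carrying no accounturi binding,
    i.e. the records to look for when checking what a zone actually serves."""
    return [r for r in records
            if r.tag.lower() in ("issue", "issuewild")
            and "accounturi" not in parse_issue_value(r.value)[1]]


# Constructed demo data (account IDs are invented placeholders).
OWNER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
OTHER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/99999"

STRICT = [CAARecord(0, "issue",
          f"letsencrypt.org; accounturi={OWNER_ACCT}; validationmethods=dns-01")]
# The same zone after a platform appends a bare 'issue' record for the same CA.
WITH_PERMISSIVE = STRICT + [CAARecord(0, "issue", "letsencrypt.org")]

OWNER = IssuanceRequest("letsencrypt.org", OWNER_ACCT, "dns-01")
# An on-path interceptor who can answer http-01 but holds a different account.
INTERCEPTOR = IssuanceRequest("letsencrypt.org", OTHER_ACCT, "http-01")


def demo():
    return {
        "strict/owner": caa_authorizes(STRICT, OWNER),
        "strict/interceptor": caa_authorizes(STRICT, INTERCEPTOR),
        "permissive/interceptor": caa_authorizes(WITH_PERMISSIVE, INTERCEPTOR),
        "unbound records": len(unbound_issue_records(WITH_PERMISSIVE)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical check this suggests: compare the CAA RRset your authoritative DNS actually serves (not the one you typed into a control panel) against `unbound_issue_records`; any `issue` record for a CA you use that lacks `accounturi` is a record an interceptor can satisfy with a fresh ACME account.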
Contents

- Audio Overview
- Video Overview
- TL;DR
  - The Mechanism
  - The Risk
  - The Precedent
  - The Mitigation
- Introduction: A Critical Security Gap in Cloudflare's Universal SSL
- RFC 8659 vs RFC 8657: The CAA Standards Explained
  - 1. The Basic Standard: RFC 8659 (CAA)
  - 2. The Real Standard: RFC 8657 (The ACME Extensions)
- Technical Deep Dive: http-01 vs. dns-01
- The Cloudflare Problem: A "Feature Collision"
- This Isn't Just Cloudflare: A Pattern of "Platform vs. Provider"
- The Industry's Answer: Multi-Perspective Issuance Corroboration (MPIC)
  - The Princeton connection
  - Implementation timeline
  - Why MPIC doesn't replace RFC 8657
- But... Is This Really a Problem? (Yes, It Is)
- My Attempt to Engage Cloudflare
- The Core Contradiction: A Business Decision, Not a Technical Lag
- What Should Be Done (The Fix is Not Complicated)
- What can be done now?
This investigation began after my own failed attempt to implement RFC 8657 CAA records on my Cloudflare-hosted domains. When I discovered that Cloudflare was silently *overwriting* my security-hardened CAA records, I realized millions of free-tier users were unknowingly vulnerable to the same MitM attack that compromised jabber.ru in 2023. After a month of silence from Cloudflare's community team, followed by a dismissive response citing 'standard adoption timelines,' I knew this issue needed broader exposure. My subsequent article on Habr.com became the week's top post, confirming the community's concern about this artificial security gap.
rfc-8657, cybersecurity, cloudflare, dns, security-analysis, BGP, bgp-hijacking, jabber.ru, mitm, CAA
