For me it’s Cloudflare circumventing its transparency reporting. That’s lying. If they’re willing to lie about something like this, I wonder what else they found a technical workaround for.
Note that the CAs that Cloudflare uses have not mis-issued any certificates in this case; the certificate was legitimately issued for Cloudflare to front the site in question with their CDN/WAF services. It just happens that the court order will make Cloudflare front them with an HTTP 451 instead, for visitors from the relevant countries.
There is no bypassing of certificate transparency, as there was no additional TLS certificate issued, it was already in use.
If Cloudflare was demanded to block a different site that did not use Cloudflare's WAF service, they would have to do something else at the recursive DNS resolver level. So far that hasn't happened, because Cloudflare is incredibly popular, especially so for less-than-legal sites.
> There is no bypassing of certificate transparency
Transparency as in their reporting, not the technical details of certificate issuance.
FTA: “Interestingly, Cloudflare maintains in its transparency report that it is not blocking content through its public DNS resolver. Instead, it points out that it uses ‘alternate mechanisms’.”
> That's accurate, the DNS responses for these domains previously did, and still do, point to Cloudflare's WAF/CDN. They haven't said anything like '...never blocked access to customer content...'.
It’s accurate in that bullshit isn’t technically a lie. If they’re willing to do this, they’re potentially willing to use their CDN to MITM DNS requests. Because after all, they’d be leaving the DNS request unmolested while doing the dirty work on their CDN.