The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026
Abstract
This article analyzes a critical security vulnerability in Cloudflare's Universal SSL, where the automatic injection of permissive CAA records actively nullifies the IETF standard RFC 8657. By overriding user-defined account binding parameters, this configuration re-opens the exact security gap exploited in the 2023 jabber.ru MitM attack, leaving millions of domains vulnerable to BGP hijacking and unauthorized TLS certificate issuance. The analysis demonstrates that this is not a technical oversight but a design choice that neutralizes the `accounturi` and `validationmethods` security controls, and argues that Cloudflare must implement strict ACME account binding to mitigate this risk.
TL;DR
The Mechanism
Cloudflare’s Universal SSL injects permissive CAA records that override user DNS constraints, causing certificate authorities to ignore strict account-binding checks.
The Risk
This enables BGP hijacking and network interception to obtain unauthorized TLS certificates by bypassing `accounturi` and `validationmethods`.
The Precedent
The configuration replicates the gap exploited in the 2023 jabber.ru MitM, where intercepted traffic satisfied http-01 validation challenges.
The Mitigation
Cloudflare must stop overriding user DNS records or fully implement RFC 8657 to restrict certificate issuance to the domain owner’s authorized ACME account.
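As an added example (not code from the article, from Cloudflare or from any CA), the following Python evaluates an ACME issuance request against a CAA RRset the way an RFC 8657-aware CA would, and contrasts the owner's hardened record with a permissive one that carries no account binding. The account URIs and both record sets are constructed placeholders, and unrecognised CAA parameters are ignored, which is a simplification.

```python
import re
from collections import namedtuple

CAARecord = namedtuple("CAARecord", "flags tag value")

def parse_caa(line: str) -> CAARecord:
    """Parse the presentation form: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))

def split_issue_value(value: str):
    """'ca; k=v; k=v' -> (ca, {k: v}). An empty CA name means 'no CA at all'."""
    ca, *params = [p.strip() for p in value.split(";")]
    pairs = (p.partition("=") for p in params if p)
    return ca.lower(), {k.strip(): v.strip() for k, _, v in pairs}

def issuance_allowed(records, ca_domain, account_uri, method, wildcard=False):
    """RFC 8659 issue/issuewild selection plus the RFC 8657 accounturi and
    validationmethods bindings. True means the CA may issue for this request."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:      # no issuewild: issue records govern wildcards
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:                   # no relevant property: any CA may issue
        return True
    for rec in relevant:
        ca, params = split_issue_value(rec.value)
        if ca != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue                   # bound to a different ACME account
        if "validationmethods" in params and method not in [
                m.strip() for m in params["validationmethods"].split(",")]:
            continue                   # challenge type is not on the allow-list
        return True
    return False

# Constructed sample data; the account URIs are placeholders in Let's Encrypt's URI shape.
OWNER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/OWNER-ACCT-ID"
OTHER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/OTHER-ACCT-ID"
# What the domain owner publishes: one CA, one ACME account, dns-01 only.
HARDENED = [parse_caa(f'0 issue "letsencrypt.org; accounturi={OWNER_ACCOUNT}; validationmethods=dns-01"')]
PERMISSIVE = [parse_caa('0 issue "letsencrypt.org"')]  # no RFC 8657 parameters at all

if __name__ == "__main__":
    for name, rrset in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        ok = issuance_allowed(rrset, "letsencrypt.org", OTHER_ACCOUNT, "http-01")
        print(f"{name}: http-01 from a foreign account -> {'issued' if ok else 'refused'}")
```

Pointing `parse_caa` at the CAA RRset your resolver actually returns for a zone is the quickest way to see whether the published policy still carries the `accounturi` and `validationmethods` parameters you configured.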
UPDATE (January 2026): The Venezuela Confirmation
In January 2026, a massive BGP leak involving Venezuela’s state-owned ISP (CANTV, AS8048) made global headlines. In their analysis of the incident, Cloudflare explicitly stated that “BGP route leaks happen all of the time, and they have always been part of the Internet.” [1a]
This admission highlights exactly why the security gap described in this article is so critical. If BGP leaks are “common” (whether accidental or malicious), then the network layer cannot be trusted for domain validation.
Yet, as detailed below, Cloudflare’s Universal SSL default configuration actively disables the specific IETF standard (RFC 8657) designed to prevent these common BGP leaks from being weaponized to issue fraudulent certificates.
I have opened a new discussion on this specific contradiction with the Cloudflare team.
By David Osipov
Table of contents
1. Audio Overview
2. Video Overview
3. TL;DR
4. The Mechanism
5. The Risk
6. The Precedent
7. The Mitigation
8. Introduction: A Critical Security Gap in Cloudflare’s Universal SSL
9. RFC 8659 vs RFC 8657: The CAA Standards Explained
10. 1. The Basic Standard: RFC 8659 (CAA)
11. 2. The Real Standard: RFC 8657 (The ACME Extensions)
12. Technical Deep Dive: http-01 vs. dns-01
13. The Cloudflare Problem: A “Feature Collision”
14. This Isn’t Just Cloudflare: A Pattern of “Platform vs. Provider”
15. The Industry’s Answer: Multi-Perspective Issuance Corroboration (MPIC)
16. The Princeton connection
17. Implementation timeline
18. Why MPIC doesn’t replace RFC 8657
19. But… Is This Really a Problem? (Yes, It Is)
20. My Attempt to Engage Cloudflare
21. The Core Contradiction: A Business Decision, Not a Technical Lag
22. What Should Be Done (The Fix is Not Complicated)
23. What can be done now?
Other (En)
This investigation began after my own failed attempt to implement RFC 8657 CAA records on my Cloudflare-hosted domains. When I discovered that Cloudflare was silently *overwriting* my security-hardened CAA records, I realized millions of free-tier users were unknowingly vulnerable to the same MitM attack that compromised jabber.ru in 2023. After a month of silence from Cloudflare's community team, followed by a dismissive response citing 'standard adoption timelines,' I knew this issue needed broader exposure. My subsequent article on Habr.com became the week's top post, confirming the community's concern about this artificial security gap.
Additional details
Additional titles
- Translated title (Russian): Атака на jabber.ru (2023) вскрывает критическую уязвимость Cloudflare в 2026 году
Dates
- Created: 2025-12-31
- Updated: 2026-01-05, v. 1.1. Added video overview section with embedded YouTube presentation analyzing the security vulnerability.
- Updated: 2026-01-06, v. 1.2. Added audio overview section with accessible HTML5 audio player, properly configured R2 CORS policy, and enhanced WCAG 2.2 AA/WAI-ARIA compliance.
- Updated: 2026-01-06, v. 1.3. Added inline JSON-LD RSL metadata and human-readable CC BY 4.0 license information to the Audio and Video overviews; minor accessibility improvements.
- Updated: 2026-01-09, v. 1.4. Added DOI (10.5281/zenodo.18201412) for citation management and academic discovery systems.
- Updated: 2026-01-15, v. 1.5. Added analysis of the January 2026 Venezuela BGP leak as confirmation of the threat vector. Linked to new Cloudflare Community discussion on RFC 8657 support requirements.
References
- Cloudflare Community (2025) Critical security gap: Cloudflare must fully support RFC 8657 CAA. Cloudflare Community. Retrieved from https://community.cloudflare.com/t/critical-security-gap-cloudflare-must-fully-support-rfc-8657-caa/799999. Archived 2025-11-29 at https://archive.ph/v45rx.
- ValdikSS (2023) Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service. Retrieved from https://notes.valdikss.org.ru/jabber.ru-mitm/. Archived 2025-10-01 at https://web.archive.org/web/20251001180559/http://notes.valdikss.org.ru/jabber.ru-mitm/.
- Hallam-Baker, P., Stradling, R., Hoffman-Andrews, J. (2019) DNS certification authority authorization (CAA) resource record. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8659.
- Hallam-Baker, P., Stradling, R. (2013) DNS certification authority authorization (CAA) resource record. RFC Editor. Retrieved from https://doi.org/10.17487/RFC6844.
- Landau, H. (2019) Certification authority authorization (CAA) record extensions for account URI and automatic certificate management environment (ACME) method binding. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8657.
- Landau, H. (2023) XMPP CA/jabber.ru incident. Retrieved from https://www.devever.net/~hl/xmpp-incident. Archived 2025-09-03 at https://web.archive.org/web/20250903150526/https://www.devever.net/~hl/xmpp-incident.
- Cloudflare (n.d.) Add CAA records - Cloudflare SSL/TLS docs. Cloudflare. Retrieved from https://developers.cloudflare.com/ssl/edge-certificates/caa-records/. Archived 2025-11-29 at https://web.archive.org/web/20251129082411/https://developers.cloudflare.com/ssl/edge-certificates/caa-records/.
- Cloudflare Community (2025) Cloudflare nameservers ignore CAA record validationmethods and accounturi. Cloudflare Community. Retrieved from https://community.cloudflare.com/t/cloudflare-nameservers-ignore-caa-record-validationmethods-and-accounturi/758109. Archived 2025-11-30 at https://archive.ph/Yiizx.
- Vercel (n.d.) Working with DNS. Vercel. Retrieved from https://vercel.com/docs/domains/working-with-dns. Archived 2025-06-12 at https://web.archive.org/web/20250612154059/https://vercel.com/docs/domains/working-with-dns.
- AWS (n.d.) Set up to use AWS Certificate Manager. AWS. Retrieved from https://docs.aws.amazon.com/acm/latest/userguide/setup.html#setup-caa. Archived 2025-07-29 at https://web.archive.org/web/20250729205005/https://docs.aws.amazon.com/acm/latest/userguide/setup.html#setup-caa.
- Google Cloud (n.d.) Troubleshoot certificate issuance - Google Cloud. Google Cloud. Retrieved from https://docs.cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
- DNSimple Support (2025) CAA record format and policy tags. DNSimple Support. Retrieved from https://support.dnsimple.com/articles/caa-record-format/.
- AWS (2017) Amazon Route 53 now supports CAA records. AWS. Retrieved from https://aws.amazon.com/about-aws/whats-new/2017/08/amazon-route-53-now-supports-caa-records/.
- Birge-Lee, H., Sun, Y., Edmundson, A., Rexford, J., Mittal, P. (2018) Bamboozling certificate authorities with BGP. In 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD. Retrieved from https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee. Archived 2025-10-01 at https://web.archive.org/web/20251012064048/https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee.
- CA/Browser Forum (2024) Ballot SC067v3: Require domain validation and CAA checks to be performed from multiple network perspectives. CA/Browser Forum. Retrieved from https://cabforum.org/2024/08/05/ballot-sc067v3-require-domain-validation-and-caa-checks-to-be-performed-from-multiple-network-perspectives-corroboration. Archived 2025-10-12 at https://web.archive.org/web/20251012064049/https://cabforum.org/2024/08/05/ballot-sc067v3-require-domain-validation-and-caa-checks-to-be-performed-from-multiple-network-perspectives-corroboration.
- Wikipedia (n.d.) DigiNotar - Wikipedia. Wikipedia. Retrieved from https://en.wikipedia.org/wiki/DigiNotar.
- SSLMate (n.d.) Timeline of certificate authority failures. SSLMate. Retrieved from https://sslmate.com/resources/certificate_authority_failures. Archived 2025-09-17 at https://web.archive.org/web/20250917234438/https://sslmate.com/resources/certificate_authority_failures.
- Wilson, K. (2016) Distrusting new WoSign and StartCom certificates. Retrieved from https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/. Archived 2025-09-21 at https://web.archive.org/web/20250921194325/https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/.
- Gualtieri, M. (2017) Chaining remote web vulnerabilities to abuse Let's Encrypt. Retrieved from https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt. Archived 2025-09-07 at https://web.archive.org/web/20250907232526/https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt.
- Осипов, Д. (2025) Дыра в щите Cloudflare: как атака на Jabber.ru вскрыла проблему, о которой молчат с 2023 [A hole in Cloudflare's shield: how the Jabber.ru attack exposed a problem nobody has talked about since 2023]. Retrieved from https://habr.com/ru/articles/918570/. Archived 2025-08-12 at https://web.archive.org/web/20250812005512/https://habr.com/ru/articles/918570/.
- Rescorla, E. (2018) The transport layer security (TLS) protocol version 1.3. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8446.
- Iyengar, J., Thomson, M. (2021) QUIC: A UDP-based multiplexed and secure transport. RFC Editor. Retrieved from https://doi.org/10.17487/RFC9000.
- Sullivan, N. (2016) Introducing TLS 1.3. Retrieved from https://blog.cloudflare.com/introducing-tls-1-3/. Archived 2025-08-23 at https://web.archive.org/web/20250823134855/https://blog.cloudflare.com/introducing-tls-1-3/.
- Jones, N. (2018) Get a head start with QUIC. Retrieved from https://blog.cloudflare.com/head-start-with-quic/. Archived 2025-06-20 at https://web.archive.org/web/20250620064636/https://blog.cloudflare.com/head-start-with-quic/.
- Rescorla, E., Oku, K., Sullivan, N., Wood, C. A. (2025) TLS encrypted client hello. Internet Engineering Task Force. Retrieved from https://datatracker.ietf.org/doc/draft-ietf-tls-esni/25/. Work in Progress.
- Patton, C. (2020) Good-bye ESNI, hello ECH!. Retrieved from https://blog.cloudflare.com/encrypted-client-hello/. Archived 2025-09-05 at https://web.archive.org/web/20250905140052/https://blog.cloudflare.com/encrypted-client-hello/.
- Gaudiaut, T. (2025) Cloudflare, a hidden pillar of the internet. Statista. Retrieved from https://www.statista.com/chart/35487/market-share-of-reverse-proxy-services-cloudflare/. Archived 2025-11-30 at https://web.archive.org/web/20251130143159/https://www.statista.com/chart/35487/market-share-of-reverse-proxy-services-cloudflare/?__sso_cookie_checker=failed.
- W3Techs.com (2025) Usage of reverse proxy services for websites, November 2025. W3Techs. Retrieved from https://w3techs.com/technologies/overview/proxy/. Archived 2025-11-30 at https://archive.ph/6fkAS.
- Cloudflare Community (2026) Universal SSL exposes domains to BGP leaks (re: Venezuela analysis). Cloudflare Community. Retrieved from https://community.cloudflare.com/t/universal-ssl-exposes-domains-to-bgp-leaks-re-venezuela-analysis/879930. Archived 2026-01-15 at https://archive.ph/uZsIM.
- Herdes, B. (2026) A closer look at a BGP anomaly in Venezuela. Retrieved from https://blog.cloudflare.com/bgp-route-leak-venezuela/. Archived 2026-01-13 at https://web.archive.org/web/20260113015221/https://blog.cloudflare.com/bgp-route-leak-venezuela/.