Man in the middle attack
A content delivery network, substituting a fake cert, issued by itself or partner companies, in place of the actual real certificate, is a man-in-the-middle attack.
It was found to be a problem. Google has caught lots of countries faking its own certs: India, Egypt, even the USA. Symantec was caught issuing fake Google certs:
Is it a big problem? Do bears shit in the woods? Yes, it's a big problem! You cannot secure your banking, web instrumentation, IoT devices or anything else if any certificate authority can fake any website certificate.
Add a Content Delivery Network (CDN) to the mix, and these fake certs can be issued PER USER and PER DEVICE, since the content delivery network controls the delivery of the website targeted at that user. On a PER USER basis the CDN can swap in the fake cert. The chance of an INDIVIDUAL USER detecting those certs as fake is nil. These per-user fake certs go undetected.
Avoid CDNs, you're exposing your customer data.
It's not enough to avoid CDNs. Routes can be forced by returning false data to skew routing algorithms, and they can be forced by returning false DNS queries; I've seen examples of this myself recently. You need to USE CERTIFICATE PINNING too.
If you don't believe me, here's Digicert FUDding Certificate Pinning:
Look at an example, how piss poor their claims are:
"Sometimes CAs must revoke your certificates. Maybe an audit shows the certificates have previously unknown issues, like misspellings in the subject name or invalid entries in the OU fields. Industry standards say the CA has five days to revoke your certificates, but you pinned them in your client code. How can you push out updates to all your clients in five days to start using your new replacement certificates?"
Why would a GOOD certificate authority try to stop you using a certificate verification mechanism designed to stop a ROGUE certificate authority issuing fake certs? A man-in-the-middle attack that has been done many times by ROGUE certificate authorities. My personal suspicion is that they are ROGUE, and that widespread use of pinning would throw up lots of "hold up, this site isn't supposed to have a DIGICERT certificate, something is rogue here".
Improvements need to be made to CERT PINNING too.
I want to be able to set all certificate authorities as untrusted, trusted, or "ask me per website", with an "always reject for this site" or "always accept for this site", for the latter.
I want a mechanism in Firefox to report certs I am suspicious of, for investigation, and to automatically report pinned violations.
You backdoored the internet and you undermined your security, and now you're bitching because your security is undermined.
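
An added example, not part of the original post: a client-side pin check with a pin set per host, so a pre-provisioned backup certificate is accepted without a client update while any other certificate produces a violation record that could be reported. It pins the SHA-256 fingerprint of the whole DER certificate (a simplification that needs only the standard library; pinning the public key hash is the other common choice), and the host name, sample byte strings and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def check_pin(host: str, der: bytes, pins: dict) -> dict:
    """Compare the presented certificate with the pin set stored for host.

    Returns a verdict record; on a mismatch it carries what a violation
    report needs: the host, the expected pins and the observed fingerprint.
    """
    observed = fingerprint(der)
    expected = pins.get(host)
    if expected is None:
        return {"host": host, "verdict": "unpinned", "observed": observed}
    ok = any(hmac.compare_digest(observed, p) for p in expected)
    return {"host": host, "verdict": "match" if ok else "violation",
            "observed": observed, "expected": sorted(expected)}


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate (DER) after normal CA validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample data: byte strings standing in for DER certificates.
CURRENT_CERT = b"constructed-der: shop.example leaf, issued by CA-A"
BACKUP_CERT = b"constructed-der: shop.example spare leaf, key kept offline"
SWAPPED_CERT = b"constructed-der: shop.example leaf, issued by CA-B"

# Pin set shipped with the client: the live certificate plus one backup.
PINS = {"shop.example": {fingerprint(CURRENT_CERT), fingerprint(BACKUP_CERT)}}

if __name__ == "__main__":
    for der in (CURRENT_CERT, BACKUP_CERT, SWAPPED_CERT):
        print(check_pin("shop.example", der, PINS))
```

In a real client, the bytes returned by `fetch_leaf_der` would be passed to `check_pin` before any application data is sent.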