These BGP leaks do happen all the time. Cloudflare is right. This is a gap in the http-01 challenge on Cloudflare’s end. It should be changed to match the RFC, but not because it’ll change anything meaningful for security.
It doesn’t matter because this (and similar http-01/dns-01 challenge exploits that allow the issuance or interception of CA-signed certificates) is not a rare occurrence, and is surprisingly easy to perform as an individual. Even more so for governments.
Addendum: certificate transparency logs are free and are scraped and sold. Don’t believe for a second that anyone out there is doing any free analysis at scale to watch your back. The orgs doing analysis are ultimately paid by orgs using it to hide their operations better. Your small-business use case for the data is pocket change compared to those contracts.