Cybersecurity researchers have discovered that three TLS certificates were improperly issued for 1.1.1.1, the widely used DNS service operated by Cloudflare in partnership with APNIC. This incident raises serious concerns about the integrity of the certificate authority (CA) ecosystem and the security of encrypted DNS traffic.
The certificates, issued in May by Fina RDC 2020, a subordinate CA of Fina Root CA, were considered valid under the Microsoft Trusted Root Program. Because any client that trusts that root would accept them, they could theoretically allow malicious actors to decrypt DNS queries protected with DNS over HTTPS (DoH) or DNS over TLS (DoT), enabling potential man-in-the-middle (MITM) attacks. Alarmingly, two of the three certificates remained active at the time of the disclosure.
Cloudflare confirmed the misissuance, clarifying that it never authorized Fina to issue certificates for 1.1.1.1. Upon learning of the issue through the Certificate Transparency mailing list, the company immediately began an internal investigation and contacted Fina, Microsoft, and relevant oversight authorities. Cloudflare emphasized that traffic encrypted via its WARP VPN was not impacted.
Microsoft, meanwhile, admitted that the certificates had bypassed detection within its trusted program. The company stated it is working with the CA to revoke the certificates and has taken steps to block them in order to protect users. However, the lack of early detection has sparked criticism, as it allowed the certificates to remain trusted within Windows systems for an extended period.
Interestingly, Google Chrome and Mozilla Firefox were unaffected, as their root stores never trusted these certificates. Similarly, Apple Safari does not include Fina in its trusted CA list, further limiting the scope of exposure. Despite this, the risk to Microsoft users underscores how fragmented and vulnerable the certificate trust ecosystem remains: a certificate is only as safe as the least careful root store that accepts it.
The identity of the party that requested and obtained these certificates remains unknown, as Fina has not responded to multiple inquiries. This lack of transparency adds further complexity to an already serious incident.
Certificates are a critical component of TLS encryption, binding domain names or IP addresses to public keys so that a client can verify it is talking to the legitimate server. A misissued certificate effectively acts as a backdoor, giving whoever holds its private key the ability to intercept, decrypt, and alter traffic without triggering any certificate warning. For a DNS service as popular as 1.1.1.1, which is trusted globally for speed and privacy, such a breach poses significant risks to millions of users.
Cloudflare highlighted the systemic dangers, stating: “The CA ecosystem is like a castle with many doors: the failure of one CA can compromise the entire system.” The company also reminded the industry of its ongoing role in advancing Certificate Transparency, which was instrumental in detecting this flaw.
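The detection path the article describes, a certificate for 1.1.1.1 surfacing in Certificate Transparency rather than in the trust program, is something any domain or IP owner can automate. The following is an added example, not code from the article, Cloudflare, or Fina: a minimal CT monitor that flags certificates naming a watched identity when they come from an issuer that was never authorized, and marks which of them are still within their validity period so those can be escalated first. The log entries, dates, and the entry layout are constructed for illustration (the real CT and crt.sh schemas differ), and "Example Authorized CA" is a placeholder rather than Cloudflare's actual issuer.

```python
"""
Added example (not part of the original article): a minimal Certificate
Transparency (CT) monitor. Given a stream of log entries, it raises an alert
for every certificate that names an identity we own but was issued by a CA we
never authorized, the situation the 1.1.1.1 / Fina incident describes.

Entry layout, issuer allowlist and the sample entries below are all
constructed/assumed for illustration; only the stdlib is used.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Identities we operate and want to watch (configuration, not discovery).
# Both values come from the incident; the list would normally be much longer.
WATCHED = {"1.1.1.1", "one.one.one.one"}

# Issuers permitted to certify those identities. Placeholder name, not the
# real CA Cloudflare uses.
AUTHORIZED_ISSUERS = {"Example Authorized CA"}


@dataclass(frozen=True)
class CtEntry:
    """Simplified, assumed shape of one CT log entry."""
    log_id: int
    issuer: str          # issuer common name as seen in the log
    sans: tuple          # subjectAltName values: DNS names and IP literals
    not_before: datetime
    not_after: datetime


def _normalize(san: str) -> str:
    """Canonicalize a SAN so comparisons are not fooled by case, trailing
    dots, or alternative IPv6 spellings (e.g. expanded vs compressed)."""
    try:
        return str(ipaddress.ip_address(san))
    except ValueError:
        return san.lower().rstrip(".")


def find_unauthorized(entries, now):
    """Return alerts for entries that name a watched identity and whose issuer
    is not on the allowlist. 'active' is True while the certificate is within
    its validity window, i.e. a client trusting the issuer would accept it."""
    alerts = []
    for e in entries:
        hits = sorted({_normalize(s) for s in e.sans} & WATCHED)
        if not hits or e.issuer in AUTHORIZED_ISSUERS:
            continue
        alerts.append({
            "log_id": e.log_id,
            "issuer": e.issuer,
            "names": hits,
            "active": e.not_before <= now <= e.not_after,
        })
    return alerts


def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample log: three Fina certificates for 1.1.1.1 (dates invented,
# the article only says "May"), one legitimate certificate, and one Fina
# certificate for an unrelated name that must not alert.
SAMPLE_ENTRIES = [
    CtEntry(101, "Fina RDC 2020", ("1.1.1.1",), _dt(2025, 5, 2), _dt(2026, 5, 2)),
    CtEntry(102, "Fina RDC 2020", ("1.1.1.1", "ONE.one.one.one."), _dt(2025, 5, 9), _dt(2026, 5, 9)),
    CtEntry(103, "Fina RDC 2020", ("1.1.1.1",), _dt(2025, 5, 1), _dt(2025, 6, 1)),
    CtEntry(104, "Example Authorized CA", ("1.1.1.1",), _dt(2025, 4, 1), _dt(2026, 4, 1)),
    CtEntry(105, "Fina RDC 2020", ("unrelated.example",), _dt(2025, 5, 3), _dt(2026, 5, 3)),
]
NOW = _dt(2025, 9, 3)  # constructed "time of review"


def sample_alerts():
    """Run the monitor over the constructed sample at the constructed time."""
    return find_unauthorized(SAMPLE_ENTRIES, NOW)


if __name__ == "__main__":
    for a in sample_alerts():
        state = "ACTIVE" if a["active"] else "expired"
        print(f"[{state}] log #{a['log_id']}: {a['issuer']} issued for {a['names']}")
```

In production the entries would come from a CT log's own API or an aggregator such as crt.sh, and the allowlist would be the set of CAs you have actually contracted with (ideally mirrored by a CAA record). Two design points matter: match on SANs rather than the subject, since the subject field is often empty or unrelated, and treat an alert as urgent while the certificate is still within its validity window, because revocation only helps clients that actually check revocation status.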
Conclusion
The incident demonstrates how fragile the trust model of TLS certificates remains. A single misstep by a CA can put millions of users at risk, highlighting the urgent need for greater oversight, transparency, and stricter validation mechanisms across the industry. While Cloudflare and browser vendors acted quickly, the gap in Microsoft’s detection highlights vulnerabilities that attackers could exploit. This serves as a wake-up call for the cybersecurity community to reinforce the foundations of internet trust.