Security researchers revealed that three unauthorized TLS certificates were issued in May 2025 for 1.1.1.1, the widely used public DNS service run by Cloudflare and APNIC.
These certificates, improperly issued by the Fina RDC 2020 certificate authority, could allow attackers to intercept and decrypt encrypted DNS queries. In turn, this might expose users’ browsing histories and habits.
TLS certificates are digital documents that bind a website’s domain name to a public cryptographic key. When valid, they ensure that communications between a user’s device and a server remain private and secure.
However, if a malicious or unauthorized party holds a valid certificate, they can impersonate the domain and carry out what is known as an “adversary-in-the-middle” attack.
In such an attack, a bad actor secretly intercepts and possibly alters communications without the user’s knowledge.
The Fina RDC 2020 certificates were trusted by default on Windows operating systems and in the Microsoft Edge browser because Fina RDC 2020 is chained to the Fina Root CA.
That root certificate is part of Microsoft’s Root Certificate Program. In contrast, major browsers such as Google Chrome and Mozilla Firefox never included Fina in their trusted root lists, and Apple’s Safari likewise does not trust Fina. As a result, only Windows and Edge users faced potential risk.
Cloudflare confirmed that it did not request or authorize the issuance of these certificates. “Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body,” said a Cloudflare spokesperson.
“These parties can mitigate the issue by revoking the trust in Fina or revoking the mis-issued certificates. We also want to reassure users that our WARP VPN service was not affected.”
Microsoft indicated it has already “engaged the certificate authority to request immediate action” and plans to block the rogue certificates by adding them to its disallowed certificate list.
The company did not explain how the certificates evaded detection for four months, despite their creation in May.
This incident highlights a critical weakness in the internet’s public key infrastructure, where the compromise or error of a single certificate authority can undermine the trust model relied upon by millions.
Certificate Transparency logs exist to record every TLS certificate issued publicly, so that mis-issuances can be spotted quickly. Yet in this case, the certificates remained unnoticed for nearly four months.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
