Mis-issued TLS Certificates for 1.1.1.1 DNS Service Enable Attackers to Decrypt Traffic


Three improperly issued TLS certificates have been discovered for 1.1.1.1, the popular public DNS service operated by Cloudflare and the Asia Pacific Network Information Centre (APNIC).

The certificates, which were issued in May 2025, could allow attackers to intercept and decrypt encrypted DNS lookups, potentially exposing users’ browsing habits.

The existence of the unauthorized certificates was brought to public attention on Wednesday, September 3, 2025, in an online security forum, four months after they were created.

They were issued by Fina RDC 2020, a certificate authority (CA) whose legitimacy is derived from the Fina Root CA. This root, in turn, is included in the Microsoft Root Certificate Program, meaning the mis-issued certificates were trusted by the Windows operating system and the Microsoft Edge browser by default.

Mis-issued TLS Certificates for 1.1.1.1

Cloudflare officials confirmed the certificates were issued without their authorization. In a statement, the company announced, “Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body who can mitigate the issue by revoking trust in Fina or the mis-issued certificates.” Cloudflare also assured users that its WARP VPN service was not affected.


Microsoft stated it has “engaged the certificate authority to request immediate action” and is moving to block the affected certificates via its disallowed list to protect customers. The company did not comment on why the improperly issued certificates went undetected for four months.

Users of other major browsers are not affected. According to the report, representatives for Google and Mozilla confirmed that Chrome and Firefox have never trusted the Fina root certificate, and Apple’s list of trusted root authorities for Safari does not include Fina.

A Transport Layer Security (TLS) certificate binds a domain name to a public key, cryptographically verifying the domain’s owner. Anyone holding a valid certificate for a domain, together with its private key, can impersonate that domain. With these certificates, an attacker could conduct an “adversary-in-the-middle” attack against the encrypted DNS lookups sent to 1.1.1.1.

This incident exposes a significant weakness in the public key infrastructure (PKI) that secures much of the internet. A single point of failure can undermine the entire system of trust. Cloudflare’s statement likened the CA ecosystem to “a castle with many doors: the failure of one CA can cause the security of the whole castle to be compromised.”

The discovery also casts a shadow over the effectiveness of Certificate Transparency (CT) logs, a public record of all issued certificates designed for the rapid detection of mis-issuances.
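The kind of CT monitoring the paragraph above describes, as an added example that is not code from the article, Cloudflare, or any CA: it scans CT search results for a watched name and alerts when the issuing organisation is outside an allowlist. The records are constructed in the JSON shape crt.sh’s search API returns (only the issuer CN “Fina RDC 2020” comes from the article), and EXPECTED_ISSUER_ORGS is an assumed placeholder the domain owner would fill in.

```python
import json

# Assumption (placeholder): organisations the domain owner expects to issue its
# certificates. The article does not name 1.1.1.1's legitimate CAs.
EXPECTED_ISSUER_ORGS = {"Example Trust"}
WATCHED_NAMES = {"1.1.1.1", "one.one.one.one"}

# Constructed sample in crt.sh's JSON shape; ids, dates and DNs are invented,
# except the issuer CN "Fina RDC 2020", which the article names.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Example Trust, CN=Example Trust TLS CA",
     "name_value": "1.1.1.1\none.one.one.one", "not_before": "2025-01-10T00:00:00"},
    {"id": 102, "issuer_name": "C=HR, O=Fina, CN=Fina RDC 2020",
     "name_value": "1.1.1.1", "not_before": "2025-05-02T00:00:00"},
    {"id": 103, "issuer_name": "C=US, O=Example Trust, CN=Example Trust TLS CA",
     "name_value": "example.net", "not_before": "2025-05-03T00:00:00"},
])


def parse_dn(dn):
    """Split an RFC 4514-style DN ("C=US, O=Org, CN=Name") into a dict.
    Sufficient for CT API output; does not handle escaped commas."""
    attrs = {}
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def record_names(record):
    """crt.sh joins the CN and every SAN with newlines in name_value."""
    return {n.strip().lower() for n in record["name_value"].split("\n") if n.strip()}


def find_unexpected_issuers(records_json, watched_names, expected_orgs):
    """Return (id, issuer_org) for CT records that cover a watched name but whose
    issuer organisation is not allowlisted, ordered by not_before."""
    watched = {n.lower() for n in watched_names}
    hits = []
    for rec in json.loads(records_json):
        if not (record_names(rec) & watched):
            continue  # certificate names nothing we monitor
        org = parse_dn(rec["issuer_name"]).get("O", "")
        if org not in expected_orgs:
            hits.append((rec["not_before"], rec["id"], org))
    return [(rid, org) for _, rid, org in sorted(hits)]


if __name__ == "__main__":
    for rid, org in find_unexpected_issuers(SAMPLE_CT_RECORDS, WATCHED_NAMES, EXPECTED_ISSUER_ORGS):
        print(f"ALERT: CT record {rid} for a watched name was issued by unexpected org {org!r}")
```

In practice the same function would run over a periodic pull of CT search results; an alert here is the trigger for contacting the CA and requesting revocation, as Cloudflare did.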

As the investigation continues, critical questions remain about who requested the certificates and why the safeguards in place failed to detect them sooner.
