Researchers in internet security are sounding the alarm after three TLS certificates were issued for 1.1.1.1, Cloudflare’s widely used DNS service, by a subordinate CA in the Fina chain. The certificates were issued in May but only came to light this week. If misused, they could be used to intercept and decrypt DNS-over-HTTPS queries and could also affect services such as WARP, Cloudflare’s VPN.
Issued by Fina RDC 2020, a subordinate of Fina Root CA, the chain is trusted by Microsoft’s Root Certificate Program. Microsoft said it would take immediate action, including revoking the certificates by placing them on its disallowed list. The statement did not explain how the misissuance went undetected for so long. Apple’s Safari trust list did not include Fina, making it less likely that the certificates would be trusted on Apple devices.
Public disclosure happened on Wednesday in an online discussion forum post, and it is not publicly known who requested the certificates. Representatives from Fina did not respond to inquiries. Google and Mozilla stated that Chrome and Firefox have never trusted the certificates, so no user action is required. Microsoft Edge holds only a small share of the browser market; the potential impact would be magnified if other platforms also trusted the certificates.
Encryption experts warn that a TLS certificate binds a public key to a domain name; a misissued certificate could therefore be used in a man-in-the-middle attack on DNS traffic, including DNS-over-HTTPS traffic to 1.1.1.1. If an attacker could redirect traffic, through a BGP hijack or other means, end users could receive forged responses. Cloudflare’s WARP VPN could also be affected if endpoints accept the certificates.
Observers say the incident highlights ongoing PKI weaknesses and the importance of Certificate Transparency logs. The three certificates were eventually publicized, but they illustrate that misissuance can slip through and go unnoticed despite monitoring efforts. The industry is likely to review subordinate CA practices and how major vendors validate certificates in the future.
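The two preceding paragraphs describe the mechanism (a certificate binding a key to a name, and a relying party or monitor deciding whether to accept it) and the detection gap. The following is an added example written for this page, not code from Cloudflare, Fina, or the article: it hand-encodes a DER SubjectAltName and issuer Name for a constructed certificate covering 1.1.1.1, parses them back, and applies the check a Certificate Transparency monitor or pinning client would run, flagging any certificate that covers the target address but comes from an issuer outside an expected allowlist. The hostname `resolver.example` and the allowlist entry `Example Corp Issuing CA` are constructed values; `Fina RDC 2020` is the issuer name given in the article.

```python
"""Detect a certificate that covers 1.1.1.1 but was issued by an
unexpected CA, by parsing DER SubjectAltName and issuer Name structures.
Added example; sample values are constructed for illustration."""
import ipaddress

# id-at-commonName (2.5.4.3), DER-encoded OID contents
OID_CN = bytes.fromhex("550403")

# Constructed allowlist: the issuers a relying party expects to see for
# certificates covering 1.1.1.1. Assumption for this example only.
EXPECTED_ISSUERS = {"Example Corp Issuing CA"}


# --- minimal DER TLV helpers -------------------------------------------------
def der_len(n: int) -> bytes:
    """Encode a DER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf: bytes):
    """Yield (tag, value) for each TLV in a constructed value's contents."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


# --- encoding of the two structures under test --------------------------------
def encode_san(dns_names, ips) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName.
    dNSName is context tag [2] (0x82, IA5String contents);
    iPAddress is context tag [7] (0x87, raw 4- or 16-byte address)."""
    names = b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names)
    names += b"".join(tlv(0x87, ipaddress.ip_address(ip).packed) for ip in ips)
    return tlv(0x30, names)


def encode_issuer_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    Here a single CN attribute with a UTF8String (0x0C) value."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))


# --- parsing and policy check -------------------------------------------------
def parse_san(der: bytes):
    """Return a list of (kind, value) pairs from a DER SubjectAltName."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out = []
    for t, v in iter_tlv(body):
        if t == 0x82:
            out.append(("dNSName", v.decode("ascii")))
        elif t == 0x87:
            out.append(("iPAddress", str(ipaddress.ip_address(v))))
        else:
            out.append(("other", v.hex()))  # otherName, URI, etc.
    return out


def parse_issuer_cn(der: bytes):
    """Return the commonName from a DER Name, or None if absent."""
    _, rdn_seq, _ = read_tlv(der, 0)
    for _, rdn in iter_tlv(rdn_seq):            # each RDN is a SET
        for _, atv in iter_tlv(rdn):            # each ATV is a SEQUENCE
            _, oid, pos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, pos)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def evaluate(san_der: bytes, issuer_der: bytes, target_ip="1.1.1.1"):
    """Flag a certificate that covers target_ip but has an unexpected issuer."""
    covers = ("iPAddress", target_ip) in parse_san(san_der)
    issuer = parse_issuer_cn(issuer_der)
    return {
        "issuer": issuer,
        "covers_target": covers,
        "alert": covers and issuer not in EXPECTED_ISSUERS,
    }


# Constructed sample: a certificate covering 1.1.1.1 and 1.0.0.1 whose
# issuer CN is the subordinate CA named in the article.
SAMPLE_SAN = encode_san(["resolver.example"], ["1.1.1.1", "1.0.0.1"])
SAMPLE_ISSUER = encode_issuer_cn("Fina RDC 2020")

if __name__ == "__main__":
    print(parse_san(SAMPLE_SAN))
    print(evaluate(SAMPLE_SAN, SAMPLE_ISSUER))
```

Note that iPAddress SANs are raw address bytes, not text, so a monitor that only string-matches on dNSName entries will miss certificates issued for an IP address such as 1.1.1.1; the check above compares the decoded address explicitly.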