Mis-issued 1.1.1.1 DNS Certificates: A Looming Internet Danger


In May 2025, a concerning discovery was made. Three unauthorized TLS certificates were issued for Cloudflare's 1.1.1.1 DNS service. This service is a cornerstone of internet security, used by over 44 million people daily. The implications of this event are significant.


These certificates could enable adversary-in-the-middle attacks. Such attacks would compromise encrypted DNS traffic, putting user data at risk. The discovery was alarming, but what made it worse was the delay in public disclosure. It took four months for the issue to come to light.

This incident highlights systemic risks to the global internet trust infrastructure. Ensuring the security of foundational services like 1.1.1.1 is crucial. Without it, the internet's reliability and safety are at stake.

Introduction: The Threat of Mis-issued TLS Certificates

The security of online communications relies heavily on TLS certificates. These digital passports enable HTTPS encryption, ensuring that data exchanged between users and websites remains private. Without them, sensitive information could be exposed to malicious actors.

Understanding TLS Certificates and Their Role in Internet Security

TLS certificates bind domain names to cryptographic keys, validating secure connections. They are issued by certificate authorities, trusted third parties responsible for verifying the identity of website owners. This process builds trust in online interactions.

In a unique case, Fina RDC 2020 issued certificates containing the IP SAN 1.1.1.1, even though Cloudflare did not request them. This type of certificate differs from a standard domain-validated certificate: the subject alternative name it binds to the key is an IP address rather than a domain name.

Microsoft’s trust relationship with Fina Root CA added complexity to the situation. This incident highlights the importance of vigilance in maintaining the integrity of certificate issuance processes.

Mis-issued Certificates for 1.1.1.1 DNS Service Pose a Threat to the Internet

The mis-issued certificates matter because of how they combine with traffic redirection. A BGP hijack can redirect traffic destined for 1.1.1.1 to a server the attacker controls; on its own that only produces TLS errors on the client, but a certificate the client's trust store accepts for 1.1.1.1 removes that warning and allows interception of encrypted DNS queries.

The certificates Fina RDC 2020 issued carry an IP SAN rather than a domain name, so they bypass the domain-based validation and monitoring most operators rely on: a certificate transparency watch keyed on domain names never sees a certificate whose only identity is the IP address 1.1.1.1. Cloudflare’s dual validation, which checks both the destination IP and the Host header, offers some protection, but endpoints reached by raw IP remain exposed.

The Mechanics of an Adversary-in-the-Middle Attack

In such attacks, malicious actors redirect traffic to their servers. They use valid certificates to impersonate legitimate services. This allows them to decrypt queries, hijack sessions, or manipulate content.

Certificate transparency logs can help identify rogue certificates. For example, certificates with IDs 18603461241 and 19749721864 were flagged as malicious. Despite these tools, the risks remain significant.

Real-world implications include session hijacking, query decryption, and content manipulation. These threats highlight the need for stronger safeguards in certificate issuance processes.

The Impact on Users and Trust in the Internet

User trust in online systems faced a significant challenge. The discovery of unauthorized certificates highlighted vulnerabilities in widely used platforms. This incident not only put millions of users at risk but also raised questions about the reliability of foundational internet services.

Windows and Edge Users at Greater Risk

Windows and Edge users were particularly vulnerable. Data shows that 94% of devices trusting Fina Root CA run on Windows. While Edge holds only 4.2% of the global browser market, it accounted for 100% of the affected clients. This concentration of risk underscores the importance of secure operating systems and browsers.

Microsoft’s approach to trusted certificate authorities differs from other providers. With 128 trusted CAs, Microsoft’s program is more expansive than Mozilla’s, which approves only 52. Fina Root CA, despite its low issuance volume, was included in Microsoft’s trusted list. This decision left users exposed to potential threats.

Statistics reveal a stark contrast. Fina Root CA had only 201 active certificates, compared to Let’s Encrypt’s 380 million. Geographic risk was also concentrated in European markets where Microsoft’s operating systems dominate. However, users of Safari, Chrome, and Firefox remained immune due to these browsers’ distrust policies for Fina Root CA.

Stakeholder Responses and Mitigation Efforts

The discovery of unauthorized digital credentials sparked immediate action from key stakeholders. Both Cloudflare and Microsoft took decisive steps to address the issue and protect users. Their responses highlighted the importance of collaboration in maintaining digital security.

Cloudflare's Investigation and Communication

Cloudflare detected the rogue credentials through certificate transparency logs on September 3, 2025. Within four hours, they notified Fina RDC and Microsoft about the issue. This swift communication was critical in minimizing potential damage.

Cloudflare also conducted a gap analysis of their monitoring systems. They compared crt.sh logs with their proprietary tools to identify gaps in coverage. This proactive approach helped them strengthen their defenses against future threats.
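The gap analysis described above, and the use of certificate transparency logs to find rogue certificates mentioned earlier, come down to one comparison: which certificates for a watched identity does the public log know about that the internal monitor never recorded, and which of those are still within their validity period. The Go program below is an added example of that comparison and is not Cloudflare's tooling. The JSON it decodes is constructed for the example; its field names (id, issuer_name, name_value, not_after) follow the shape of crt.sh's JSON output as assumed here, and the IDs, issuer strings and dates are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry is one certificate record from the external log. Field names follow
// crt.sh's JSON output (an assumption for this example); name_value holds the
// certificate's identities separated by newlines.
type Entry struct {
	ID         int64  `json:"id"`
	IssuerName string `json:"issuer_name"`
	NameValue  string `json:"name_value"`
	NotAfter   string `json:"not_after"` // "2006-01-02T15:04:05", no zone
}

const ctLayout = "2006-01-02T15:04:05"

// constructedCrtshJSON stands in for the body of a crt.sh query. Every value
// in it is made up for this example.
const constructedCrtshJSON = `[
 {"id": 1001, "issuer_name": "C=XX, O=Example Issuer", "name_value": "1.1.1.1\none.example", "not_after": "2026-03-01T00:00:00"},
 {"id": 1002, "issuer_name": "C=XX, O=Example Issuer", "name_value": "1.1.1.1", "not_after": "2025-06-01T00:00:00"},
 {"id": 1003, "issuer_name": "C=XX, O=Other Issuer", "name_value": "www.example.net", "not_after": "2026-01-01T00:00:00"},
 {"id": 1004, "issuer_name": "C=XX, O=Example Issuer", "name_value": "1.1.1.1\nresolver.example", "not_after": "2026-06-01T00:00:00"}
]`

// Finding is one certificate the external log knows about, for a watched
// identity, that the internal monitor has no record of.
type Finding struct {
	ID         int64
	IssuerName string
	StillValid bool // expiry is after the reference time, so revocation or blocking still matters
}

// GapAnalysis decodes an external log response, keeps entries whose
// identities include a watched name or IP, and reports the ones absent from
// the internal monitor's set of seen log IDs. The caller passes now so the
// validity check is reproducible.
func GapAnalysis(body []byte, watched []string, seenInternally map[int64]bool, now time.Time) ([]Finding, error) {
	var entries []Entry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, err
	}
	watch := make(map[string]bool, len(watched))
	for _, w := range watched {
		watch[w] = true
	}
	var out []Finding
	for _, e := range entries {
		if !namesAny(e.NameValue, watch) || seenInternally[e.ID] {
			continue
		}
		exp, err := time.Parse(ctLayout, e.NotAfter)
		if err != nil {
			return nil, fmt.Errorf("entry %d: bad not_after: %w", e.ID, err)
		}
		out = append(out, Finding{ID: e.ID, IssuerName: e.IssuerName, StillValid: exp.After(now)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, nil
}

// namesAny reports whether any newline-separated identity is on the watchlist.
func namesAny(nameValue string, watch map[string]bool) bool {
	for _, n := range strings.Split(nameValue, "\n") {
		if watch[strings.TrimSpace(n)] {
			return true
		}
	}
	return false
}

func main() {
	// The internal monitor only ever recorded entry 1001 (constructed).
	seen := map[int64]bool{1001: true}
	now := time.Date(2025, 9, 3, 0, 0, 0, 0, time.UTC)
	findings, err := GapAnalysis([]byte(constructedCrtshJSON), []string{"1.1.1.1"}, seen, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("missed log id %d issued by %q, still valid: %v\n", f.ID, f.IssuerName, f.StillValid)
	}
}
```

Run against the constructed data, the analysis reports entries 1002 and 1004 as missed by the internal monitor, and marks 1004 as still valid at the reference date, which is the case that needs a block or revocation rather than just a note in the record.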

Microsoft's Steps to Block Rogue Credentials

Microsoft acted quickly to update its disallowed list, blocking the unauthorized credentials. The update took 72 hours to propagate fully across systems. This step was essential in preventing further exploitation of the issue.

Despite Fina RDC’s minimal issuance share, Microsoft’s root program requirements were scrutinized. The incident underscored the need for stricter criteria in approving certificate authorities. Ongoing risks from two still-valid credentials highlighted the challenges in fully resolving the issue.

Systemic Failures in Certificate Issuance and Transparency

The recent case involving unauthorized credentials exposed deep flaws in the certificate issuance process. Over 73% of certificate authorities lack automated monitoring of transparency logs, leaving gaps in oversight. This failure highlights the need for stronger safeguards in the WebPKI system.

Historic incidents like DigiNotar and TÜRKTRUST show how over-reliance on a few major CAs can lead to vulnerabilities. Today, four CAs control 89% of issuance, creating a fragile ecosystem. The EU’s eIDAS 2.0 regulation, which mandates trust in EU-based CAs, further complicates the issue by prioritizing compliance over security.

To address these challenges, experts propose solutions like 47-day certificate lifespans and special handling for IP SANs. Additionally, Microsoft’s increased participation in the CA/Browser Forum could help improve governance and accountability. Strengthening these systems is essential to restore trust in digital security.
