Redazione RHC : 10 September 2025 07:58
Last week it emerged that a little-known certificate authority called Fina had issued 12 rogue TLS certificates for 1.1.1.1 (Cloudflare's popular public DNS resolver) between February 2024 and August 2025, without Cloudflare's authorization. Anyone holding one of those certificates together with its private key could have intercepted encrypted DNS queries sent to the resolver over DNS over HTTPS (DoH) and DNS over TLS (DoT), on any client that trusted Fina's root.
The mis-issued certificates came to light almost by accident: a researcher was the first to report them on Mozilla's dev-security-policy mailing list. They were issued by Fina RDC 2020, a subordinate CA that chains to Fina Root CA. It quickly became clear that Microsoft's root program included Fina Root CA, which meant that Windows and Microsoft Edge trusted any certificate chaining to it.
Cloudflare representatives quickly drew attention to the situation and confirmed that the certificates had been issued without authorization.
“Cloudflare did not authorize Fina to issue these certificates. After seeing the report on the transparency mailing list, we immediately launched an investigation and contacted Fina, Microsoft, and Fina’s TSP watchdog, who may be able to resolve the issue by revoking trust in Fina or the erroneously issued certificates,” Cloudflare said.
The company’s statement also emphasized that the issue does not affect traffic carried over the WARP VPN, which does not rely on these certificates. In turn, Microsoft representatives said they had contacted the certificate authority and requested immediate action, and that Microsoft had already taken steps to block the certificates.
Representatives from Google, Mozilla, and Apple stated that their browsers have never trusted Fina certificates and that their users need take no action. The reason this matters is that certificates are a fundamental part of the Transport Layer Security (TLS) protocol. A certificate binds a public key to the domain name or IP address it was issued for; the matching private key stays with whoever operates the server. The certificate authority (an organization that browsers and operating systems trust to issue certificates) vouches for that binding by signing the certificate with its own private key, and clients verify the signature against the CA's public key in their root store.
In practice, this means that anyone in possession of a certificate for a given name and the matching private key can cryptographically impersonate that name to every client that trusts the issuing CA, whether or not the legitimate operator knows the certificate exists.
Therefore, whoever holds the 1.1.1.1 certificates and their private keys could use them in man-in-the-middle attacks, intercepting communications between users and Cloudflare’s DNS service. A third party in that position could decrypt, view, and modify the DNS traffic of any client that trusts Fina, which in this case means Windows and Edge users, provided it could also position itself on the network path between those clients and 1.1.1.1.
“The CA ecosystem is a castle with many doors: the failure of one CA can compromise the entire castle. CA misbehavior, whether intentional or not, poses a significant and ongoing threat to Cloudflare. Cloudflare helped develop and launch Certificate Transparency from the beginning, which led to the discovery of this case of improper certificate issuance,” Cloudflare said.
Late last week, Cloudflare published a detailed report on the incident. Its own audit showed that the number of improperly issued certificates was 12, not the three initially reported, and that the earliest of them had been issued as far back as February 2024.
Fina representatives commented on the incident in a brief email, stating that the certificates were “issued for internal testing of the certificate issuance process in a production environment.”
The certificate authority stated that an error occurred while issuing the test certificates “due to incorrectly entered IP addresses.” It was emphasized that, as part of standard procedure, the certificates were published in the Certificate Transparency registries.
Fina assured that the private keys did not leave the CA-controlled environment and were “destroyed immediately, before the certificates were revoked.” The company says the improperly issued certificates “did not in any way compromise the security of users or other systems.”
However, Cloudflare said it takes the incident very seriously, stressing that it must “assume that the private key in question exists and is not under Cloudflare’s control,” as there is no way to verify Fina’s claims.
Cloudflare acknowledges that the exposure of the millions of Windows users who rely on the 1.1.1.1 resolver is partly its own fault: it had not implemented effective monitoring of the Certificate Transparency logs that record the issuance of every publicly trusted TLS certificate, and so it discovered the problem late.
“We failed three times. The first time, because 1.1.1.1 is an IP certificate, but our system didn’t alert us to these cases. The second time, because, even though we were alerted to certificate issuances like all our customers, we didn’t implement adequate filtering. Given the huge number of names and issuances we handle, manual checks are not sufficient. Finally, due to excessively “noisy” monitoring, we have not enabled alerts for all our domains. We are working to correct all three of these shortcomings,” Cloudflare writes.
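The two mechanisms the article describes, a certificate from an unrelated CA being accepted by any client whose root store contains that CA (and rejected by clients whose store does not), and the Certificate Transparency filter that would have caught an IP-address certificate from an unexpected issuer, are shown together below as an added example in Go using only the standard library. It is not Cloudflare's, Fina's, or any CA's code. The root CA, the leaf certificate for 1.1.1.1, and the issuer allowlist are all constructed in memory for the demonstration, and matching issuers by CommonName is a simplification (a real monitor would key on the issuer's SPKI hash).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Fixture holds constructed test material: a root CA unrelated to Cloudflare,
// and a leaf certificate it issued for the IP address 1.1.1.1.
type Fixture struct {
	RogueRoot *x509.Certificate
	LeafDER   []byte
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// BuildFixture mints the constructed root and leaf. Nothing in X.509 itself ties
// 1.1.1.1 to a particular issuer: any CA can sign a certificate for any name.
func BuildFixture() Fixture {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := x509.ParseCertificate(mustCreate(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	if err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "1.1.1.1"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("1.1.1.1")}, // an IP SAN, like the mis-issued certificates
	}
	return Fixture{RogueRoot: caCert, LeafDER: mustCreate(leafTmpl, caCert, &leafKey.PublicKey, caKey)}
}

// ClientTrusts models a TLS client: it accepts the certificate for host only if
// the chain ends in a root from its own trust store and the SAN matches host.
func ClientTrusts(leafDER []byte, roots *x509.CertPool, host string) bool {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return false
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// AuditIssuance is the CT-monitor filter the article says was missing: a logged
// certificate whose SAN covers a watched IP is an alert unless its issuer is on
// the allowlist of CAs the operator actually uses.
func AuditIssuance(certDER []byte, watchedIPs []string, allowedIssuers map[string]bool) []string {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return []string{"unparseable certificate: " + err.Error()}
	}
	watched := make(map[string]bool, len(watchedIPs))
	for _, ip := range watchedIPs {
		watched[ip] = true
	}
	var alerts []string
	for _, ip := range cert.IPAddresses {
		if watched[ip.String()] && !allowedIssuers[cert.Issuer.CommonName] {
			alerts = append(alerts, fmt.Sprintf("serial %d: SAN %s issued by %q (not in allowlist), valid %s to %s",
				cert.SerialNumber, ip, cert.Issuer.CommonName,
				cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02")))
		}
	}
	return alerts
}

func main() {
	f := BuildFixture()
	// A client whose root store includes the rogue root (the Windows/Edge case) accepts the certificate...
	trusting := x509.NewCertPool()
	trusting.AddCert(f.RogueRoot)
	fmt.Println("client trusting the rogue root accepts 1.1.1.1:", ClientTrusts(f.LeafDER, trusting, "1.1.1.1"))
	// ...while a client that never trusted that root (the Chrome/Firefox/Safari case) rejects it.
	fmt.Println("client without the rogue root accepts 1.1.1.1:", ClientTrusts(f.LeafDER, x509.NewCertPool(), "1.1.1.1"))
	// Monitoring side: the constructed issuer is not on the (constructed) allowlist, so the entry is flagged.
	for _, a := range AuditIssuance(f.LeafDER, []string{"1.1.1.1", "1.0.0.1"}, map[string]bool{"Constructed Expected CA": true}) {
		fmt.Println("ALERT:", a)
	}
}
```

The same AuditIssuance check applied to real CT log entries (for example, those streamed by a CT monitor) would have flagged an IP-address certificate for 1.1.1.1 from any issuer Cloudflare does not use on the day it was logged, which is the gap Cloudflare describes in its own post-mortem above.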