
1.1.1.1 DNS Mis-issued Certificates Threaten Internet Security

Summary

– Internet security experts are alarmed by the issuance of three TLS certificates for 1.1.1.1, the widely used DNS service operated by Cloudflare and APNIC.
– These certificates, issued in May, could be used to decrypt DNS over HTTPS queries and may also affect Cloudflare’s WARP VPN service.
– The certificates were issued by Fina RDC 2020, a subordinate of Fina Root CA, which is trusted by Microsoft’s Root Certificate Program.
– Microsoft has engaged the certificate authority and is taking steps to block the certificates, though it did not explain the delay in detection.
– Google, Mozilla, and Apple browsers do not trust these certificates, and the requester of the credentials remains unknown.

A significant security concern has emerged within the internet infrastructure community following the discovery of three mis-issued TLS certificates for the widely trusted DNS resolver 1.1.1.1. Operated jointly by Cloudflare and APNIC, this service plays a foundational role in secure domain name resolution, making the improper certification a serious matter.

These certificates, granted in May by Fina RDC 2020, a subordinate authority under Fina Root CA, could potentially be exploited to intercept and decrypt DNS over HTTPS (DoH) queries. DoH is designed to encrypt communications between a user’s device and the DNS resolver, shielding domain lookups from eavesdropping. The existence of these certificates also raises concerns about their possible misuse in relation to other Cloudflare services, including the WARP VPN offering.

Despite being issued months ago, the certificates only came to public attention recently through an online forum discussion. Fina Root CA is included in the Microsoft Root Certificate Program, meaning the certificates were trusted by default on Windows systems and in the Microsoft Edge browser, which holds roughly five percent of the global browser market.

Microsoft has since acknowledged the issue, stating it has contacted the certificate authority to demand immediate corrective measures. The company also confirmed it is taking steps to add the certificates to its disallowed list to protect users. Notably, the statement did not address why the improper issuance went undetected for such an extended period.

In contrast, representatives from Google and Mozilla clarified that their browsers, Chrome and Firefox, never trusted the certificates in question. Users of those platforms do not need to take any action. Similarly, Apple’s Safari browser does not include Fina in its list of trusted certificate authorities. The identity of the party that requested or obtained the certificates remains unknown, as Fina representatives have not responded to requests for comment.

(Source: Ars Technica)
