Rising Threat: More 1.1.1.1 Certificates Mis-Issued

Summary
– Three mis-issued TLS certificates for Cloudflare’s 1.1.1.1 service were discovered, raising concerns about potential decryption of encrypted DNS queries.
– An audit revealed that Fina CA mis-issued a total of 12 certificates, nine more than initially known, all of which have been revoked.
– Cloudflare stated there is no evidence that any of the certificates were used maliciously to impersonate its services.
– Fina CA claimed the certificates were issued for internal testing due to an error in IP address entry and were published as part of standard procedure.
– Cloudflare acknowledged it should have detected the mis-issuances earlier through Certificate Transparency, which it helps administer.
The recent discovery of mis-issued TLS certificates for Cloudflare’s widely used 1.1.1.1 encrypted DNS service has sent ripples through the cybersecurity community. Security experts are alarmed by the possibility that unauthorized parties could have gained the ability to intercept and manipulate encrypted DNS traffic, potentially redirecting users to harmful websites or eavesdropping on their queries. This incident underscores the critical importance of robust certificate management and oversight in maintaining trust across the internet.
Since the initial report, further investigation has revealed that the scope of the problem is larger than first thought. Cloudflare has confirmed that a total of twelve certificates were improperly issued by Fina CA, a Microsoft-trusted certificate authority, with nine of those certificates having been issued since February of this year. All of these certificates have now been revoked, though the company states there is no evidence they were used maliciously in any attack or impersonation attempt.
Cloudflare acknowledged that its own monitoring systems, including participation in the Certificate Transparency framework, should have detected these irregularities sooner. The company helps administer this very system, which is designed to provide public oversight of certificate issuance and prevent exactly this kind of error or misuse.
For its part, Fina CA provided a brief explanation, stating that the certificates were generated during internal testing of its production certificate issuance process. According to the CA, the mis-issuance resulted from an error in entering IP addresses. The certificates were published to public Certificate Transparency logs as part of standard procedure, which is how they eventually came to light.
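The check a Certificate Transparency monitor would run to catch this class of mis-issuance, as an added example in Go (not Cloudflare's, Fina CA's, or any log operator's own code): every logged certificate whose SAN list names a watched IP such as 1.1.1.1 is flagged unless its issuer organisation is on the operator's expected list. The issuer names and the self-signed sample certificate are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckCert is the core rule of a CT-log monitor: flag a logged certificate that
// lists a watched IP in its SANs but comes from an issuer organisation outside
// the expected set. Returns "" when there is nothing to report.
func CheckCert(cert *x509.Certificate, watchedIPs, allowedIssuerOrgs []string) string {
	var matched []string
	for _, ip := range cert.IPAddresses {
		for _, w := range watchedIPs {
			if ip.Equal(net.ParseIP(w)) {
				matched = append(matched, w)
			}
		}
	}
	if len(matched) == 0 {
		return "" // names nothing we watch
	}
	for _, org := range cert.Issuer.Organization {
		for _, a := range allowedIssuerOrgs {
			if org == a {
				return "" // an expected issuer for these identities
			}
		}
	}
	return fmt.Sprintf("serial %s issued by %q names watched IPs %v: revoke and investigate",
		cert.SerialNumber.String(), cert.Issuer.String(), matched)
}

// makeTestCert builds a self-signed certificate in memory as a constructed stand-in
// for a CT log entry (hypothetical issuer names; no real CA is involved).
func makeTestCert(issuerOrg string, ips ...net.IP) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(42), IPAddresses: ips,
		Subject:   pkix.Name{Organization: []string{issuerOrg}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

In production the certificates would come from a CT log or a log aggregator rather than from makeTestCert, and the watched set would include the service's DNS names as well as its IPs.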
(Source: Ars Technica)