Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet
3 September 2025
The three certificates were issued in May but only came to light Wednesday.
People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry.
The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS or DNS over TLS. Both protocols provide end-to-end encryption when end-user devices seek the IP address of a particular domain they want to access. Two of the certificates remained valid at the time this post went live on Ars.
Investigation underway
Although the certificates were issued four months ago, their existence came to public notice only on Wednesday in a post to an online discussion forum. They were issued by Fina RDC 2020, a certificate authority that’s subordinate to the root certificate holder Fina Root CA. The Fina Root CA, in turn, is trusted by the Microsoft Root Certificate Program, which governs which certificates are trusted by the Windows operating system. Microsoft Edge accounts for approximately 5 percent of the browsers actively used on the Internet.
In an emailed statement sent several hours after this post went live, Cloudflare officials confirmed the certificates were improperly issued. They wrote in part:
Cloudflare did not authorize Fina to issue these certificates. Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body – who can mitigate the issue by revoking trust in Fina or the mis-issued certificates. At this time, we have not yet heard back from Fina.
The statement went on to say that data encrypted through Cloudflare's WARP VPN isn't affected.
Microsoft said in an email that it has “engaged the certificate authority to request immediate action. We’re also taking steps to block the affected certificates through our disallowed list to help keep customers protected.” The statement didn't say how the company failed to identify the improperly issued certificate for such a long period of time.
Representatives from Google and Mozilla said in emails that their Chrome and Firefox browsers have never trusted the certificates, and there was no need for users to take any action. An Apple representative responded to an email with this link to a list of certificate authorities Safari trusts. Fina was not included.
Related Posts
You might also enjoy these articles on similar topics:
