
A certificate authority operating under Microsoft's root program has issued three TLS certificates improperly containing the IP address 1.1.1.1, a highly sensitive and globally used DNS resolver run by Cloudflare and APNIC.
The certificates were discovered months after their issuance, raising concerns over certificate authority oversight and systemic weaknesses in the internet's trust infrastructure.
Arbitrary certificate issuance
The issue was first publicly reported on September 3, 2025, by security researcher Youfu Zhang on Mozilla's dev-security-policy mailing list. Zhang identified that Fina RDC 2020 had issued three certificates in May 2025 that improperly listed 1.1.1.1 in their Subject Alternative Name (SAN) fields.
This IP address is globally reserved for Cloudflare's DNS service and is not something an arbitrary certificate applicant controls. According to the CA/Browser Forum Baseline Requirements (v2.1.7, section 7.1.2.7.12), certificate authorities are obligated to verify ownership or control of any IP address listed in a certificate. Fina's own policies reinforce this requirement, stating that it must confirm legal control over any IP address listed in a request before issuance.
The three affected certificates remained valid as of the initial disclosure, exposing a potential vector for misuse. The certificates were issued for domains such as test1.hr and test11.hr, but all included iPAddress:1.1.1.1, an unauthorized inclusion that could allow impersonation of Cloudflare's DNS infrastructure.
Fina RDC 2020 operates as a subordinate CA under Fina Root CA, which is part of the Microsoft Root Certificate Program. This means certificates issued by Fina RDC 2020 are trusted by Windows-based systems, including Microsoft Edge and other applications relying on the Windows certificate store.
Although Mozilla, Google, and Apple confirmed that Firefox, Chrome, and Safari do not trust Fina's certificates, Microsoft has acknowledged the misissuance and is now working to revoke the affected certificates and add them to its disallowed list. At the time of writing, Fina has not issued a public incident report or revoked the still-valid certificates, despite requests from both Mozilla and Cloudflare.
Cloudflare's response
Cloudflare reacted promptly after the disclosure, confirming it never authorized the issuance and launching a formal investigation. The company emphasized that its WARP VPN service remains unaffected by this incident and stated that it is collaborating with Microsoft and the Croatian regulatory authorities overseeing Fina CA.
The concern lies primarily with DNS over HTTPS (DoH) and DNS over TLS (DoT) traffic, which rely on encrypted connections to resolvers like 1.1.1.1. If the certificates fell into malicious hands, attackers could potentially conduct adversary-in-the-middle (AitM) attacks, intercepting and decrypting otherwise secure DNS queries. This could allow monitoring or manipulation of users' browsing behavior.
Although there is no evidence that the certificates were actively exploited, the case demonstrates the "single point of failure" vulnerability in the certificate authority ecosystem. While Certificate Transparency (CT) logs are designed to make all certificate issuance public and auditable, the 1.1.1.1 certificates were only discovered four months after issuance, suggesting that automated or manual reviews failed to catch this obvious anomaly and leaving users exposed for the same period.
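One concrete form of the CT monitoring that would have caught this earlier, as an added example that is not from the article, Cloudflare or Fina: a Go function that parses a certificate the way a CT log export hands it over and flags any iPAddress SAN entry on a watch list. The watch list, the function names and the self-signed sample certificate (which mimics the dNSName test1.hr plus iPAddress 1.1.1.1 shape, with 1.0.0.1 added as Cloudflare's secondary resolver address) are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed watch list: resolver addresses that should never appear in a SAN you did not request.
var watchedIPs = map[string]bool{"1.1.1.1": true, "1.0.0.1": true}

// FlaggedIPSANs parses one PEM certificate (as a CT log export hands it to you) and
// returns every iPAddress SAN entry that is on the watch list.
func FlaggedIPSANs(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	hits := []string{}
	for _, ip := range cert.IPAddresses { // only IP SANs matter here; dNSName entries are ignored
		if watchedIPs[ip.String()] {
			hits = append(hits, ip.String())
		}
	}
	return hits, nil
}

// SampleCertPEM builds a self-signed certificate with the SAN shape of the misissued ones
// (dNSName test1.hr plus iPAddress 1.1.1.1). Constructed test data, not Fina's certificate.
func SampleCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"test1.hr"},
		IPAddresses:  []net.IP{net.ParseIP("1.1.1.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() { fmt.Println(FlaggedIPSANs(SampleCertPEM())) } // prints [1.1.1.1] <nil>
```

Run the same function over every certificate pulled from a CT log feed for your domains and IP ranges; an alert on any hit is the check the article says was missing for four months.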