Monday, December 1

Mis-issued TLS Certificates for 1.1.1.1 DNS Service Enable Attackers to Decrypt Traffic


Discovery of Mis-issued TLS Certificates

Three improperly issued TLS certificates for 1.1.1.1, a public DNS service from Cloudflare and the Asia Pacific Network Information Centre (APNIC), were discovered. The certificates were issued in May 2025 and could potentially allow attackers to intercept and decrypt encrypted DNS lookups, exposing users’ browsing habits.

The unauthorized certificates were publicly reported on Wed, Sep 3, 2025, in an online security forum, four months post-issuance.

Technical Details and Response

The certificates were issued by Fina RDC 2020, a certificate authority (CA) under the Fina Root CA, which is included in the Microsoft Root Certificate Program. Consequently, the certificates were trusted by the Windows operating system and the Microsoft Edge browser by default.

Cloudflare confirmed the unauthorized issuance and initiated an investigation. They are collaborating with Fina, Microsoft, and Fina’s TSP supervisory body to address the issue by revoking trust in Fina or the mis-issued certificates. Cloudflare assured that its WARP VPN service remains unaffected.

Microsoft has engaged the certificate authority to request immediate action and is moving to block the affected certificates via its disallowed list for customer protection. No explanation was provided for the four-month delay in detection.

Google and Mozilla representatives confirmed that Chrome and Firefox have not trusted the Fina root certificate. Apple’s Safari does not include Fina in its list of trusted root authorities.

Security Implications

A TLS certificate binds a domain name to a public key, cryptographically attesting that the holder of the key controls the domain. A valid certificate for a domain in the wrong hands therefore allows that domain to be impersonated, enabling an adversary-in-the-middle attack against connections to it.

This incident highlights vulnerabilities within the public key infrastructure (PKI) that secures internet transactions, indicating that a single point of failure can compromise the entire trust system. Cloudflare compared the CA ecosystem to “a castle with many doors,” where failure of one CA can compromise the entire system’s security.

The incident raises concerns over the effectiveness of Certificate Transparency (CT) logs, which are public records intended for rapid detection of mis-issuances.
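As an added example, not part of the original article, this is the kind of Certificate Transparency check a domain owner can run to catch this class of mis-issuance: records in the JSON shape returned by a CT search service such as crt.sh are filtered for monitored names whose issuer is outside an allowlist, and the gap between issuance and review is reported. The records, the issuer names and the allowlist are all constructed placeholders.

```python
"""Flag certificates for monitored names issued by an unexpected CA.

Added example (not from the article). Records mimic the JSON a CT search
service such as crt.sh returns (issuer_name, name_value with one SAN per
line, not_before, entry_timestamp); every record below is constructed
for illustration, not real log data.
"""
import json
from datetime import datetime

# Names to watch and the issuers expected for them (assumed allowlist; a
# real deployment would take both from the certificate inventory).
MONITORED_NAMES = {"1.1.1.1", "one.one.one.one"}
EXPECTED_ISSUER_SUBSTRINGS = ("O=Example Trusted CA",)  # placeholder CA

# Constructed CT-search-style records (not real entries). Record 2 models
# a certificate for 1.1.1.1 from a CA that was never authorised for it.
SAMPLE_RECORDS = json.dumps([
    {"id": 1, "issuer_name": "C=XX, O=Example Trusted CA, CN=Example CA R1",
     "name_value": "one.one.one.one\n1.1.1.1",
     "not_before": "2025-04-01T00:00:00", "entry_timestamp": "2025-04-01T00:05:00"},
    {"id": 2, "issuer_name": "C=XX, O=Some Other CA, CN=Other RDC 2020",
     "name_value": "1.1.1.1",
     "not_before": "2025-05-02T00:00:00", "entry_timestamp": "2025-05-02T01:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Other RDC 2020",
     "name_value": "unrelated.example",
     "not_before": "2025-05-02T00:00:00", "entry_timestamp": "2025-05-02T01:00:00"},
])


def find_unexpected_issuances(records_json, reviewed_at):
    """Return (record id, issuer, matched names, days since not_before) for
    each record naming a monitored name whose issuer is not on the allowlist.
    reviewed_at is an ISO-8601 date string for the time of the review."""
    reviewed = datetime.fromisoformat(reviewed_at)
    findings = []
    for rec in json.loads(records_json):
        names = {n.strip().lower() for n in rec["name_value"].splitlines()}
        hits = names & MONITORED_NAMES
        if not hits:
            continue  # certificate is not for a name we monitor
        if any(s in rec["issuer_name"] for s in EXPECTED_ISSUER_SUBSTRINGS):
            continue  # issued by a CA we authorised
        age_days = (reviewed - datetime.fromisoformat(rec["not_before"])).days
        findings.append((rec["id"], rec["issuer_name"], sorted(hits), age_days))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_issuances(SAMPLE_RECORDS, "2025-09-03"):
        print("ALERT unexpected issuer:", finding)
```

Running the monitor on a schedule rather than once is what turns a CT log from a public record into an early-warning source; the age field makes a months-old undetected certificate stand out immediately.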

The investigation is ongoing, with unresolved questions about the requestors of the certificates and the failure of existing safeguards to detect them promptly.
