Recently, a security incident involving the unauthorized issuance of TLS certificates for 1.1.1.1, a widely used public DNS resolver, has come to light. Over nearly a year and a half, a Certificate Authority (Fina CA) issued twelve certificates for this IP address without proper authorization. While there’s no current evidence these certificates were exploited maliciously, the incident highlights important issues related to trust, transparency, and security on the Internet.
How DNS and TLS Work Together
1.1.1.1 is a public DNS resolver service used worldwide. It translates domain names such as example.com into IP addresses such as 192.0.2.42, the step that has to happen before a client can reach almost any website.
The Limitations of Traditional DNS
Traditionally, DNS queries and responses travel in plaintext, so anyone on the network path can read them or alter them in transit. That exposes both user privacy and the integrity of the answers.
Protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS traffic inside a TLS connection, and that connection authenticates the resolver with a TLS certificate.
When connecting over these protocols, the client verifies that the server's TLS certificate chains to a root it trusts and that the certificate is for the endpoint it dialed. Because devices are usually configured with the resolver's IP address (1.1.1.1) rather than a hostname, the certificate must list that IP as an IP-address entry in its Subject Alternative Name (SAN) extension; a certificate that carries only DNS names will not validate for an IP literal.
This system depends on the set of Certificate Authorities (CAs) a client's root store trusts. If any of those CAs issues a certificate improperly or maliciously, every client trusting that CA is exposed.
Between February 2024 and August 2025, Fina CA issued twelve TLS certificates for 1.1.1.1 without the knowledge or approval of the operators of this DNS service. Each was valid for one year, included additional domain names (many of them unregistered), and carried a subject name referring to a fictitious organization.
This matters because TLS certificates are the foundation of trust in encrypted communications. An attacker holding one of these certificates together with its private key could present it to clients as 1.1.1.1, opening the door to interception or redirection of DNS traffic.
While there is currently no evidence of such exploitation, the incident reveals vulnerabilities in the trust infrastructure that underpins secure communications on the Internet.
In a hypothetical malicious scenario, an attacker with a rogue certificate and its private key could impersonate the DNS resolver, intercept user traffic, and read or manipulate DNS queries and answers.
However, two conditions must hold for that to work: the attacker must have access to the certificate's private key, and the victim's client must trust the CA that issued the certificate. According to statements from the CA, those conditions were not met here.
The Role of Certificate Transparency
To detect misissuance, the industry relies on Certificate Transparency (CT), a system in which issued certificates are recorded in public, append-only logs. Anyone, including site operators, browser vendors, and other stakeholders, can monitor those logs for unauthorized or suspicious certificates covering names and addresses they care about.
Fina CA did submit these certificates to CT logs, which is how they were identified and then revoked. Still, not every client enforces CT; DoT and DoH clients in particular generally do not require a logged certificate, so CT is a detection mechanism rather than a prevention mechanism there. That gap underscores the importance of both industry-wide CT enforcement and active log monitoring.
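The following Go program is an added example written for this summary; it is not code from Cloudflare, Fina CA, or the original post. It demonstrates the two checks discussed above: the rule that a client dialing an IP literal such as 1.1.1.1 only accepts a certificate whose SAN extension contains that IP (DNS names do not count), and a simple CT-monitor rule that flags any certificate covering a watched IP unless its issuer is on an authorized list. The certificates are self-signed stand-ins generated in the program, so the issuer equals the subject; the organization names ("Fictitious Org", "Example Authorized CA") and the DNS name "unregistered.invalid" are constructed assumptions, not values from the real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a self-signed certificate whose SAN extension carries
// the given IP addresses and DNS names. It stands in for a certificate pulled
// from a CT log; the organization names and SAN values passed to it are
// constructed for this example, not copied from the real Fina certificates.
func newSelfSignedCert(org string, ips []net.IP, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // one-year validity, as in the incident
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,      // IP SANs: what a DoT/DoH client checks when it dialed 1.1.1.1
		DNSNames:     dnsNames, // DNS SANs: ignored when the client dialed an IP literal
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostMatches reports whether a TLS client that dialed host (an IP literal or a
// DNS name) would accept cert as being for that host. It applies the standard
// library's name-matching rule: an IP literal must appear as an IP SAN, and DNS
// SANs do not count. Chain trust is a separate check (see the note below).
func hostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Watchlist describes the IPs you operate and which issuer organizations are
// allowed to issue certificates for them; a CT monitor evaluates every logged
// certificate against it.
type Watchlist struct {
	IPs               []net.IP
	AuthorizedIssuers map[string]bool
}

// flagUnauthorized returns the watched IPs that cert covers when its issuer is
// not on the authorized list. A non-empty result is an alert; nil means the
// certificate is either from an authorized issuer or does not touch watched IPs.
func flagUnauthorized(w Watchlist, cert *x509.Certificate) []string {
	issuer := ""
	if len(cert.Issuer.Organization) > 0 {
		issuer = cert.Issuer.Organization[0]
	}
	if w.AuthorizedIssuers[issuer] {
		return nil
	}
	var hits []string
	for _, san := range cert.IPAddresses {
		for _, watched := range w.IPs {
			if san.Equal(watched) {
				hits = append(hits, san.String())
			}
		}
	}
	return hits
}

func main() {
	resolver := net.ParseIP("1.1.1.1")
	// Constructed stand-in for an unauthorized certificate: fictitious subject,
	// an unregistered DNS name, and the resolver's IP as an IP SAN.
	rogue, err := newSelfSignedCert("Fictitious Org", []net.IP{resolver}, []string{"unregistered.invalid"})
	if err != nil {
		panic(err)
	}
	fmt.Println("client dialing 1.1.1.1 accepts rogue cert by name:", hostMatches(rogue, "1.1.1.1"))

	w := Watchlist{
		IPs:               []net.IP{resolver},
		AuthorizedIssuers: map[string]bool{"Example Authorized CA": true}, // assumed issuer name
	}
	fmt.Println("monitor flags rogue cert for:", flagUnauthorized(w, rogue))
}
```

hostMatches only answers the name-matching question. A real client also verifies the chain against its root store (in Go, x509.Certificate.Verify with a VerifyOptions.Roots pool, which crypto/tls performs for you); that second step is exactly where "does the client trust Fina CA" decides whether an impersonation attempt succeeds. A production CT monitor would key its authorized-issuer check on the issuer's full distinguished name or public key rather than the Organization string alone, and would feed the check from a CT log client instead of locally generated certificates.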
Once the incident was identified, the operators involved took immediate action:
- Revoked the unauthorized certificates
- Engaged with the CA and industry partners to investigate and prevent similar issues
- Enhanced monitoring systems to better detect future certificate misissuance
- Strengthened alerting mechanisms for certificate issuance anomalies
For most users, direct management of certificates isn't necessary. However, staying informed and practicing good security hygiene remains important:
- Keep your devices and browsers updated. Updates carry root-store changes and revocation data, which is how a misissued or distrusted certificate stops being accepted on your device.
- Pay attention to security warnings. Modern browsers warn about invalid or suspicious certificates; do not click through such warnings.
- For organizations: review your systems' trust policies, make sure they rely on reputable Certificate Authorities, and monitor Certificate Transparency logs for certificates issued for your domain names and IP addresses by CAs you did not authorize.
This incident serves as a reminder of the ongoing challenges in maintaining trust on the Internet. While the current infrastructure has vulnerabilities, collaborative efforts—such as the use of Certificate Transparency—are crucial in detecting and preventing misissuance.
The broader community continues to work toward a more secure and transparent Internet. Staying vigilant and informed helps all of us contribute to a safer digital environment.
For a more in-depth discussion, please see Cloudflare's blog post announcing the incident.