Publication date: 04.09.2025 15:49:00
In May 2025, three TLS certificates were issued for 1.1.1.1, the IP address of Cloudflare's public DNS resolver. Whoever held the matching private keys could present a certificate that Windows clients would accept as genuine, impersonate the resolver's encrypted DNS endpoints (DNS over HTTPS and DNS over TLS), and read or alter the queries sent to it. The certificates went unnoticed for four months and were discovered only in September, after a forum post drew attention to them.
This matters because 1.1.1.1 is one of the three most widely used public DNS resolvers in the world, alongside Google Public DNS and OpenDNS.
The issuer turned out to be Fina RDC 2020, an intermediate certificate authority chaining to Fina Root CA, which is included in Microsoft's trusted root program. Windows, and therefore the Edge browser, which relies on the Windows certificate store, automatically trusted these certificates until Microsoft acted to distrust them. At the time of publication, two of the three certificates were still within their validity period.
Cloudflare said it had not authorized the issuance and launched an internal investigation. The company contacted Fina, Microsoft, and the regulator overseeing Fina, which could withdraw trust in the CA or require the certificates to be revoked. Fina had not responded at the time of publication.
Microsoft, for its part, promised to add the certificates to its disallowed list, but did not explain why the mis-issuance had gone undetected for so long. Google and Mozilla reported that Chrome and Firefox had never trusted these certificates, since Fina is not in their root stores. Apple's root store does not include Fina either, so Safari was not affected.
Experts warn that an attacker holding such certificates and their private keys could impersonate the 1.1.1.1 service, decrypt DNS traffic, and tamper with the exchange between the user and the resolver. The practical precondition is a network position that lets the attacker intercept or redirect connections to 1.1.1.1, so the risk of a man-in-the-middle attack is highest on untrusted or poorly protected networks, and only for clients that trust the Windows root store.
Cloudflare emphasized that its WARP VPN service is not affected, because it does not rely on Web PKI certificates for its encryption. The incident nonetheless exposed how fragile the trust infrastructure is: a single failure at one certification authority can put millions of users at risk.
The TLS certificate system is the foundation of trust on the Internet. It is supposed to guarantee that a server presenting a certificate for gmail.com is really operated by the domain's owner. As this incident showed, a single mis-issuance by any trusted CA is enough to undermine that guarantee.
Cloudflare called for greater transparency and oversight, recalling that it was the Certificate Transparency system that made the problem discoverable at all: the certificates had been recorded in public CT logs, but nobody monitoring those logs flagged them until the forum post.
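The lesson a practitioner would draw from this is to monitor Certificate Transparency logs for your own names and IP addresses and alert on any certificate issued by a CA you do not expect. The script below is an added example written for this page, not code from Cloudflare or Fina; it works on records in the JSON shape returned by crt.sh (https://crt.sh/?q=<name>&output=json), where each record carries id, issuer_name, name_value (one SAN per line), not_before and not_after. The sample records, issuer distinguished names and the allowlist of expected issuers are constructed for illustration and are not the real log entries.

```python
"""Minimal Certificate Transparency monitor: flag certificates for watched
names or IPs whose issuer is not on an allowlist, and say whether each one
is still valid at a given point in time.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample in the JSON shape crt.sh returns with output=json.
# Ids and DNs are illustrative, not the real log entries for 1.1.1.1.
SAMPLE_CT_JSON = """[
  {"id": 1001, "issuer_name": "C=XX, O=Example, CN=Example Trusted CA",
   "name_value": "one.one.one.one\\n1.1.1.1",
   "not_before": "2025-01-10T00:00:00", "not_after": "2026-01-10T00:00:00"},
  {"id": 1002, "issuer_name": "C=XX, O=Fina, CN=Fina RDC 2020",
   "name_value": "1.1.1.1",
   "not_before": "2025-02-20T00:00:00", "not_after": "2025-08-20T00:00:00"},
  {"id": 1003, "issuer_name": "C=XX, O=Fina, CN=Fina RDC 2020",
   "name_value": "1.1.1.1",
   "not_before": "2025-05-12T00:00:00", "not_after": "2026-05-12T00:00:00"},
  {"id": 1004, "issuer_name": "C=XX, O=Fina, CN=Fina RDC 2020",
   "name_value": "1.1.1.1",
   "not_before": "2025-05-13T00:00:00", "not_after": "2026-05-13T00:00:00"},
  {"id": 1005, "issuer_name": "C=XX, O=Fina, CN=Fina RDC 2020",
   "name_value": "unrelated.example",
   "not_before": "2025-05-12T00:00:00", "not_after": "2026-05-12T00:00:00"}
]"""

# Placeholder allowlist (assumption): the full issuer DNs of the CAs you
# actually use. Exact-match on the whole DN, not a substring, so that a
# look-alike CN under a different organisation does not pass.
EXPECTED_ISSUERS = {"C=XX, O=Example, CN=Example Trusted CA"}

# Names to watch. crt.sh renders IP-address SANs as plain strings in
# name_value, so an IP such as 1.1.1.1 is compared the same way as a DNS name.
WATCHED_NAMES = {"1.1.1.1", "one.one.one.one"}


def _utc(ts: str) -> datetime:
    """crt.sh timestamps are ISO 8601 without a zone; treat them as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def find_unexpected(records, watched, expected_issuers, now):
    """Return records covering a watched name whose issuer is not allowlisted."""
    hits = []
    for rec in records:
        sans = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        matched = sans & {w.lower() for w in watched}
        if not matched:
            continue  # certificate does not cover anything we watch
        if rec["issuer_name"] in expected_issuers:
            continue  # issued by a CA we expect; nothing to report
        still_valid = _utc(rec["not_before"]) <= now <= _utc(rec["not_after"])
        hits.append({
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": sorted(matched),
            "still_valid": still_valid,
        })
    return hits


def fetch_ct_records(name: str):
    """Live lookup against crt.sh (network access required; not used by the sample)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(name) + "&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def check_sample():
    """Run the monitor over the constructed sample as of the article's date."""
    records = json.loads(SAMPLE_CT_JSON)
    as_of = datetime(2025, 9, 4, tzinfo=timezone.utc)
    return find_unexpected(records, WATCHED_NAMES, EXPECTED_ISSUERS, as_of)


if __name__ == "__main__":
    for hit in check_sample():
        state = "STILL VALID" if hit["still_valid"] else "expired"
        print(f"ALERT crt.sh id={hit['id']} issuer={hit['issuer']!r} "
              f"names={hit['names']} ({state})")
```

Against the sample, the three constructed "Fina RDC 2020" certificates for 1.1.1.1 are reported and the one covering an unrelated name is ignored; the record issued by the allowlisted CA produces no alert. In production the same loop would run over `fetch_ct_records(name)` for each watched name on a schedule, and any hit that is still valid is the one to escalate, since it is the one an on-path attacker could still use.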
This incident is not just a technical failure but a warning sign: trust on the Internet rests on a fragile architecture in which a mistake at a single CA can become the entry point for a global attack.
(the text translation was done automatically)