In May 2025, three unauthorized Transport Layer Security (TLS) certificates were issued for 1.1.1.1, the widely used public Domain Name System (DNS) service operated by Cloudflare in partnership with the Asia Pacific Network Information Centre (APNIC). These certificates, issued by the certificate authority (CA) Fina RDC 2020, could allow malicious actors to intercept and decrypt encrypted DNS queries, thereby exposing users’ browsing activities.
The existence of these certificates came to light on September 3, 2025, when they were discussed in an online security forum, four months after their issuance. Fina RDC 2020’s legitimacy is derived from the Fina Root CA, which is included in the Microsoft Root Certificate Program. Consequently, the mis-issued certificates were trusted by default by Windows operating systems and the Microsoft Edge browser.
Cloudflare’s Response
Cloudflare confirmed that these certificates were issued without their authorization. In response, the company initiated an investigation and reached out to Fina, Microsoft, and Fina’s supervisory body to address the issue. Cloudflare also assured users that its WARP VPN service remained unaffected by this incident.
Microsoft’s Actions
Microsoft engaged with the certificate authority to request immediate action and moved to block the affected certificates via its disallowed list to protect customers. The company did not provide details on why the improperly issued certificates went undetected for four months.
Impact on Other Browsers
Users of other major browsers were not affected. Representatives for Google and Mozilla confirmed that Chrome and Firefox have never trusted the Fina root certificate. Similarly, Apple’s list of trusted root authorities for Safari does not include Fina.
Understanding TLS Certificates and Potential Risks
A TLS certificate binds a domain name to a public key, so that a client can cryptographically verify it is talking to the domain’s legitimate operator. Whoever holds a valid certificate for a domain, together with its private key, can impersonate that domain. In this case, an attacker with the mis-issued certificates could conduct an adversary-in-the-middle attack, intercepting and decrypting encrypted DNS lookups.
Implications for Public Key Infrastructure
This incident highlights a significant vulnerability in the public key infrastructure (PKI) that underpins much of the internet’s security. A single point of failure within a CA can compromise the entire system of trust. Cloudflare likened the CA ecosystem to a castle with many doors, emphasizing that the failure of one CA can jeopardize the security of the whole system.
Effectiveness of Certificate Transparency Logs
The discovery also raises questions about the effectiveness of Certificate Transparency (CT) logs, which are public records of all issued certificates designed to detect mis-issuances promptly. The four-month delay in identifying these unauthorized certificates suggests potential gaps in the monitoring and reporting processes.
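The monitoring gap described above (and the identity-binding point made earlier) is what a CT-log watcher is meant to close: every logged certificate that names an identity you operate is checked against the issuers you actually authorised, and anything else raises an alert the day it is logged. The following is an added example, not code from Cloudflare or from the article; the CA allowlist, the JSON layout and the log entries are constructed for illustration, and only the standard library is used.

```python
import ipaddress
import json
from datetime import date

# Constructed sample shaped like a CT-log search result (not real log data).
# Entry 2 mirrors the article's case: an issuer never authorised for 1.1.1.1.
SAMPLE_CT_ENTRIES = json.dumps([
    {"id": 1, "issuer": "Example Public CA", "not_before": "2025-04-02",
     "sans": ["IP:1.1.1.1", "IP:2001:0db8:0000::0001"]},
    {"id": 2, "issuer": "Fina RDC 2020", "not_before": "2025-05-01",
     "sans": ["IP:1.1.1.1"]},
    {"id": 3, "issuer": "Example Public CA", "not_before": "2025-06-10",
     "sans": ["DNS:www.example.net"]},
])

# Hypothetical policy: identity we operate -> issuers allowed to certify it.
MONITORED = {"1.1.1.1": {"Example Public CA"}}


def normalise_san(san):
    """Canonicalise one SAN so 'IP:2001:0db8::1' and 'IP:2001:db8::1' compare equal."""
    kind, _, value = san.partition(":")
    if kind == "IP":
        return str(ipaddress.ip_address(value))  # canonical textual form, v4 or v6
    return value.lower().rstrip(".")            # DNS names: case-insensitive, no root dot


def cert_identities(entry):
    """All identities (DNS names and IP addresses) a logged certificate claims."""
    return {normalise_san(s) for s in entry["sans"]}


def find_unexpected(raw_json, policy):
    """Return (entry id, identity, issuer) for every cert that names a monitored
    identity but was issued by a CA outside that identity's allowlist."""
    alerts = []
    for entry in json.loads(raw_json):
        for ident in sorted(cert_identities(entry)):
            if ident in policy and entry["issuer"] not in policy[ident]:
                alerts.append((entry["id"], ident, entry["issuer"]))
    return alerts


def detection_lag_days(not_before, discovered):
    """Days between issuance and discovery; a CT watcher aims for zero."""
    return (date.fromisoformat(discovered) - date.fromisoformat(not_before)).days


if __name__ == "__main__":
    for entry_id, ident, issuer in find_unexpected(SAMPLE_CT_ENTRIES, MONITORED):
        print(f"ALERT: entry {entry_id} names {ident} but was issued by {issuer!r}")
    print("lag without monitoring:", detection_lag_days("2025-05-01", "2025-09-03"), "days")
```

Run against a real feed, the same policy check would have fired on the day the Fina certificate was logged rather than four months later.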
Ongoing Investigation
As the investigation continues, critical questions remain about who requested the certificates and why existing safeguards failed to detect them sooner. This incident underscores the need for continuous vigilance and improvement in the mechanisms that secure internet communications.