SYSTEM FAIL

Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet

The three certificates were issued in May but only came to light Wednesday.

Dan Goodin
Credit: Getty Images

People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry.

The certificates, issued in May, could be used by whoever holds their private keys to decrypt domain lookup queries sent over DNS over HTTPS or DNS over TLS. Both protocols encrypt the exchange between an end-user device and the resolver when the device looks up the IP address of a domain it wants to reach. Two of the certificates remained valid at the time this post went live on Ars.

Investigation underway

Although the certificates were issued four months ago, their existence came to public notice only on Wednesday in a post to an online discussion forum. They were issued by Fina RDC 2020, a certificate authority that’s subordinate to the root certificate holder Fina Root CA. The Fina Root CA, in turn, is trusted by the Microsoft Root Certificate Program, which governs which certificates are trusted by the Windows operating system. Microsoft Edge accounts for approximately 5 percent of the browsers actively used on the Internet.

In an emailed statement sent several hours after this post went live, Cloudflare officials confirmed the certificates were improperly issued. They wrote in part:

Cloudflare did not authorize Fina to issue these certificates. Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body – who can mitigate the issue by revoking trust in Fina or the mis-issued certificates. At this time, we have not yet heard back from Fina.

The statement went on to say that data encrypted through Cloudflare's WARP VPN isn't affected.

Microsoft said in an email that it has “engaged the certificate authority to request immediate action. We’re also taking steps to block the affected certificates through our disallowed list to help keep customers protected.” The statement didn't say how the company failed to identify the improperly issued certificates for such a long period of time.

Representatives from Google and Mozilla said in emails that their Chrome and Firefox browsers have never trusted the certificates, and there was no need for users to take any action. An Apple representative responded to an email with a link to the list of certificate authorities Safari trusts. Fina was not on it.

It wasn't immediately known which organization or person requested and obtained the credentials. Representatives from Fina didn’t answer emails seeking details.

Certificates are a key part of the Transport Layer Security protocol. Each one binds a specific domain name (or, as here, an IP address) to a public key. The certificate authority, the entity authorized to issue browser-trusted certificates, signs the certificate with its own private key, attesting that the binding is valid. Anyone holding a TLS certificate together with its private key can cryptographically impersonate the name for which it was issued.

The holder of the 1.1.1.1 certificates could potentially use them in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service, Ryan Hurst, CEO of Peculiar Ventures and a TLS and public key infrastructure expert, told Ars.

From there, attackers with possession of the 1.1.1.1 certificates could decrypt, view, and tamper with traffic from the Cloudflare DNS service, Hurst said.

Castles made of sand

Wednesday’s discovery exposes a key weakness of the public key infrastructure that’s responsible for ensuring trust of the entire Internet. Despite being the only thing ensuring that gmail.com, bankofamerica.com or any other website is controlled by the entity claiming ownership, the entire system can collapse with a single point of failure.

Cloudflare's statement observed:

The CA ecosystem is a castle with many doors: the failure of one CA can cause the security of the whole castle to be compromised. CA misbehavior, whether intentional or not, poses a persistent and significant concern for Cloudflare. From the start, Cloudflare has helped develop and run Certificate Transparency that has allowed this mis-issuance to come to light.

The incident also reflects poorly on Microsoft for failing to proactively catch the mis-issued certificates and allowing Windows to trust them for such a long period of time. Certificate Transparency, a system of public, append-only logs that record the issuance of browser-trusted certificates in near real time, can be searched automatically. The entire purpose of the logs is to let stakeholders quickly identify mis-issued certificates before they can be actively used. The mis-issuance in this case was easy to spot because the IP address used to confirm that the applicant controlled the name was 1.1.1.1 itself.
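The kind of automated log check the paragraph above describes, as an added example (not code from the article, Cloudflare or Fina): it consumes records in the JSON shape that crt.sh's `?q=<name>&output=json` search endpoint returns and flags any certificate for a monitored name whose issuer is outside the operator's allowlist. The records, dates and allowed-issuer name are constructed; only the issuer name "Fina RDC 2020" comes from the article.

```python
# Added example: minimal Certificate Transparency monitor for one name.
# Input mirrors crt.sh's JSON search output (id, issuer_name, not_before,
# not_after, name_value); every record below is constructed for illustration.
import json
from datetime import datetime, timezone

MONITORED_NAME = "1.1.1.1"
# CAs this hypothetical operator actually uses (placeholder, not Cloudflare's).
ALLOWED_ISSUERS = {"Example Public CA R1"}
CHECK_TIME = datetime(2025, 9, 3, tzinfo=timezone.utc)  # constructed check time

# Constructed crt.sh-style records: one expected issuance, one unexpected.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=XX, O=Example, CN=Example Public CA R1",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-05-30T00:00:00",
     "name_value": "1.1.1.1\none.one.one.one"},
    {"id": 2, "issuer_name": "C=HR, O=Fina, CN=Fina RDC 2020",
     "not_before": "2025-05-12T09:00:00", "not_after": "2026-05-12T09:00:00",
     "name_value": "1.1.1.1\ntest1.example"},
])

def issuer_cn(issuer_name: str) -> str:
    """Extract the CN from a crt.sh issuer_name such as 'C=HR, O=Fina, CN=Fina RDC 2020'."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return issuer_name  # no CN attribute: fall back to the full DN

def flag_unexpected(raw_json: str, allowed: set, now: datetime) -> list:
    """One finding per cert naming MONITORED_NAME whose issuer is not in `allowed`.
    `now` is injected so the still-valid check is reproducible."""
    findings = []
    for rec in json.loads(raw_json):
        names = rec["name_value"].split("\n")  # crt.sh lists SANs newline-separated
        if MONITORED_NAME not in names:
            continue
        cn = issuer_cn(rec["issuer_name"])
        if cn in allowed:
            continue
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        findings.append({"id": rec["id"], "issuer": cn, "still_valid": not_after > now,
                         "other_names": [n for n in names if n != MONITORED_NAME]})
    return findings

if __name__ == "__main__":
    for f in flag_unexpected(SAMPLE_CRTSH_JSON, ALLOWED_ISSUERS, CHECK_TIME):
        print(f"ALERT crt.sh id={f['id']} issuer={f['issuer']!r} valid={f['still_valid']}")
```

Run against live crt.sh output on a schedule, an alert on a still-valid certificate from an unknown issuer is exactly the signal that went unnoticed for four months here.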

The public discovery of the certificates four months after the fact suggests the transparency logs didn’t receive the attention they were intended to get. It's unclear how so many different parties could miss the certificates for such a long time span.

This story was updated to correct an explanation of TLS certificates and to report newly available details.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
Staff Picks
D
It would be good to include more about the "mis-issued" part of this, the article seems entirely devoid of facts on this point. The linked post says they "appear to be misused" and it is "highly unlikely" that control of the IP was demonstrated but even then, no facts.

Do not project your failures in reading comprehension on to the article. "Appear to be misused" does not appear in the article. "Highly unlikely" does not appear in the article. Facts, however, do appear in the article.

How are they being misused?

Well,
“Doing so would require a BGP hijack to trick your host to think your [rogue] 1.1.1.1 was the one I should connect to,” he explained. BGP is short for Border Gateway Protocol, a specification used to link regional networks scattered around the world, known as Autonomous Systems, to each other. By manipulating the system through false notices, attackers regularly take control of legitimate IP addresses, including those belonging to telecoms, banks, and Internet services.

From there, attackers with possession of the 1.1.1.1 certificates could decrypt, view, and tamper with traffic from the Cloudflare DNS service, Hurst said. He added that Cloudflare’s WARP VPN service may also be similarly affected.


Has Cloudflare (apparent actual owner of 1.1.1.1) made statements to this effect?

Well,
CAs are required to provide the IP addresses they used to verify that a party applying for a certificate controls the address they want covered. None of the three certificates provides that information.

Would Cloudflare omit that information? Even more to the point, if they did should the CA issue such a certificate? No? Then we presume that the irregularly issued certificate was not issued to a proper requester. Why would Cloudflare even hold information about whether someone else improperly requested and was issued a certificate anyway?

I expect a lot more than this from Ars.

I expect better than this from you. The fault is not with Ars.
m
So the Google rep was lying out of their teeth then? Does the same apply to Firefox?


Chrome used to use the host’s root store. It has changed, or is changing, to have its own store.

https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md

Off the top of my head I do not know which OSes they’ve enabled it for (some, none, or all).

edit: this (old) info describes them doing a platform by platform transition

https://www.chromium.org/Home/chromium-security/root-ca-policy/policy-archive/version-1-2/

Noting iOS is not going to move over. I think the OP is thinking of the old system. I expect most versions of Chrome moved over by now.
F
Looking at the domain names associated with the certs (test1.hr, test12.hr, etc.) and the fact that three separate certs went through, I’d bet this is test data that somehow inadvertently got sent to prod. Perhaps even internally in Fina? Embarrassment could explain their silence.
It's at least as much of a bad look for Microsoft as it is for Fina. The certs were patently defective, and a basic scan by automated tools should have kicked them out long before they were put into production versions of Windows for crying out loud.
1
By default Chrome running on Windows trusts the certs in the Windows certificate store.
This is wrong. Chrome has its own root store and it’s been in use on Windows for about 3 years.