Cloudflare’s secure DNS service, 1.1.1.1, recently became the centre of attention after a subordinate certificate authority issued transport layer security (TLS) certificates covering the IP address 1.1.1.1. Discovered months later through Certificate Transparency logs, the misissuance highlights a dangerous hole in the internet’s trust model and adds to questions about the security of encrypted DNS traffic.
What Went Wrong
A subordinate CA called Fina RDC 2020 issued three certificates that listed iPAddress:1.1.1.1 in the Subject Alternative Name (SAN) field, although it does not control that IP. 1.1.1.1 is the resolver run by Cloudflare and APNIC (one of the five RIRs), and practically the most prominent public DNS service worldwide.
Certificate authorities may only place an IP address in the SAN iPAddress field when control of that address has been validated; they cannot list arbitrary addresses. Under the CA/Browser Forum Baseline Requirements, the certificate authority must verify that the requester controls every IP address listed in the certificate. Issuing these certificates breached those rules and could, under sufficient conditions, allow an attacker who is intercepting traffic to that IP to serve a certificate that validates.
The certificates were issued by a CA belonging to the Microsoft Root Certificate Program and thus stand to be trusted by Windows and by applications that use the Windows trust store. The real-world effect is narrower than it might be, since Mozilla, Google, and Apple have all said that their root programs do not trust this CA, but it’s still a pretty big problem.
Why 1.1.1.1 Matters
Cloudflare’s 1.1.1.1 is a privacy-centric resolver that supports both DNS over HTTPS (DoH) and DNS over TLS (DoT). The company says the service serves billions of DNS queries a day. Any compromise to the confidentiality or integrity of its encrypted sessions resonates through consumer devices, enterprise networks and privacy tools alike.
DoH and DoT use TLS to ensure that clients are talking to the intended resolver. If a client accepts a certificate identity based on an IP address, and that IP is listed in the certificate’s SAN, then a malicious intermediary could, in theory, intercept the TLS session and observe or tamper with DNS lookups. The practical danger depends on what clients do: many DoH clients validate hostnames (for example, cloudflare-dns.com), while some DoT or embedded clients may connect via IP and accept IP-based identities.
Scope and Immediate Impact
Cloudflare said that it did not issue any certificates for 1.1.1.1, and that it has been working with Microsoft and the Croatian police, which oversees Fina’s PKI operations. Microsoft is in the process of recalling and blocking the affected certificates in its products and services. When disclosed, some certificates were still valid but awaiting revocation, highlighting the time delay that can happen between discovery and remediation.
Cloudflare said its WARP VPN service is not affected. The primary exposure appears to be on encrypted DNS traffic paths where clients could accept IP-based SANs. There is no public evidence of abuse, but given the certificate misissuance and the ever-present possibility of network interception (BGP hijacks, local network manipulation), vigilance is warranted.
An Old Weak Spot in the CA System
Misissuance is not new. Past calamities (DigiNotar’s demise, the loss of trust in Symantec’s legacy PKIs, and the dying off of other bad CAs) demonstrated how one weak link can infect the fabric of trust that the web depends on. The present incident lays bare two systemic issues: how stringently IP identity is verified, and how long it takes before Certificate Transparency monitoring flags blatantly obvious anomalies.
Certificate Transparency was built to provide visibility: every publicly trusted certificate is logged so that it can be audited quickly. These certificates sat in logs for months before broad awareness, which indicates to me that automated alerting on high-value IP ranges is either underutilized or ineffective. For high-value addresses like 1.1.1.1, proactive watchlists and policy-based alerts should be the default on all CT monitors operated by browser vendors, CAs, and large network providers.
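A watchlist check of the kind described above, as an added example that is not from the original article or from any CT monitor's code. The entry layout, the `WATCHLIST` policy, the issuer names other than Fina RDC 2020 and the serial placeholders are constructed for illustration; a real monitor would fill the same fields from parsed log entries.

```python
import ipaddress

# Watched ranges mapped to the issuers expected to certify them (assumed policy;
# an empty set means every issuance for that range raises an alert).
WATCHLIST = {
    ipaddress.ip_network("1.1.1.1/32"): set(),
    ipaddress.ip_network("192.0.2.0/24"): {"Example Internal CA"},
}

def normalise(value):
    """Parse a SAN iPAddress string and unwrap IPv4-mapped IPv6 addresses."""
    addr = ipaddress.ip_address(value)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def flag_entries(entries, watchlist=WATCHLIST):
    """Return (serial, ip, issuer) for each watched IP SAN from an unexpected issuer."""
    alerts = []
    for entry in entries:
        for san_type, value in entry["san"]:
            if san_type != "ip":
                continue  # a dNSName that merely looks like an IP is not an IP SAN
            try:
                addr = normalise(value)
            except ValueError:
                continue  # malformed value: nothing to match against
            for net, issuers in watchlist.items():
                if addr in net and entry["issuer"] not in issuers:
                    alerts.append((entry["serial"], str(addr), entry["issuer"]))
    return alerts

# Constructed sample entries (serials are placeholders, not real certificates).
SAMPLE = [
    {"serial": "SERIAL-A", "issuer": "Fina RDC 2020",
     "san": [("dns", "test.example"), ("ip", "1.1.1.1")]},
    {"serial": "SERIAL-B", "issuer": "Example Internal CA",
     "san": [("ip", "192.0.2.10")]},
    {"serial": "SERIAL-C", "issuer": "Other CA",
     "san": [("ip", "::ffff:1.1.1.1"), ("ip", "not-an-ip")]},
    {"serial": "SERIAL-D", "issuer": "Other CA",
     "san": [("dns", "1.1.1.1.example")]},
]

if __name__ == "__main__":
    for alert in flag_entries(SAMPLE):
        print("ALERT", *alert)
```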
Technical Risk: How Could an Attacker Exploit This
A plausible adversary-in-the-middle scenario needs several conditions to hold at once:
– The attacker controls a network close to the affected clients (for example, a private NAT) or can otherwise redirect traffic destined for 1.1.1.1.
– The attacker is able to obtain a mis-issued certificate that contains 1.1.1.1 in the SAN, alone or in combination with other IP or DNS SAN entries.
– A CA is willing to issue such a certificate.
Even with all of this in place, only some clients would accept the certificate.
This means an attacker may be able to decrypt DoT or DoH sessions and see the queried domains, and worse, might be able to serve tampered answers to DoT/DoH clients when the client’s resolver stack accepts identities based on IP addresses and doesn’t pin a name. It depends on the client’s validation rules, the revocation status and the attacker’s ability to control the network path.
Best-practice clients verify the resolver’s hostname and refuse to accept IP-only identities in encrypted DNS. That is a single design choice that drastically cuts down on exposure from this type of CA failure.
What Enterprises and Individuals Can Do
– Favour resolver configurations for DoT and DoH that authenticate a known authentication domain name, not an IP literal.
– In Windows environments, make sure revocation checking is enabled and up to date; monitor Microsoft advisories and, if possible, implement local disallow policies for known-bad thumbprints via group policy or MDM.
– Network teams should also configure CT log monitoring for sensitive domains and IP ranges. Many security operations centers watch certificates for internal domains; extending that to public resolvers and other critical infrastructure is wise.
– When embedding DNS privacy features, developers should ensure that hostname validation is performed for TLS and that IP-based SANs are never silently accepted: a certificate that proves only an IP identity should fail with a clear error.
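The client-side rule from the best-practice paragraph and the developer item above, as an added example that is not from the original article: dial the resolver by IP, but verify the certificate against a name and refuse identities that rest only on an iPAddress SAN. The function names, the port default and the sample certificate dicts are assumptions of this example; the dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import socket
import ssl

class ResolverIdentityError(Exception):
    """The peer did not prove the expected resolver name."""

def require_dns_name(auth_name):
    """Reject IP literals so TLS is never asked to verify an iPAddress SAN."""
    try:
        ipaddress.ip_address(auth_name)
    except ValueError:
        return auth_name.rstrip(".").lower()
    raise ResolverIdentityError(f"{auth_name!r} is an IP literal, not a resolver name")

def dns_san_matches(pattern, name):
    """Exact match, or '*' covering the whole left-most label only."""
    p, n = pattern.lower().rstrip(".").split("."), name.split(".")
    if len(p) != len(n):
        return False
    return p[1:] == n[1:] and (p[0] == n[0] or (p[0] == "*" and len(p) > 2))

def check_resolver_identity(cert, auth_name):
    """cert: dict shaped like getpeercert() output; only dNSName SANs count."""
    name = require_dns_name(auth_name)
    sans = cert.get("subjectAltName", ())
    if any(t == "DNS" and dns_san_matches(v, name) for t, v in sans):
        return True
    ips = [v for t, v in sans if t == "IP Address"]
    raise ResolverIdentityError(
        f"no dNSName SAN matches {name}; IP SANs {ips} are not accepted as identity")

def connect_dot(address, auth_name, port=853, timeout=5.0):
    """Dial the resolver by IP but verify the certificate against auth_name."""
    name = require_dns_name(auth_name)
    ctx = ssl.create_default_context()  # CERT_REQUIRED with check_hostname=True
    raw = socket.create_connection((address, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=name)
    except Exception:
        raw.close()
        raise
    check_resolver_identity(tls.getpeercert(), name)  # explicit second check
    return tls

# Constructed certificate dicts (not real certificates).
IP_ONLY = {"subjectAltName": (("IP Address", "1.1.1.1"),)}
NAMED = {"subjectAltName": (("DNS", "cloudflare-dns.com"), ("IP Address", "1.1.1.1"))}
```

Passing an IP literal as `server_hostname` would make the TLS library match the iPAddress SAN, which is the case the mis-issued certificates would satisfy; `require_dns_name` blocks that before any connection is made.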
The Bigger Fix
Clearly, this episode underscores the necessity of stricter programmatic limits in the CA community. More stringent pre-issuance linting of IP SANs, mandatory incident reporting deadlines, and faster, coordinated revocation among root programs would materially reduce risk. Beyond that, browser and OS vendors could reduce the blast radius by converging on policy and automating disallow lists for certificates that reference well-known critical infrastructure.
For now, the harm seems contained. But the moral is clear: even with Certificate Transparency, even with strict baseline requirements, trust on the internet still rests on rigorous verification and on clients making the most conservative choice by default.