Hey look, another certificate authority trusted ONLY by Microsoft is issuing certificates without validation (1.1.1.1/Cloudflare DNS in this case): https://crt.sh/?sha256=D42B028468E73795365102058CBCD350AD0A0B9CA7073C5362A570C5EC208A92
(h/t Hacker News user JXzVB0iA)
crt.sh | d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

The first rogue 1.1.1.1 certificate was issued by Fina and logged to Certificate Transparency over a year ago.
AFAICT, the first person to notice any of this was Hacker News user JXzVB0iA, two days ago: https://news.ycombinator.com/item?id=45089708
This morning, it was reported to the certificate-transparency mailing list, with attribution to JXzVB0iA.
A few hours later, it was reported to the mozilla-dev-security-policy mailing list, without attribution.
Then Dan Goodin wrote his article, citing the mozilla-dev-security-policy post.
Very surprising that Cloudflare did not notice given they operate a CT monitor.
Fina Root CA signs certificates for 1.1.1.1 | Hacker News

@agwa Some goofus named Matt noticed one of the revoked certs before — I think I was searching for 1.1.1.1 on crt.sh to look at Cloudflare's certs — but didn't make a stink and then forgot about it. Wellp. Insert emoji of your choice here.

Speculating wildly, I wonder if Cloudflare has monitoring but only configured it to alert on Chrome or Mozilla-trusted roots.

Matt Nordhoff (@[email protected])

https://crt.sh/?id=15190039061 Uhhh if you ignore that it was revoked, purportedly 3 minutes after being issued, was — is — this Financijska agencija (pre)certificate really trusted for TLS in Windows? Did Microsoft or anyone do anything about it? (There are several others I didn't look at.) The CA is naturally also on the EU Trusted List for QWACs or whatever. Edit: The link is a precertificate, and there is no corresponding certificate logged, but that is not evidence none exists.

@agwa While we're at it, is Oracle aware that Fina has also issued a certificate for 2.2.2.2 six days ago which is still valid and unrevoked? https://crt.sh/?id=20583047050

@agwa Apparently, the cert was subsequently revoked and CRT picked it up a little while later. My toot is from 7:28 UTC; the cert was revoked at 6:34 UTC (but still showed as valid on CRT at the time of my toot).
@agwa This screenshot was taken on or after 7:54 UTC and shows the cert as being valid. That's because the CRL had only been checked one and a half hours prior, at 6:28 UTC (six mins before the cert was revoked)
@agwa Also, why are they using reason #5 (cessationOfOperation)? That's wrong IMHO, it should be reason #4 (superseded), according to BR 4.9.1.1 (5) or (12).
@christopherkunz These are excellent discoveries! Do you want to post this to the mozilla-dev-security-policy thread (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc)? Or I can relay them, with or without attribution.
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

@agwa if you could post them and attribute me, that would be awesome. I was just researching for a news article and podcast on this.
1986968 - Financijska agencija (Fina): Mis-issued certificates

ASSIGNED (miroslav.perincic) in CA Program - CA Security Vulnerability. Last updated 2025-09-04.

@christopherkunz Cool, thanks for posting your comment in the bug. I also relayed your findings to mdsp yesterday: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc/m/hV0LJBkUAAAJ

@agwa Yes, I saw that. Thanks! RE the bug, I'm not entirely sure how an incident that ran on Ars Technica and the Cloudflare blog before hitting Bugzilla can be classified as "self reported". ;-)
@christopherkunz Do we know what flow in their registration process even allows this, and why they are still in operation? (To that extent the revocation reason seems like nice foreshadowing.)

@eckes I don't think that this CA has any public registration process, they seem to be a federal institution in Croatia. The certificates seem to be "test" certificates, and the CA has answered Cloudflare's questions with "there was an error during certificate generation".

Cloudflare has found some pretty strong words for that behavior in their blog.

@christopherkunz interesting, that’s a good use for CT if companies think they can be irresponsible (if it was not malicious, given the meaning of DoT and DoHTTPS with those Certs)
@eckes Honestly, CT is awesome. The visibility it gives researchers and other stakeholders is invaluable. Also, it's good for CTI of all sorts and a lifesaver for seemingly simple tasks like "is this a fake online shop?"

@agwa Not their first one! crt.sh is especially slow right now, but IIRC there's another, expired, apparently-never-revoked cert from the same CA from ~2023.

Edit: Correction: 2024-2025, and at least 1 is revoked (I did not check the others).

@agwa E.g. https://crt.sh/?id=12116084225 from 2024 (expired).

When https://crt[.]sh/?q=1.1.1.1 loads (link broken to reduce fedi-DDoS), there are 12 results matching "C=HR, O=Financijska agencija" from 2024-2025 (not excluding possible precert duplicates).

Edit: And what kind of serial number is "VATHR-32343828408.286"?

Edit: The cert I linked above was revoked, I was mistaken.

@mnordhoff Oh no, did I accidentally DDOS crtsh?

That's the subject serial number which is used to identify the company in OV/EV certs. I'm guessing it's a Hungarian tax identifier.
@agwa D'oh. Thank you. Makes sense. My brain glossed right over the cert "Serial Number" at the top and went down to the Subject "serialNumber". Guess I don't spend enough time around OV/EV certs.
@mnordhoff @agwa Defined in ETSI 319 412-1, section 5.1.4 "Legal person semantics identifier"
https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf#page=11 - 3-letter type, 2-letter country code, in this case the company's VAT tax identifier
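The identifier format described above, as an added example that is not from the thread or from any of its participants: a small Python parser for the ETSI EN 319 412-1 legal-person semantics identifier, plus the cross-check a CT monitor could apply to an OV/EV subject (does the country embedded in the identifier agree with the subject's C=?). The subject values are constructed from the DN quoted in the thread; the scheme table is reproduced from my reading of the standard, so verify it against the linked PDF.

```python
import re
from dataclasses import dataclass

# Scheme identifiers for legal persons in ETSI EN 319 412-1 clause 5.1.4.
# Assumption: reproduced from memory of the standard; check the linked PDF.
LEGAL_PERSON_SCHEMES = {
    "VAT": "VAT registration number",
    "NTR": "national trade register number",
    "PSD": "PSD2 authorisation number",
    "LEI": "Legal Entity Identifier",
}

# Layout: <3-letter scheme><2-letter ISO 3166-1 country code>-<reference>
SEMANTICS_ID_RE = re.compile(r"^([A-Z]{3})([A-Z]{2})-(.+)$")


@dataclass(frozen=True)
class LegalPersonId:
    scheme: str      # e.g. "VAT"
    country: str     # e.g. "HR" (ISO code for Croatia)
    reference: str   # e.g. "32343828408.286"


def parse_semantics_id(serial_number: str) -> LegalPersonId:
    """Parse a subject serialNumber such as 'VATHR-32343828408.286'."""
    m = SEMANTICS_ID_RE.match(serial_number)
    if m is None:
        raise ValueError(f"not an ETSI 319 412-1 identifier: {serial_number!r}")
    scheme, country, reference = m.groups()
    if scheme not in LEGAL_PERSON_SCHEMES:
        raise ValueError(f"unknown legal-person scheme {scheme!r}")
    return LegalPersonId(scheme, country, reference)


def check_subject(subject: dict) -> list:
    """Findings a CT monitor could raise on an OV/EV subject DN (dict of RDNs)."""
    try:
        ident = parse_semantics_id(subject.get("serialNumber", ""))
    except ValueError as err:
        return [str(err)]
    findings = []
    if ident.country != subject.get("C"):
        findings.append(
            f"identifier country {ident.country} != subject C={subject.get('C')}")
    return findings


# Constructed subject built from the DN values quoted in the thread.
FINA_SUBJECT = {"C": "HR", "O": "Financijska agencija",
                "serialNumber": "VATHR-32343828408.286"}
```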
@agwa based on the other names, someone's been testing in production?
@Rairii That's what it looks like