There is some chatter about a CA mis-issuing a certificate for 1.1.1.1. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc/m/0V_VMV7uAgAJ

This CA (https://crt.sh/?caid=201916, only ~300 certs) is only trusted by (1) the Microsoft root program, and (2) the eIDAS QWAC trusted list.

MS has not been actively managing their root program for years now, and the EU wanted to push theirs on browsers with much better ones.

Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

@filippo to me, it’s funny that this is not even the first mis-issuance related to 1.1.1.1 - there’s this banger: common name kasnetzise001.ka.de.dm-drogeriemarkt.com (???), valid for 2 years from 2013 to 2015, first seen by crt.sh in 2020 (??????). We tried investigating this last year as a part of our dns hyperfocus in Project SERVFAIL ( @dns ), but we never really got any interesting info.

If you filter crt.sh by in-addr.arpa, a surprising amount of certificates are issued for 1.1.1.1. Probably not to pwn cloudflare, rather as a placeholder that held the place for too long.

crt.sh | 2381870521


@domi @filippo exactly, DigiCert just said "lol that was before there were any rules" and that was it
@merlin @filippo the concept of “this was before there were any rules” is so funny. american thought process
@filippo It's funnier than just that. The CA is the Croatian (fully state-owned) Financial Agency (which is what the name FinA means) that handles a lot of government IT projects and is an eIDAS eID issuer. Most of their issued certs are for Croatian companies. The certificates seem to be actual OV and not eIDAS QWACs, but still have the VAT IDs of the "holders", one being FINA and the other two being "TEST PLC", for which I am unable to find a company register entry. I have a feeling someone accidentally issued some test certs in prod...
Hopefully we don't have a conspiracy theory started about Croatian Intelligence spying on DNS traffic...
@filippo Also, looks like all 3 domains they used for the certs are not even registered...

@filippo croatia has a foia [1]. It’s also available to foreigners, seems like an option to get some answers, or non-answers. Maybe @q would like another foia side-quest? Or someone else?

[1] https://en.wikipedia.org/wiki/Access_to_public_information_in_Croatia


@aurorus I recommend checking the FOI law in Croatia; from experience with submitting FOI requests, they have some wacky exceptions. Also, submitting a complaint requires that you give them your address, and if it's not in Croatia, you need to find someone who will be your representative (since it's considered a legal procedure).
@filippo I remember how Mozilla used a controversial PR company for a FUD campaign against QWAC. And in my opinion it was all about maintaining Mozilla power position in the Web PKI ecosystem regardless of the (dis)advantages of QWAC and co
Hill & Knowlton - Wikipedia

@pft This is a weird time to call the opposition to QWACs FUD?

Like, this is exactly the kind of bad stuff we all said would happen.

@filippo I'm just calling that specific campaign FUD.

What happened here is IMO not worse than what happened to Google, Mozilla, and other trust stores in case of TrustCor or any other shady CA that made it into the program and was retracted later. Did anyone question the existence of trust stores?

My point is that the opposition from trust stores to EU is in bad faith and is about maintaining own power position.

Web browsers drop mysterious company with ties to U.S. military contractor

TrustCor Systems was a root certificate authority, a key position in internet infrastructure. But details about the company raised questions about where it is based and who it works with.

The Washington Post
I get this error when I try to follow your link.
@kasperd it seems that even your DNS resolver doesn't like that campaign :-) I can't say why (see screenshot from just now) @filippo

I was getting SERVFAIL both from my local DNS server and from Google. So I am confident there was something wrong with the authoritative servers for the domain.

Now I am getting a different error though.

@kasperd that's really strange, the first screenshot says NXDOMAIN...

Anyhow, it's not that interesting after all.

It’s a known problem that there are browsers saying NXDOMAIN to the user for every DNS problem even if it’s not NXDOMAIN at all.

When I got that error at first I verified using the dig and host commands that it was a SERVFAIL error and that I also got that error from other DNS servers.
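As an added illustration (not code from any poster in this thread), a stdlib-only Python parser that reads the RCODE out of a raw DNS response header, so that SERVFAIL and NXDOMAIN stay distinct the way dig and host report them rather than being collapsed into one "name not found" error. The responses it checks are constructed inline, not captured from the domain discussed above.

```python
import struct

# DNS RCODE names from RFC 1035 section 4.1.1.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QR_BIT = 0x8000  # 1 = this message is a response
AA_BIT = 0x0400  # answer is authoritative


def build_response(qname, rcode, txid=0x1234, authoritative=False):
    """Constructed minimal DNS response (header + question only) for testing."""
    flags = QR_BIT | 0x0100 | 0x0080 | (rcode & 0xF)  # QR, RD, RA set
    if authoritative:
        flags |= AA_BIT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def classify_response(msg):
    """Parse the 12-byte DNS header and report what the resolver actually said."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR_BIT:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0xF
    return {
        "txid": txid,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "authoritative": bool(flags & AA_BIT),
        # Only NXDOMAIN means "this name does not exist". SERVFAIL and the other
        # error codes mean the lookup could not be completed (broken authoritative
        # servers, DNSSEC validation failure, timeouts); the name may well exist.
        "name_does_not_exist": rcode == 3,
        "lookup_failed": rcode not in (0, 3),
    }


if __name__ == "__main__":
    for rc in (2, 3):
        print(classify_response(build_response("campaign.example", rc)))
```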

@kasperd I was not aware of that browser behavior. Did you finally see the campaign?