Hey look, another certificate authority trusted ONLY by Microsoft is issuing certificates without validation (1.1.1.1/Cloudflare DNS in this case): https://crt.sh/?sha256=D42B028468E73795365102058CBCD350AD0A0B9CA7073C5362A570C5EC208A92
(h/t Hacker News user JXzVB0iA)

The first rogue 1.1.1.1 certificate was issued by Fina and logged to Certificate Transparency over a year ago.
AFAICT, the first person to notice any of this was Hacker News user JXzVB0iA, two days ago: https://news.ycombinator.com/item?id=45089708
This morning, it was reported to the certificate-transparency mailing list, with attribution to JXzVB0iA.
A few hours later, it was reported to the mozilla-dev-security-policy mailing list, without attribution.
Then Dan Goodin wrote his article, citing the mozilla-dev-security-policy post.
Very surprising that Cloudflare did not notice given they operate a CT monitor.
@agwa Some goofus named Matt noticed one of the revoked certs before — I think I was searching for 1.1.1.1 on crt.sh to look at Cloudflare's certs — but didn't make a stink and then forgot about it. Wellp. Insert emoji of your choice here.

Speculating wildly, I wonder if Cloudflare has monitoring but only configured it to alert on Chrome or Mozilla-trusted roots.
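The speculation above is a concrete failure mode for any CT monitor: if alerts fire only for issuers that Chrome or Mozilla trust, a certificate from a root trusted only by Microsoft (or by nobody) is silently dropped. The following is an added example in Go, not code from anyone in this thread or from Cloudflare; it shows the inverse policy, alerting on every logged certificate that names one of your IP addresses unless the issuer is on an explicit allowlist, with no reference to any root program at all. The WatchList type, the Inspect function, and the self-signed certificates that stand in for CT log entries are all constructed for this illustration, and matching on the issuer's Organization field is an assumption about how an operator would name expected CAs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// WatchList is what an operator would feed a CT monitor (assumed structure):
// the IP addresses it owns and the issuers it expects to see for them.
type WatchList struct {
	IPs             []net.IP
	ExpectedIssuers map[string]bool // keyed by issuer Organization, e.g. "Cloudflare, Inc."
}

// Finding is the alert raised for one logged (pre)certificate.
type Finding struct {
	Serial     string
	Issuer     string
	IPs        []string // watched IPs present in the iPAddress SANs
	StillValid bool     // false once NotAfter has passed
}

// Inspect alerts when cert carries an iPAddress SAN for a watched IP and the
// issuer is not allowlisted. Whether any browser trusts the issuer is
// deliberately not consulted: the rogue cert is the finding, not its trust status.
func Inspect(cert *x509.Certificate, wl WatchList, now time.Time) (Finding, bool) {
	var matched []string
	for _, ip := range cert.IPAddresses {
		for _, w := range wl.IPs {
			if ip.Equal(w) {
				matched = append(matched, ip.String())
			}
		}
	}
	if len(matched) == 0 {
		return Finding{}, false
	}
	issuer := issuerName(cert)
	if wl.ExpectedIssuers[issuer] {
		return Finding{}, false
	}
	return Finding{
		Serial:     cert.SerialNumber.String(),
		Issuer:     issuer,
		IPs:        matched,
		StillValid: now.Before(cert.NotAfter),
	}, true
}

// issuerName prefers the Organization attribute and falls back to the CN.
func issuerName(cert *x509.Certificate) string {
	if len(cert.Issuer.Organization) > 0 {
		return cert.Issuer.Organization[0]
	}
	return cert.Issuer.CommonName
}

// MakeConstructedCert builds a self-signed certificate with a single
// iPAddress SAN so the example runs offline. It is constructed test data,
// standing in for an entry a monitor would pull from a CT log.
func MakeConstructedCert(ip, issuerOrg string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{Organization: []string{issuerOrg}, CommonName: "constructed test cert"},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Self-signed: parent == template, so Issuer is copied from Subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	wl := WatchList{
		IPs:             []net.IP{net.ParseIP("1.1.1.1")},
		ExpectedIssuers: map[string]bool{"Cloudflare, Inc.": true},
	}
	cert, err := MakeConstructedCert("1.1.1.1", "Constructed Untrusted CA")
	if err != nil {
		panic(err)
	}
	if f, alert := Inspect(cert, wl, time.Now()); alert {
		fmt.Printf("ALERT: %s issued for %v (serial %s, still valid: %v)\n", f.Issuer, f.IPs, f.Serial, f.StillValid)
	}
}
```

The allowlist is the only policy input: a certificate for a watched IP from an issuer the operator never expected is a finding whether or not that issuer sits in any root store, which is exactly the case a trust-filtered monitor misses.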

Matt Nordhoff (@[email protected])

https://crt.sh/?id=15190039061 Uhhh if you ignore that it was revoked, purportedly 3 minutes after being issued, was — is — this Financijska agencija (pre)certificate really trusted for TLS in Windows? Did Microsoft or anyone do anything about it? (There are several others I didn't look at.) The CA is naturally also on the EU Trusted List for QWACs or whatever. Edit: The link is a precertificate, and there is no corresponding certificate logged, but that is not evidence none exists.

@agwa While we're at it, is Oracle aware that Fina has also issued a certificate for 2.2.2.2 six days ago which is still valid and unrevoked? https://crt.sh/?id=20583047050

@agwa Apparently, the cert was subsequently revoked and CRT picked it up a little while later. My toot is from 7:28 UTC, the cert was revoked at 6:34 UTC (but still showed as valid on CRT at the time of my toot)
@agwa This screenshot was taken on or after 7:54 UTC and shows the cert as being valid. That's because the CRL had only been checked one and a half hours prior, at 6:28 UTC (six mins before the cert was revoked)
@agwa Also, why are they using reason #5 (cessationOfOperation)? That's wrong IMHO, it should be reason #4 (superseded), according to BR 4.9.1.1 (5) or (12).
@christopherkunz These are excellent discoveries! Do you want to post this to the mozilla-dev-security-policy thread (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc). Or I can relay them, with or without attribution.
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

@agwa if you could post them and attribute me, that would be awesome. I was just researching for a news article and podcast on this.
1986968 - Financijska agencija (Fina): Mis-issued certificates

ASSIGNED (miroslav.perincic) in CA Program - CA Security Vulnerability. Last updated 2025-09-04.

@christopherkunz Cool, thanks for posting your comment in the bug. I also relayed your findings to mdsp yesterday: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc/m/hV0LJBkUAAAJ
@agwa Yes, I saw that. Thanks! RE the bug, I'm not entirely sure how an incident that ran on Ars Technica and the Cloudflare blog before hitting Bugzilla can be classified as "self reported". ;-)
@christopherkunz do we know what flow in their registration process even allows this, and why they are still in operation (to that extent the revocation reason seems like nice foreshadowing)

@eckes I don't think that this CA has any public registration process, they seem to be a federal institution in Croatia. The certificates seem to be "test" certificates, and the CA has answered Cloudflare's questions with "there was an error during certificate generation".

Cloudflare has found some pretty strong words for that behavior in their blog.

@christopherkunz interesting, that’s a good use for CT if companies think they can be irresponsible (if it was not malicious, given the meaning of DoT and DoHTTPS with those Certs)
@eckes Honestly, CT is awesome. The visibility it gives researchers and other stakeholders is invaluable. Also, it's good for CTI of all sorts and a lifesaver for seemingly simple tasks like "is this a fake online shop?"