Hey look, another certificate authority trusted ONLY by Microsoft is issuing certificates without validation (1.1.1.1/Cloudflare DNS in this case): https://crt.sh/?sha256=D42B028468E73795365102058CBCD350AD0A0B9CA7073C5362A570C5EC208A92
(h/t Hacker News user JXzVB0iA)

The first rogue 1.1.1.1 certificate was issued by Fina and logged to Certificate Transparency over a year ago.
AFAICT, the first person to notice any of this was Hacker News user JXzVB0iA, two days ago: https://news.ycombinator.com/item?id=45089708
This morning, it was reported to the certificate-transparency mailing list, with attribution to JXzVB0iA.
A few hours later, it was reported to the mozilla-dev-security-policy mailing list, without attribution.
Then Dan Goodin wrote his article, citing the mozilla-dev-security-policy post.
Very surprising that Cloudflare did not notice given they operate a CT monitor.
Fina Root CA signs certificates for 1.1.1.1 | Hacker News

@agwa While we're at it, is Oracle aware that Fina also issued a certificate for 2.2.2.2 six days ago which is still valid and unrevoked? https://crt.sh/?id=20583047050

@agwa Apparently, the cert was subsequently revoked and CRT picked it up a little while later. My toot is from 7:28 UTC, the cert was revoked at 6:34 UTC (but still showed as valid on CRT at the time of my toot)
@agwa This screenshot was taken on or after 7:54 UTC and shows the cert as being valid. That's because the CRL had only been checked one and a half hours prior, at 6:28 UTC (six mins before the cert was revoked)
@agwa Also, why are they using reason #5 (cessationOfOperation)? That's wrong IMHO, it should be reason #4 (superseded), according to BR 4.9.1.1 (5) or (12).
@christopherkunz These are excellent discoveries! Do you want to post this to the mozilla-dev-security-policy thread (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc)? Or I can relay them, with or without attribution.
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

@agwa if you could post them and attribute me, that would be awesome. I was just researching for a news article and podcast on this.
1986968 - Financijska agencija (Fina): Mis-issued certificates

ASSIGNED (miroslav.perincic) in CA Program - CA Security Vulnerability. Last updated 2025-09-04.

@christopherkunz Cool, thanks for posting your comment in the bug. I also relayed your findings to mdsp yesterday: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc/m/hV0LJBkUAAAJ

@agwa Yes, I saw that. Thanks! RE the bug, I'm not entirely sure how an incident that ran on Ars Technica and the Cloudflare blog before hitting Bugzilla can be classified as "self reported". ;-)