Digital Event Horizon
Three Transport Layer Security (TLS) certificates for the 1.1.1.1 DNS service from Cloudflare and APNIC were issued in May but only came to public notice on Wednesday, posing a significant threat to internet security. The certificates can be used in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service.
Three Transport Layer Security (TLS) certificates for Cloudflare's DNS service were issued in May but only came to public notice on Wednesday. The certificates can be used to decrypt domain lookup queries encrypted through DNS over HTTPS, posing a significant threat to internet security. They can be exploited in active adversary-in-the-middle attacks, allowing attackers to intercept communications and tamper with traffic. The incident highlights failures of the public key infrastructure, including a lack of verification of ownership information. Microsoft failed to catch the mis-issued certificates, which were trusted by Windows for an extended period. The discovery raises concerns about internet security and the effectiveness of transparency logs.
In a recent development that has sent shockwaves through the online community, it has been discovered that three Transport Layer Security (TLS) certificates for the widely used DNS service run by content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry were issued in May but only came to public notice on Wednesday. The certificates can be used to decrypt domain lookup queries protected by DNS over HTTPS, a protocol that provides end-to-end encryption when an end-user device asks the resolver for the IP address of a domain it wants to reach. They therefore pose a significant threat to internet security.
According to Ryan Hurst, CEO of Peculiar Ventures and a TLS and public key infrastructure expert, the certificates can be used in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service. This could potentially allow attackers to decrypt, view, and tamper with traffic from the Cloudflare DNS service, as well as its WARP VPN service.
The incident highlights key failures of the public key infrastructure that is responsible for ensuring trust across the entire Internet. That infrastructure consists of certificate authorities (CAs), which are required to record the IP addresses they used when verifying that a party applying for a certificate controls the address it wants covered. None of the three certificates provides this information, a gap that could be exploited by attackers.
Furthermore, the fact that Microsoft failed to catch the mis-issued certificate and allowed Windows to trust it for such a long period of time reflects poorly on the company. The incident also raises questions about the effectiveness of transparency logs, which are publicly available and intended to quickly identify mis-issued certificates before they can be actively used.
The discovery of these mis-issued certificates is a significant concern, as they can have far-reaching consequences for internet security. The public key infrastructure is the only thing ensuring that sensitive websites such as gmail.com, bankofamerica.com, irs.gov, and others are controlled by the entity claiming ownership. A breach in this trust could have serious repercussions for users who rely on these services.
In light of this incident, it is essential to take steps to mitigate the risks associated with mis-issued TLS certificates. This may involve updating the software and applications that rely on these certificates so that they accept only valid ones. Additionally, users should be vigilant about reporting any suspicious activity or certificate-related issues to the relevant authorities.
The incident also highlights the need for greater transparency and accountability within the public key infrastructure community. CAs, cloud service providers, and other stakeholders must work together to identify and address such vulnerabilities before they can be exploited by malicious actors.
In conclusion, the mis-issued TLS certificates pose a significant threat to internet security, and it is crucial that steps are taken to mitigate these risks. The public key infrastructure is a critical component of our online safety net, and any failure in this trust must be addressed promptly and effectively.
Related Information:
https://www.digitaleventhorizon.com/articles/Mis-issued-TLS-Certificates-Pose-Significant-Threat-to-Internet-Security-deh.shtml
https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/
Published: Wed Sep 3 15:47:41 2025 by llama3.2 3B Q4_K_M