Cloudflare’s 1.1.1.1 DNS Service Was Targeted by a Rogue Certificate Authority
On September 3, 2025, researcher Youfu Zhang reported to the Mozilla dev-security-policy mailing list that the certification authority Fina RDC 2020 had issued multiple TLS certificates for the IP address 1.1.1.1. This address, jointly operated by Cloudflare and APNIC, underpins Cloudflare’s public DNS resolver. Since no third party can legitimately prove control over it, the issuance violated CA/Browser Forum rules.
Fina RDC 2020 functions as a subordinate authority of Fina Root CA, which is included in the Microsoft Root Certificate Program. As a result, its certificates were trusted within Windows, though Mozilla confirmed that Firefox never accepted them.
Cloudflare later published a detailed postmortem, revealing that between February 2024 and August 2025, Fina had issued twelve unauthorized certificates for 1.1.1.1—none of which had been sanctioned by Cloudflare. All certificates have since been revoked.
Cloudflare stressed that there was no evidence of malicious use. For an attacker to impersonate its DNS service, they would have required not only the private key but also client-side trust in Fina CA and the ability to intercept network traffic.
Fina defended the incident as the result of “internal testing.” Cloudflare countered that issuing certificates for IP addresses it does not own is unacceptable, violating both industry standards and Fina’s own stated policies.
The problem came to light only because Fina logged the certificates in Certificate Transparency (CT) records. These public logs, designed to expose misissuance, allowed researchers to detect the anomaly.
Cloudflare admitted its internal monitoring mechanisms had failed: IP-based certificates were not tracked, filtering controls were insufficient, and alerts had been disabled due to excessive data noise. The company has pledged to strengthen monitoring and refine response processes.
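The gap described above, where a CT monitor matches domain names but never looks at IP address SANs, can be shown with a small filter. This is an added example, not Cloudflare's monitoring code: the parsed-entry layout, the name `resolver.example`, the issuer allowlist and the sample entries are all constructed assumptions.

```python
import ipaddress

# Assumed inventory: names and address ranges the monitor owner controls.
WATCHED_DOMAINS = {"resolver.example"}                  # hypothetical name
WATCHED_NETS = [ipaddress.ip_network("1.1.1.1/32")]     # address from the article
AUTHORIZED_ISSUERS = {"Example Authorized CA"}          # hypothetical allowlist

# Constructed sample entries, shaped like already-parsed CT log records.
SAMPLE_ENTRIES = [
    {"issuer": "Fina RDC 2020",
     "sans": [("DNS", "test.hr"), ("DNS", "testssl.finatest.hr"), ("IP", "1.1.1.1")]},
    {"issuer": "Example Authorized CA",
     "sans": [("DNS", "resolver.example"), ("IP", "1.1.1.1")]},
    {"issuer": "Hypothetical Other CA",
     "sans": [("DNS", "unrelated.example"), ("IP", "192.0.2.10")]},
]

def dns_hit(value):
    """True if a dNSName SAN equals or falls under a watched domain."""
    name = value.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def ip_hit(value):
    """True if an iPAddress SAN falls inside a watched network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # malformed SAN value: not a match
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    return any(addr.version == n.version and addr in n for n in WATCHED_NETS)

def alerts(entries, include_ip=True):
    """Flag entries covering a watched asset whose issuer is not approved."""
    out = []
    for e in entries:
        hits = [(k, v) for k, v in e["sans"]
                if (k == "DNS" and dns_hit(v)) or (k == "IP" and include_ip and ip_hit(v))]
        if hits and e["issuer"] not in AUTHORIZED_ISSUERS:
            out.append({"issuer": e["issuer"], "hits": hits})
    return out

if __name__ == "__main__":
    print("DNS-only monitor:", alerts(SAMPLE_ENTRIES, include_ip=False))
    print("DNS+IP monitor:  ", alerts(SAMPLE_ENTRIES, include_ip=True))
```

With IP matching disabled the filter stays silent on the constructed Fina entry, because its DNS names belong to nobody on the watch list; only the IP SAN ties it to the watched asset.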
Further examination showed the certificates were valid for up to a year and included fabricated domains such as test.hr and testssl.finatest.hr. In some cases, the listed owner was a fictitious entity named TEST D.D.
The risk applied only to clients that explicitly trusted Fina CA. While the authority is part of the EU Trust Service, it is absent from the trusted root lists of Mozilla, Apple, Chrome, and Android. Microsoft responded by promptly adding the certificates to its disallowed list.
Cloudflare also verified the routing of 1.1.1.1, finding no evidence of BGP hijacking.
The timeline reveals the first certificate was issued on February 18, 2024, and revoked just 33 minutes later, while the last was issued on August 26, 2025, and removed only on September 4, 2025. Early public mentions of the incident surfaced on Hacker News and in CT mailing lists.
Cloudflare emphasized that this was the first known case of unauthorized certificates issued for 1.1.1.1, underscoring how fragile the global trust system of certificate authorities remains: a single point of failure at one CA can cascade into risks for millions of users.