In May 2025, Fina RDC 2020—an intermediate Certificate Authority under the Fina Root CA (trusted by Microsoft)—improperly issued three TLS certificates that included 1.1.1.1 in the SAN field.
The certificates could enable attackers to perform a man-in-the-middle (MitM) attack on DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) traffic, potentially decrypting otherwise secure DNS communications to monitor or manipulate user behavior.
Though Certificate Transparency (CT) logs recorded the mis-issuance, no alerts or remediation occurred for months—highlighting significant gaps in PKI monitoring and governance.
Governance & PKI Oversight Failures
Root Store Trust is a Single Point of Failure: Every CA in a root store, however obscure, can issue a certificate for any name, so each additional CA widens the attack surface. The Fina certificate, despite its powerful ramifications, stemmed from a small, low-volume CA.
CT Log Alerts Didn't Trigger Action: Certificate Transparency's promise is meaningless if organizations don't operationalize monitoring and response pipelines that act on what the logs record.
Low Transparency on Certificate Request Process: It remains unclear who requested those certs for the IP 1.1.1.1, and whether Fina CA failed its validation procedures or mis-issued them knowingly.
Trust Boundaries & Enterprise Exposure
| Factor | Details |
|---|---|
| Affected Platforms | Windows and Edge, which rely on the Microsoft root store. |
| Unaffected Platforms | Chrome (non-Windows), Firefox, Safari, which use independent root trust stores. |
| Attack Prerequisites | A BGP hijack or other IP-level redirection, combined with the rogue cert, could enable full interception of DNS traffic. |
| Possible Impact | Decryption of DNS queries (from DoH/DoT), session hijacking, user tracking, manipulation of DNS responses. |
CyberDudeBivash Defensive Framework (CDB-PKI)
Root Store Governance
Audit inclusion criteria for root CAs.
Establish tiers: restrict high-risk operations (like IP SAN issuance) to trusted, audited CAs only.
Root Blacklisting Procedures
Microsoft should batch-revoke mis-issued certs and distrust Fina Root swiftly.
Prevent policy complacency in root store refresh cycles.
CT Log Incident Response
Enforce real-time monitoring of CT logs for SAN anomalies.
Auto-alert on entries with IP addresses or sensitive endpoints (e.g., 1.1.1.1).
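As an added example (not code from the original post), here is the SAN check described above run over constructed CT-log-style entries: it parses OpenSSL-style SAN strings, records any IP-address SAN, and escalates when the address falls inside a watched resolver range and the issuer is not one of the CAs expected for it. The watchlist, the issuer names, the serials and the sample entries are all assumptions constructed for the demo, not real log data.

```python
import ipaddress

# Assumed operator-maintained watchlist: sensitive resolver networks mapped to the
# issuer names expected to certify them (placeholder names, not the real CAs).
WATCHED_ENDPOINTS = {ipaddress.ip_network("1.1.1.0/24"): {"EXPECTED-CA-PLACEHOLDER"}}
SEVERITY_RANK = {"low": 1, "high": 2, "critical": 3}

def parse_san(san_text):
    """Split an OpenSSL-style SAN line into (kind, value) pairs; items without a kind prefix become UNKNOWN."""
    entries = []
    for item in (s.strip() for s in san_text.split(",") if s.strip()):
        kind, sep, value = item.partition(":")
        entries.append((kind.strip(), value.strip()) if sep else ("UNKNOWN", item))
    return entries

def check_entry(entry):
    """Return (severity, reason, value) for the worst finding in one CT log entry, or None if it has no IP SAN."""
    worst = None
    for kind, value in parse_san(entry["san"]):
        if kind != "IP Address":
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            finding = ("high", "unparseable IP SAN", value)
        else:
            finding = ("low", "IP address in SAN", value)  # any IP SAN is worth a record
            for net, expected_issuers in WATCHED_ENDPOINTS.items():
                if addr in net and entry["issuer"] in expected_issuers:
                    finding = ("high", "watched endpoint, expected issuer", value)
                elif addr in net:
                    finding = ("critical", "watched endpoint, unexpected issuer", value)
        if worst is None or SEVERITY_RANK[finding[0]] > SEVERITY_RANK[worst[0]]:
            worst = finding
    return worst

def scan(entries):
    """Map each entry's serial to its worst finding, omitting entries with no IP SAN."""
    return {e["serial"]: f for e in entries if (f := check_entry(e)) is not None}

SAMPLE_ENTRIES = [  # constructed sample CT log entries; serials, issuers and SANs are made up
    {"serial": "A1", "issuer": "Example Web CA", "san": "DNS:www.example.org, DNS:example.org"},
    {"serial": "B2", "issuer": "EXPECTED-CA-PLACEHOLDER", "san": "DNS:one.example, IP Address:1.1.1.1"},
    {"serial": "C3", "issuer": "Some Small CA", "san": "IP Address:1.1.1.1"},
    {"serial": "D4", "issuer": "Example Web CA", "san": "DNS:intranet.example, IP Address:10.0.0.5"},
]

if __name__ == "__main__":
    for serial, (severity, reason, value) in scan(SAMPLE_ENTRIES).items():
        print(f"{severity.upper():8} {serial}: {reason} ({value})")
```

In a real pipeline the entries would come from a CT log feed or a crt.sh query, and the "high" finding for an expected issuer still deserves a ticket so that legitimate renewals are confirmed rather than assumed.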
Fallback Pathing for DNS Security
Avoid raw-IP DoH/DoT endpoints across configurations; prefer domain-based access, where certificate validation is stricter.
Employ additional DNS validation layers, such as requiring the DoH server's certificate to match a configured hostname rather than an IP address.
Cross-Platform Monitoring
Include detection for suspicious certificate chains involving Fina CA in threat intelligence feeds.
Remember zero trust: verify identity beyond certificate acceptance.
Summary Table
| Category | Details |
|---|---|
| Who's at risk | Windows/Edge users (~5% of global browser usage) |
| Risk Vector | MitM via a trusted (rogue) cert combined with a BGP hijack |
| Primary Oversight Failure | Lack of CT monitoring; root store governance gap |
| Takeaway | No PKI is too low-volume to be trusted without governance |
Apply patch/blacklist from Microsoft; alert users of exposure.
Disable IP-address-based DoH/DoT endpoints until assurance confirmed.
Short-Term:
Review root store policies in enterprise chains; consider implementing restricted root stores (WDAC, AppLocker).
Subscribe to CT monitoring for DNS anomalies and certificate inventory.
Strategic:
Advocate for hierarchical trust (root tiers), automated CT response, and shared governance in ecosystem forums like CA/Browser Forum.
CyberDudeBivash stands ready to help your organization establish robust PKI risk controls, CT log automation, and incident response frameworks to avoid crises like this in the future.