Cloudflare 1.1.1.1 Hit by 12 Unauthorized Certificates — Critical PKI Breach

Overview & Impact

Cloudflare has confirmed that from February 2024 through August 2025, a Croatian certificate authority—Fina CA—improperly issued 12 TLS certificates for its widely used public DNS service 1.1.1.1, without authorization.

These rogue certificates, had an attacker held the corresponding private keys, could have enabled man-in-the-middle attacks against encrypted DNS queries (DoT/DoH), potentially compromising user privacy and service trust.

Risk Landscape

  • Fina CA is included in the Microsoft Root Certificate Program, making these certificates trusted by Windows clients by default. Browsers like Chrome, Firefox, and Safari had never trusted Fina CA, so the exposure was confined to Windows systems and non-Windows clients were largely unaffected.
  • Though no exploitation has been detected, Cloudflare and Microsoft took swift action by revoking the certificates and adding them to a disallow list.
  • The certificates were discovered via Certificate Transparency (CT) logs, but only after a prolonged delay—highlighting monitoring blind spots in certificate issuance oversight.

Timeline Highlights


CyberDudeBivash Analysis & Recommendations

Risk Assessment

This incident underscores how a single CA error can undermine core internet infrastructure. Since 1.1.1.1 supports encrypted DNS traffic globally, a rogue certificate could facilitate interception or manipulation of sensitive DNS queries—culminating in user privacy violations or redirect attacks on vulnerable Windows systems.

Mitigation & IT Response

  1. Verify revocation status on managed systems, especially Windows endpoints.
  2. Ensure clients reject TLS certificates from Fina CA, or confirm Microsoft’s disallowed list is in effect.
  3. Monitor CT logs for certificate issuance against critical IPs/domains you rely on.
  4. Enforce least-privilege root stores, limiting trusted CAs and flagging uncommon authorities like Fina.
  5. Deploy DNS clients with endpoint certificate pinning to fixed resolvers where feasible.
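The following script is an added example, not code from the post or from Cloudflare; it implements steps 2 and 3 of the list above with the Python standard library only. It filters CT-log records (a constructed sample shaped like the JSON that https://crt.sh/?q=<name>&output=json returns; the field names are an assumption about that service) for a monitored resolver name and flags any issuer outside an allow-list, reports the window the flagged issuances span, and offers a DoT connection check that rejects a resolver certificate whose issuer CN is not on the allow-list even if the OS trusts the chain. The monitored names and the `Example Trusted CA` / `Unexpected CA` issuer values are placeholders, not the real issuers involved.

```python
"""Defensive checks for the gaps the post raises: CT-log monitoring of a resolver
name, and rejecting a live resolver certificate from an unexpected issuer.
Standard library only; the sample CT records below are constructed."""
import json
import socket
import ssl
from datetime import datetime

# Names to monitor (assumption: the names one would watch for a 1.1.1.1-style
# resolver; substitute the names of the resolver you actually rely on).
MONITORED_NAMES = {"1.1.1.1", "one.one.one.one"}
# Issuer CNs expected for those names. Placeholder value; fill in from the
# issuer field of the resolver's legitimately deployed certificate.
EXPECTED_ISSUERS = {"Example Trusted CA"}

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=<name>&output=json (field names assumed from that service).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example, CN=Example Trusted CA",
     "name_value": "one.one.one.one\n1.1.1.1", "not_before": "2024-01-10T00:00:00",
     "not_after": "2025-01-10T23:59:59", "serial_number": "01"},
    {"id": 1002, "issuer_name": "C=HR, O=Placeholder, CN=Unexpected CA",
     "name_value": "1.1.1.1", "not_before": "2024-02-03T00:00:00",
     "not_after": "2025-02-03T23:59:59", "serial_number": "02"},
    {"id": 1003, "issuer_name": "C=HR, O=Placeholder, CN=Unexpected CA",
     "name_value": "one.one.one.one", "not_before": "2025-08-20T00:00:00",
     "not_after": "2026-08-20T23:59:59", "serial_number": "03"},
    {"id": 1004, "issuer_name": "C=HR, O=Placeholder, CN=Unexpected CA",
     "name_value": "unrelated.example", "not_before": "2025-03-01T00:00:00",
     "not_after": "2026-03-01T23:59:59", "serial_number": "04"},
])


def issuer_cn(issuer_name: str) -> str:
    """Pull the CN out of a one-line distinguished name such as 'C=US, O=X, CN=Y'."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return issuer_name


def unexpected_issuances(ct_json: str, monitored=MONITORED_NAMES,
                         expected=EXPECTED_ISSUERS) -> list:
    """Return CT records that cover a monitored name but come from an issuer
    outside the allow-list. Records for other names are ignored."""
    flagged = []
    for rec in json.loads(ct_json):
        names = set(rec["name_value"].split("\n"))
        if not names & monitored:
            continue
        if issuer_cn(rec["issuer_name"]) in expected:
            continue
        flagged.append(rec)
    return flagged


def issuance_window(records: list) -> tuple:
    """(earliest not_before, latest not_before, count) for a set of records:
    how long a mis-issuance pattern ran before anyone looked."""
    dates = sorted(datetime.fromisoformat(r["not_before"]) for r in records)
    return dates[0].date().isoformat(), dates[-1].date().isoformat(), len(dates)


def issuer_cn_from_peercert(cert: dict) -> str:
    """Extract the issuer CN from the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def resolver_issuer_allowed(host: str, port: int = 853,
                            expected=EXPECTED_ISSUERS) -> bool:
    """Open a DoT (TLS on 853) connection to a resolver and require that the
    presented certificate's issuer CN is on the allow-list. A chain the OS
    trusts but that comes from an unexpected CA is still rejected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return issuer_cn_from_peercert(tls.getpeercert()) in expected


if __name__ == "__main__":
    bad = unexpected_issuances(SAMPLE_CT_JSON)
    for rec in bad:
        print(f"UNEXPECTED id={rec['id']} issuer={issuer_cn(rec['issuer_name'])} "
              f"names={rec['name_value'].replace(chr(10), ',')}")
    print("window:", issuance_window(bad))
```

Run against the constructed sample it flags records 1002 and 1003 (issued under the placeholder CA for monitored names) and ignores 1004, which the same CA issued for an unrelated name. Scheduling `unexpected_issuances` over a fresh crt.sh pull is the kind of continuous check that would have shortened the eighteen-month gap the post describes; `resolver_issuer_allowed` is the client-side complement for step 2, since Windows trusting a root is not the same as your resolver being expected to use it.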

Strategic Insight

  • Cloudflare’s delayed detection—despite monitoring—illustrates the limitations of CT oversight alone.
  • The incident points to the persistent fragility of certificate ecosystems and the importance of real-time, adaptive trust enforcement.

CyberDudeBivash recommends treating DNS resolver TLS integrity as a strategic cybersecurity vector, not an ancillary service.


#Cloudflare #PublicDNS #DNSPrivacy #CertificateMisissuance #PKI #FinaCA #TLSVulnerability #CyberDudeBivash #IncidentResponse #CTLogs
