Misissued TLS certificates tied to Cloudflare’s 1.1.1.1 DNS service raise internet-security concerns

Security researchers on Wednesday disclosed mis-issued TLS certificates tied to Cloudflare’s 1.1.1.1 DNS service, a vulnerability that could enable attackers to impersonate the service and monitor user traffic if the certificates were used maliciously.

Details about who requested and obtained the credentials remain unclear, and representatives from the organization identified as Fina did not respond to requests for comment, according to the report.

TLS certificates underpin the Transport Layer Security (TLS) protocol by binding a domain name to a public key. A certificate authority (CA) – an entity authorized to issue browser-trusted certificates – signs certificates and holds the private key that vouches for their validity. Whoever holds a valid TLS certificate, together with its private key, can in principle cryptographically impersonate the domain for which it was issued.

Ryan Hurst, chief executive of Peculiar Ventures and a TLS/public-key-infrastructure expert, said that attackers holding the mis-issued 1.1.1.1 certificates could mount active man-in-the-middle attacks, decrypting or altering traffic between end users and Cloudflare’s DNS service.

Cloudflare said the CA ecosystem is “a castle with many doors,” and warned that the failure of a single CA can threaten the security of the entire system. The company also highlighted its involvement in Certificate Transparency, a framework designed to surface mis-issued certificates and alert stakeholders.

The incident also drew attention to Microsoft’s role, both for not proactively detecting the mis-issued certificates and for allowing Windows to trust them for an extended period. Certificate Transparency logs catalog the issuance of every browser-trusted certificate in near real time, so that problems can be detected quickly. The mis-issuance in this case should have been readily identifiable, because the IP addresses used to verify the applicant’s control of the domain fell within the 1.1.1.1 IP space.
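The detection the paragraph above describes is routine CT monitoring: watch the logs for certificates that cover your identifiers and were not issued by a CA you expect. The following is an added example, not code from the article, Cloudflare or any CT tool; the log entries, the monitored prefix and zone, and the issuer names are constructed placeholders (only the 1.1.1.1 address comes from the article).

```python
# Added example, not code from the article or from Cloudflare: a minimal
# Certificate Transparency (CT) monitor over constructed log entries. It flags
# logged certificates that cover a monitored identifier but come from an
# issuer outside the expected set, and reports how long each sat in the log.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CtEntry:  # assumed reduction of a CT log entry to what a monitor needs
    log_index: int
    issuer: str          # CA named in the certificate's issuer field
    dns_sans: tuple      # DNS names from the Subject Alternative Name extension
    ip_sans: tuple       # IP addresses from the SAN extension, as strings
    logged_at: datetime  # time the log accepted the entry

# Policy. 1.1.1.1 is from the article; the monitored prefix, zone and issuer
# names are constructed placeholders.
MONITORED_NETS = (ipaddress.ip_network("1.1.1.0/24"),)
MONITORED_ZONES = ("resolver.example",)
EXPECTED_ISSUERS = frozenset({"Expected Resolver CA (placeholder)"})

def monitored_sans(entry):
    """Return the SAN values of an entry that fall inside the monitored space."""
    hits = [ip for ip in entry.ip_sans
            if any(ipaddress.ip_address(ip) in net for net in MONITORED_NETS)]
    hits += [n for n in entry.dns_sans
             if any(n == z or n.endswith("." + z) for z in MONITORED_ZONES)]
    return hits

def find_unexpected_issuance(entries, checked_at):
    """(log_index, issuer, matched SANs, days in log) for each suspect entry."""
    suspects = []
    for e in entries:
        hits = monitored_sans(e)
        if hits and e.issuer not in EXPECTED_ISSUERS:
            suspects.append((e.log_index, e.issuer, tuple(hits),
                             (checked_at - e.logged_at).days))
    return suspects

# Constructed sample log: one legitimate entry, one from an unexpected issuer
# logged about four months before the check, and one unrelated certificate.
CHECK_TIME = datetime(2025, 9, 3, tzinfo=timezone.utc)  # constructed
SAMPLE_LOG = (
    CtEntry(100, "Expected Resolver CA (placeholder)", ("resolver.example",),
            ("1.1.1.1",), CHECK_TIME - timedelta(days=200)),
    CtEntry(101, "Unexpected CA (constructed)", (), ("1.1.1.1",),
            CHECK_TIME - timedelta(days=122)),
    CtEntry(102, "Unexpected CA (constructed)", ("shop.example",), (),
            CHECK_TIME - timedelta(days=5)),
)
```

Run against the sample log, `find_unexpected_issuance` returns only entry 101, with a 122-day lag that illustrates how long an unexamined log entry can go unnoticed.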

That the certificates were discovered publicly only four months after issuance suggests the transparency logs were not getting the scrutiny they were designed to enable. It remains unclear how so many parties could miss the mis-issuance for so long.