
12 Rogue Certificates Issued for Cloudflare's 1.1.1.1 DNS Put Millions at Risk

Mis-issued certificates for 1.1.1.1 DNS

A massive security lapse has left millions of internet users vulnerable to DNS query interception after a certificate authority (CA) improperly issued 12 unauthorized TLS certificates for Cloudflare's popular 1.1.1.1 public DNS resolver service.

The certificates, issued by Croatian CA Fina between February 2024 and August 2025, could have allowed attackers to cryptographically impersonate the widely used DNS service and decrypt users' internet browsing queries. The incident first surfaced publicly through a Hacker News post on September 1, 2025, but Cloudflare only began investigating after reports on the certificate-transparency mailing list on September 3—months after some certificates were issued.

Discovery Reveals Systematic Failures

Cloudflare confirmed that Fina CA issued the certificates without authorization, calling it "an unacceptable lapse in security." The company stated it has found no evidence that the certificates were used maliciously, but emphasized they "must assume that a corresponding private key exists" and could potentially be exploited.

Fina CA claimed the certificates were issued for "internal testing of the certificate issuance process in the production environment" due to an "error" in entering IP addresses. However, security experts criticized this explanation, noting that proper testing should never use production IP addresses belonging to other organizations.

Technical Impact and Vulnerability Scope

The unauthorized certificates posed a significant threat to users of DNS over HTTPS (DoH) and DNS over TLS (DoT)—encrypted protocols that protect DNS queries from eavesdropping. With valid certificates, attackers could potentially:

  • Intercept and decrypt users' DNS queries
  • Manipulate DNS responses to redirect users to malicious sites
  • Conduct man-in-the-middle attacks on encrypted DNS traffic

The exposure primarily affected Windows users, because Microsoft's Root Certificate Program was the only major root program that trusted Fina CA by default. Chrome, Firefox, Safari, and Android users were not affected with default settings.

The incident exposes fundamental weaknesses in the Internet's public key infrastructure (PKI). As Cloudflare noted, "the CA ecosystem is a castle with many doors: the failure of one CA can cause the security of the whole castle to be compromised."

Web security expert Filippo Valsorda emphasized the broader concern: "The story here is less the 1.1.1.1 certificate and more why Microsoft trusts this carelessly operated CA."

Protective Measures and Response

Microsoft quickly responded by adding the unauthorized certificates to its disallowed list, preventing Windows systems from trusting them. All certificates have since been revoked.

Cloudflare acknowledged its own monitoring failures, stating it "should have caught and responded to it earlier" through Certificate Transparency logs—public records of all issued certificates designed to catch such problems.
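The Certificate Transparency point above is that the owner of a name or IP can watch the public logs for certificates naming its own identifiers and alert on any issuer it did not authorize. The following Python is an added example, not Cloudflare's or Fina's code: it runs an issuer allowlist over a few constructed CT entries shaped like crt.sh's JSON output (the field names, the allowlisted CA name and all sample values are assumptions, not real log data) and reports the entries that name a monitored identifier but come from an unexpected CA.

```python
import json

# Identifiers we own and want to watch. Cloudflare's resolver IPs 1.1.1.1 and
# 1.0.0.1 are used as the monitored SANs for this constructed example.
MONITORED = {"1.1.1.1", "1.0.0.1"}

# Issuers actually authorized to issue for these identifiers (assumed name,
# not an authoritative list of anyone's CAs).
ALLOWED_ISSUERS = {"Example Authorized CA"}

# Constructed CT entries in the shape of crt.sh's JSON output (assumed field
# names: id, issuer_name, name_value, not_before, not_after). Not real log data.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "CN=Example Authorized CA",
     "name_value": "1.1.1.1\n1.0.0.1",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 1002, "issuer_name": "C=XX, O=Example Org, CN=Some Other CA",
     "name_value": "1.1.1.1",
     "not_before": "2024-02-20T00:00:00", "not_after": "2025-02-20T00:00:00"},
    {"id": 1003, "issuer_name": "CN=Some Other CA",
     "name_value": "203.0.113.7",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
])


def issuer_cn(issuer_name):
    """Extract the CN from a crt.sh-style issuer string such as 'C=XX, O=..., CN=...'."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return issuer_name


def find_unauthorized(ct_json, monitored=MONITORED, allowed=ALLOWED_ISSUERS):
    """Return (entry_id, issuer_cn, matched_names) for every log entry that names
    one of our identifiers but was issued by a CA we did not authorize."""
    findings = []
    for entry in json.loads(ct_json):
        # crt.sh joins multiple SANs with newlines in name_value (assumed format).
        names = set(entry["name_value"].split("\n"))
        hits = sorted(names & monitored)
        if not hits:
            continue  # certificate does not touch anything we own
        cn = issuer_cn(entry["issuer_name"])
        if cn not in allowed:
            findings.append((entry["id"], cn, hits))
    return findings


if __name__ == "__main__":
    for entry_id, issuer, names in find_unauthorized(SAMPLE_CT_JSON):
        print(f"ALERT crt.sh id={entry_id} issuer={issuer!r} names={names}")
```

A production monitor would poll the logs (or a CT aggregator) on a schedule and also check the validity window, since a certificate that is still unexpired and unrevoked is the one that needs immediate action.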

What Users Should Do

IT administrators managing Windows devices should verify that the certificates have been blocked through Microsoft's updates. For individual users, the risk has largely been mitigated through the revocations, though the incident underscores the importance of using browsers from vendors with strict CA oversight.

The incident serves as a stark reminder of how a single CA's negligence can potentially compromise millions of users' internet security, highlighting ongoing debates about the need for stricter oversight of certificate authorities worldwide.
