The number of mis-issued 1.1.1.1 certificates grows. Here's the latest.
Briefly

"Wednesday's discovery of three mis-issued TLS certificates for Cloudflare's 1.1.1.1 encrypted DNS lookup service generated intense interest and concern among Internet security practitioners. The revelation raised the possibility that an unknown entity had obtained the cryptographic equivalent of a skeleton key that could be used to surreptitiously decrypt millions of users' DNS queries that were encrypted through DNS over TLS or DNS over HTTPS. From there, the scammers could have read queries or even tampered with results to send 1.1.1.1 users to malicious sites."
"Since then, new information and analysis have become available, including the issuance of nine additional certificates since February 2024. This FAQ list is designed to answer questions raised in comments to the story and to provide the latest on what's known about the incident, which Cloudflare said Thursday constituted an "unacceptable lapse in security by Fina CA," the Microsoft-trusted certificate authority (CA) responsible for all 12 of the mis-issued certificates."
"Has new information come to light since Wednesday morning? Yes, multiple details. First, Cloudflare said that an audit it conducted following the discovery found that Fina CA mis-issued a total of 12 certificates, nine more than previously known. All certificates have since been revoked. Cloudflare said that it has not yet found any evidence that any of them were used maliciously, meaning used to cryptographically impersonate services offered by its 1.1.1.1 DNS resolver."
Three mis‑issued TLS certificates for Cloudflare's 1.1.1.1 encrypted DNS service were discovered, raising the possibility that an entity had obtained keys capable of decrypting DNS over TLS and DNS over HTTPS traffic. Such keys could allow reading queries or tampering with results to redirect users to malicious sites. An audit found a total of 12 mis‑issued certificates, nine more than originally identified, and all 12 have been revoked. Cloudflare reported no evidence that any of the certificates were used maliciously. Cloudflare acknowledged that Certificate Transparency monitoring and response should have caught the mis‑issuances earlier. Fina CA stated the certificates were issued for internal testing.
Read at Ars Technica