Fina CA, for its part, said in a short email that the certificates were “issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers.”

Fina CA, for its part, said in a short email that the certificates were “issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers.”

So does that mean Fina did nothing wrong?

No. Fina never had Cloudflare’s permission to issue certificates for an IP it controls. Consent of the owning party is a cardinal rule that Fina didn’t follow.

What are TLS certificates? How do they work?

In short, these certificates are the only thing ensuring that gmail.com, bankofamerica.com, or any other website is controlled by the entity claiming ownership. By now, many Internet users know they should only trust a website when its real domain name appears correctly in the address bar and is accompanied by the HTTPS label.

considers

Hmm. Maybe the certificate validation process should be changed to require that two CAs sign off on the root of a chain, to eliminate a single point of failure. Or maybe software should require that just for certain security-sensitive identities, and there be a decision to designate certain TLDs or IP ranges or whatever as requiring an additional root. That obviously doesn’t magically resolve all potential certificate issues, but it does mean that a single error can’t create the potential to open the floodgates like this.