Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest.

⁨30⁩ ⁨likes⁩

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨cm0002@lemmy.world⁩ to ⁨cybersecurity@infosec.pub⁩

https://arstechnica.com/information-technology/2025/09/the-number-of-mis-issued-1-1-1-1-certificates-grows-heres-the-latest/

source

Comments

Sort:hotnewtop
  • tal@lemmy.today ⁨3⁩ ⁨weeks⁩ ago

    Fina CA, for its part, said in a short email that the certificates were “issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers.”

    Fina CA, for its part, said in a short email that the certificates were “issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers.”

    So does that mean Fina did nothing wrong?

    No. Fina never had Cloudflare’s permission to issue certificates for an IP it controls. Consent of the owning party is a cardinal rule that Fina didn’t follow.

    What are TLS certificates? How do they work?

    In short, these certificates are the only thing ensuring that gmail.com, bankofamerica.com, or any other website is controlled by the entity claiming ownership. By now, many Internet users know they should only trust a website when its real domain name appears correctly in the address bar and is accompanied by the HTTPS label.

    considers

    Hmm. Maybe the certificate validation process should be changed to require that two CAs sign off on the root of a chain, to eliminate a single point of failure. Or maybe software should require that just for certain security-sensitive identities, and there be a decision to designate certain TLDs or IP ranges or whatever as requiring an additional root. That obviously doesn’t magically resolve all potential certificate issues, but it does mean that a single error can’t create the potential to open the floodgates like this.

    source
    • frongt@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago

      Nah. A CA that issues fraudulent certificates will have its signing certs revoked by the root CA.

      But that requires actual fraud. This sounds like someone used 1.1.1.1 for testing, when they should have used 192.0.2.0/24 or something. That subnet is specifically reserved.

      source
  • kurikai@lemmy.world ⁨3⁩ ⁨weeks⁩ ago

    SSL certs aren’t for trusting the owner or the URL. They are just for trusting the certificate. DNSsec is for trusting the DNS record.

    source