D
Dan Goodin
People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry.
The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS or DNS over TSL. Both protocols provide end-to-end encryption when end-user devices seek the IP address of a particular domain they want to access. Two of the certificates remained valid at the time this post went live on Ars.
Although the certificates were issued four months ago, their existence came to public notice only on Wednesday in a to an online discussion forum. They were issued by Fina RDC 2020, a certificate authority that’s subordinate to the root certificate holder Fina Root CA. The Fina Root CA, in turn, is trusted by the Microsoft Root Certificate Program, which governs which certificates are trusted by the Windows operating system. Microsoft Edge accounts for approximately 5 percent of the browsers actively used on the Internet.
The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS or DNS over TSL. Both protocols provide end-to-end encryption when end-user devices seek the IP address of a particular domain they want to access. Two of the certificates remained valid at the time this post went live on Ars.
Investigation underway
Although the certificates were issued four months ago, their existence came to public notice only on Wednesday in a to an online discussion forum. They were issued by Fina RDC 2020, a certificate authority that’s subordinate to the root certificate holder Fina Root CA. The Fina Root CA, in turn, is trusted by the Microsoft Root Certificate Program, which governs which certificates are trusted by the Windows operating system. Microsoft Edge accounts for approximately 5 percent of the browsers actively used on the Internet.
