D
Dan Goodin
Wednesday’s discovery of
for Cloudflare’s 1.1.1.1 encrypted DNS lookup service generated intense interest and concern among Internet security practitioners. The revelation raised the possibility that an unknown entity had obtained the cryptographic equivalent of a skeleton key that could be used to surreptitiously decrypt millions of users’ DNS queries that were encrypted through DNS over TLS or DNS over HTTPS. From there, the scammers could have read queries or even tampered with results to send 1.1.1.1 users to malicious sites.
Since then, new information and analysis have become available, including the issuance of nine additional certificates since February 2024. This FAQ list is designed to answer questions raised in comments to the story and to provide the latest on what’s known about the incident, which Cloudflare constituted an “unacceptable lapse in security by Fina CA," the Microsoft-trusted certificate authority (CA) responsible for all 12 of the mis-issued certificates.
Has new information come to light since Wednesday morning?
Since then, new information and analysis have become available, including the issuance of nine additional certificates since February 2024. This FAQ list is designed to answer questions raised in comments to the story and to provide the latest on what’s known about the incident, which Cloudflare constituted an “unacceptable lapse in security by Fina CA," the Microsoft-trusted certificate authority (CA) responsible for all 12 of the mis-issued certificates.
You asked; we answer
Has new information come to light since Wednesday morning?
