We just published https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/

Best,

Bas

On Wed, Sep 3, 2025 at 10:41 PM Bas Westerbaan <b...@cloudflare.com> wrote:

> Hi all,
>
> Quick message to confirm that Fina CA did not have our permission to
> publish these certificates. After seeing the certificate-policy email,
> we've immediately reached out to them, Microsoft and their TSP supervisory
> body. We take this lapse very seriously. We've been busy investigating,
> including checking if there are any other certificates misissued for our
> domains. We're preparing a blog to share our findings soon.
>
> Best,
>
> Bas
>
> On Wed, Sep 3, 2025 at 8:23 PM 'Ben Wilson' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
>
>> Thank you, Youfu, for bringing this to the community’s attention.
>>
>> This CA has never been part of the Mozilla Root Program, and their
>> certificates have never been trusted by Firefox. However, we are happy to
>> facilitate continued discussion on dev-security-policy as it is clearly
>> relevant to the community as a whole.
>>
>> Whilst we recognize Fina CA is not part of our root program, we also
>> agree that it would be extremely beneficial for Fina to file an incident
>> report in accordance with this guidance from the CCADB:
>> https://www.ccadb.org/cas/incident-report.
>>
>> Ben
>>
>> On Wed, Sep 3, 2025 at 9:32 AM Youfu Zhang <zhangyo...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> This is a public report of several certificates issued by Fina RDC
>>> 2020 that appear to be mis-issued. These certificates contain the
>>> Subject Alternative Name (SAN) iPAddress:1.1.1.1.
>>>
>>> The IP address 1.1.1.1 is a well-known public DNS resolver operated by
>>> Cloudflare, in partnership with APNIC. It is highly unlikely that the
>>> certificate subscribers demonstrated control over this IP address as
>>> required by the CA/Browser Forum Baseline Requirements.
>>>
>>> Three of the discovered certificates are still valid as of today,
>>> September 3, 2025.
>>>
>>> Mis-issued Certificates:
>>>
>>> 1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
>>>    Subject CN: test1.hr
>>>    SAN:
>>>      - dNSName:test1.hr
>>>      - dNSName:test12.hr
>>>      - iPAddress:1.1.1.1
>>>    crt.sh: https://crt.sh/?id=18603461241
>>>    Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
>>>
>>> 2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
>>>    Subject CN: test1.hr
>>>    SAN:
>>>      - dNSName:test1.hr
>>>      - dNSName:test11.hr
>>>      - iPAddress:1.1.1.1
>>>    crt.sh: https://crt.sh/?id=19749721864
>>>    Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
>>>
>>> 3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
>>>    Subject CN: test11.hr
>>>    SAN:
>>>      - dNSName:test11.hr
>>>      - dNSName:test12.hr
>>>      - iPAddress:1.1.1.1
>>>    crt.sh: https://crt.sh/?id=20582951233
>>>    Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
>>>
>>> Relevant Certificate Authority:
>>>
>>> These precertificates were issued by Fina RDC 2020
>>> (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
>>> CA (https://crt.sh/?caid=100631).
>>>
>>> Fina Root CA is trusted by The Microsoft Root Certificate Program.
>>>
>>> Apparent Violations:
>>>
>>> This issuance appears to violate both the CA/Browser Forum's
>>> requirements and Fina's own stated policies.
>>>
>>> 1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section 7.1.2.7.12:
>>>
>>>    The entry MUST contain the IPv4 or IPv6 address that the CA has
>>>    confirmed the Applicant controls or has been granted the right to use
>>>    through a method specified in Section 3.2.2.5.
>>>
>>> 2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
>>>
>>>    For each IP Address listed in certificate application Fina shall
>>>    verify, as of the date the certificate was issued, the right to use
>>>    and control the IP Address by the Legal person submitting the
>>>    certificate application.
>>>    This verification shall be done in accordance with the methods
>>>    specified in the CA/Browser Forum BRG document.
>>>
>>> I request that Fina investigate this matter, revoke any active
>>> non-compliant certificates, and provide a public incident report in a
>>> timely manner.
>>>
>>> ---
>>>
>>> Best regards,
>>> Youfu Zhang
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "dev-security-policy@mozilla.org" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to dev-security-policy+unsubscr...@mozilla.org.
>>> To view this discussion visit
>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEKhA2zDcVuKi1KVnMOwgjyQ2T9rv7sCFCYG0gwozLU9f7p4vQ%40mail.gmail.com
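As an added illustration, not part of the thread above nor code from Cloudflare, Fina or Mozilla, here is the defender-side check this class of report calls for: decode the SubjectAltName extension of a certificate seen in CT and flag any iPAddress entry that falls inside address space you control, which is how an IP owner would notice certificates like the three listed before a third party does. The SAN bytes are constructed to mirror the names of certificate 1 (dNSName test1.hr, dNSName test12.hr, iPAddress 1.1.1.1); in practice you would feed it the extension value pulled from a crt.sh or CT log entry.

```python
import ipaddress

# Constructed sample (not bytes taken from the real certificate): the DER value of
# a SubjectAltName extension carrying the names reported for certificate 1.
SAMPLE_SAN_DER = (
    bytes.fromhex("301b")                            # SEQUENCE of GeneralName, 27 bytes
    + bytes.fromhex("8208") + b"test1.hr"            # [2] dNSName
    + bytes.fromhex("8209") + b"test12.hr"           # [2] dNSName
    + bytes.fromhex("8704") + bytes([1, 1, 1, 1])    # [7] iPAddress 1.1.1.1
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER tag-length-value at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_san(san_der):
    """Decode a SubjectAltName value into (kind, value) pairs, in order."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == 0x82:               # [2] dNSName, IA5String
            names.append(("dNSName", value.decode("ascii")))
        elif tag == 0x87:             # [7] iPAddress: 4 raw bytes (v4) or 16 (v6)
            names.append(("iPAddress", ipaddress.ip_address(value)))
        else:                         # rfc822Name, URI, ...: kept opaque here
            names.append(("other", value))
    return names


def flag_ips_in_my_space(san_der, my_networks):
    """Return iPAddress SAN entries (as strings) inside address space you control."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    return [str(v) for kind, v in parse_san(san_der)
            if kind == "iPAddress" and any(v in n for n in nets)]


if __name__ == "__main__":
    # 2001:db8::/32 is the documentation prefix, standing in for a real v6 range.
    print(flag_ips_in_my_space(SAMPLE_SAN_DER, ["1.1.1.0/24", "2001:db8::/32"]))
```

A hit means a CA has asserted control of your address to a subscriber, and the next step is the same as Youfu's: confirm the issuer via the CT entry and ask the CA for revocation and an incident report.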