
Representatives from Google and Mozilla said in emails that their Chrome and Firefox browsers have never trusted the certificates, and there was no need for users to take any action. An Apple representative responded to an email with this link to a list of certificate authorities Safari trusts. Fina was not included.
It wasn’t immediately known which organization or person requested and obtained the credentials. Representatives from Fina didn’t answer emails seeking this detail.
The certificates are a key part of the Transport Layer Security protocol. They bind a specific domain to a public key. A certificate authority, one of the entities authorized to issue browser-trusted certificates, signs each certificate with its own private key to attest that the binding is valid. Anyone in possession of a TLS certificate and the private key that corresponds to it can cryptographically impersonate the domain for which it was issued.
The holder of the 1.1.1.1 certificates could potentially use them in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service, Ryan Hurst, CEO of Peculiar Ventures and a TLS and public key infrastructure expert, told Ars.
From there, attackers with possession of the 1.1.1.1 certificates could decrypt, view, and tamper with traffic from the Cloudflare DNS service, Hurst said.
Wednesday’s discovery exposes a key weakness of the public key infrastructure that’s responsible for ensuring trust of the entire Internet. Despite being the only thing ensuring that gmail.com, bankofamerica.com or any other website is controlled by the entity claiming ownership, the entire system can collapse with a single point of failure.
The incident also reflects poorly on Microsoft for failing to catch the mis-issued certificates and allowing Windows to trust them for such a long period of time. Certificate Transparency, a system of public, append-only logs that catalogues in real time the issuance of all browser-trusted certificates, can be searched automatically. The entire purpose of the logs is so stakeholders can quickly identify mis-issued certificates before they can be actively used. The public discovery of the certificates four months after the fact suggests the transparency logs didn’t receive the attention they were intended to get.
It’s unclear how so many different parties could miss the certificates for such a long time span.
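The automated search of Certificate Transparency logs described above is the kind of check a domain owner or anyone watching 1.1.1.1 could have run. The following Python script is an added example, not code from Ars, Cloudflare, Fina or any CT log operator: it takes a list of log entries in a simplified crt.sh-style shape, keeps only those whose subject names cover the watched names, and flags any whose issuer organization is not on an allowlist or whose lifetime exceeds the current browser-enforced maximum. All entries, issuer names (“Example Expected CA”, “Example Unexpected CA”) and the watched-name set are constructed placeholders; the entry shape, field names and the allowlist are assumptions.

```python
"""Audit Certificate Transparency entries for unexpected issuers of watched names.

Added example (not code from the article or any CT log operator). The entries
below are constructed to resemble crt.sh JSON output; issuer names are placeholders.
"""
import ipaddress
import json
from datetime import datetime

# Current maximum lifetime browsers accept for publicly trusted leaf certificates.
MAX_VALIDITY_DAYS = 398

# Constructed sample log entries (not real log data).
SAMPLE_CT_ENTRIES = json.loads("""[
  {"id": 101, "issuer_name": "C=XX, O=Example Expected CA, CN=Example Expected Issuing CA 1",
   "name_value": "one.one.one.one\\n1.1.1.1\\n1.0.0.1",
   "not_before": "2025-01-15T00:00:00", "not_after": "2026-01-15T23:59:59"},
  {"id": 102, "issuer_name": "C=XX, O=Example Unexpected CA, CN=Example Unexpected Issuing CA 1",
   "name_value": "1.1.1.1",
   "not_before": "2025-02-01T00:00:00", "not_after": "2026-02-01T23:59:59"},
  {"id": 103, "issuer_name": "C=XX, O=Example Expected CA, CN=Example Expected Issuing CA 1",
   "name_value": "*.example.net\\nexample.net",
   "not_before": "2025-02-10T00:00:00", "not_after": "2026-02-10T23:59:59"},
  {"id": 104, "issuer_name": "C=XX, O=Example Expected CA, CN=Example Expected Issuing CA 1",
   "name_value": "1.0.0.1",
   "not_before": "2025-03-01T00:00:00", "not_after": "2028-03-01T23:59:59"}
]""")

# Assumed monitoring policy: the names we care about and the CAs we expect to issue for them.
WATCHED_NAMES = {"one.one.one.one", "1.1.1.1", "1.0.0.1"}
ALLOWED_ISSUER_ORGS = {"Example Expected CA"}


def issuer_org(dn):
    """Return the O= component of a comma-separated distinguished name ('' if absent)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def san_matches(entry, watched):
    """Return the watched names this entry covers, honouring one-label wildcards."""
    names = {n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()}
    hits = set()
    for name in watched:
        name = name.lower()
        if name in names:
            hits.add(name)
            continue
        try:
            ipaddress.ip_address(name)
            continue  # wildcards never cover IP-address names
        except ValueError:
            pass
        # *.example.net covers www.example.net but not example.net or a.b.example.net
        parent = name.partition(".")[2]
        if parent and f"*.{parent}" in names:
            hits.add(name)
    return hits


def validity_days(entry):
    """Lifetime of the certificate in whole days."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    start = datetime.strptime(entry["not_before"], fmt)
    end = datetime.strptime(entry["not_after"], fmt)
    return (end - start).days


def audit(entries, watched, allowed_orgs):
    """Return findings for entries covering watched names that break the policy."""
    findings = []
    for entry in entries:
        hits = san_matches(entry, watched)
        if not hits:
            continue
        reasons = []
        org = issuer_org(entry["issuer_name"])
        if org not in allowed_orgs:
            reasons.append(f"issuer {org!r} not on allowlist")
        days = validity_days(entry)
        if days > MAX_VALIDITY_DAYS:
            reasons.append(f"validity {days} days exceeds {MAX_VALIDITY_DAYS}")
        if reasons:
            findings.append({"id": entry["id"], "names": sorted(hits),
                             "issuer": org, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CT_ENTRIES, WATCHED_NAMES, ALLOWED_ISSUER_ORGS):
        print(finding["id"], finding["names"], finding["issuer"], "; ".join(finding["reasons"]))
```

Run against the constructed entries, entry 102 is flagged because its issuer is not on the allowlist, and entry 104 because a three-year lifetime is longer than browsers accept; the unrelated example.net certificate is ignored. In a real deployment the entries would come from a CT monitor or log query on a schedule, and the allowlist would hold only the CAs the domain owner actually uses.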
Post updated to correct explanation of TLS certificates.