Addressing the Unauthorized Issuance of Multiple Tls Certificates for 1.1.1.1

Posted4 months agoActive4 months ago

mcpherrinm

37 points

5 comments

blog.cloudflare.comTechstory

calmmixed

Debate

40/100

Tls CertificatesDNS SecurityCloudflare

Key topics

Tls Certificates

DNS Security

Cloudflare

Cloudflare addresses the unauthorized issuance of multiple TLS certificates for their 1.1.1.1 DNS service, sparking discussion on the potential security implications and the company's incident response.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

1-2h

Avg / period

1.3

Key moments

01Story posted
Sep 4, 2025 at 1:32 PM EDT
4 months ago
Step 01
02First comment
Sep 4, 2025 at 3:20 PM EDT
2h after posting
Step 02
03Peak activity
2 comments in 1-2h
Hottest window of the conversation
Step 03
04Latest activity
Sep 4, 2025 at 11:13 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (5 comments)

Showing 5 comments

8organicbits

4 months ago

1 reply

It's interesting to imagine how you'd maliciously use a TLS certificate for a major DoH provider (which does NOT appear to have happened here). Impersonating a DoH server would let you return any DNS responses you wish. DNSSEC would only protect against this sort of attack if the stub resolver performed the DNSSEC validation, which I think is quite rare. For HTTPS, the attacker would also need a certificate for the target domain (or trick the user into trusting an invalid certificate / downgrade to HTTP). This is not a compelling attack since it only compromises one layer of protection.

This is problematic for SMTP/email, as you really need a trustworthy MX response and, unless you have MTA-STS, TLS validation is usually not performed. DNSSEC/DANE could help, but it depends on where DNSSEC validation occurs.

It would, however, be a privacy concern as the attacker impersonating the DoH server would learn the queries and source IP addresses.

tptacek

4 months ago

From a privacy perspective, the impact is further limited by the tiny number of popular zones that are actually signed --- you're two predicates removed from a useful attack (widespread deployment of clientside DNSSEC validation, which is very rare today, and widespread zone signing).

It's a weird misissuance from that perspective! Suggestive to me of something nonmalicious (nonmalicious misissuance is still a dealbreaker).

slacktivism123

4 months ago

1 reply

Sounds like HackerOne Managed Triage Services dropped the ball again and closed both reports without even flagging to Cloudflare's security engineers.

This happened in a high-profile way with the Zendesk situation (https://news.ycombinator.com/item?id=41818459) and is not the first time:

    1. Bug bounty report received from knowledgeable person who isn't a "celebrity" (top x performer on H1 leaderboard, social media influencer, H1 event invitee)

    2. with novel impact to the company, open source ecosystem, or wider Internet

    3. which doesn't fall neatly into an OWASP Top 10 (Web) box

    4. so Triage close it in the pre-queue before the company get eyes on it, replying with a zero-effort CR (Common Response aka Canned Response)

    5. the company doesn't see the report unless they go digging for it in the thousands of spam/bullshit/Acunetix copypaste reports that are also closed

---

Timeline of events:

https://blog.cloudflare.com/unauthorized-issuance-of-certifi...

>2025-09-02 04:50:00: Report shared with us on HackerOne, but was mistriaged

>2025-09-03 02:35:00: Second report shared with us on HackerOne, but also mistriaged.

>2025-09-03 10:59:00: Report sent on the public mailing [list] picked up by the team.

---

The canned response in question:

https://groups.google.com/g/certificate-transparency/c/we_8S...

>"after reviewing your submission it appears this behavior does not pose a concrete and exploitable risk to the platform in and on itself.

>If you're able to demonstrate any impact please let us know, and provide an accompanying working exploit."

weddpros

4 months ago

My HackerOne dismissal reads

"Although your finding might appear to be a security vulnerability, after reviewing your submission it appears this behavior does not pose a concrete and exploitable risk to the platform in and on itself. If you're able to demonstrate any impact please let us know, and provide an accompanying working exploit."

I was disappointed, and as far as I'm concerned, HackerOne is 2/2 dismissals.

homestar

4 months ago

It seems like all Cloudflare does these days is write up apologies for security incidents.

View full discussion on Hacker News

ID: 45129869Type: storyLast synced: 11/20/2025, 7:50:26 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN