Back to News
Market Impact: 0.4

Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet

NETMSFTGOOGLGOOGAAPL
Technology & InnovationCybersecurity & Data Privacy

Unauthorized TLS certificates were improperly issued for Cloudflare's widely used 1.1.1.1 DNS service by Fina RDC 2020, a certificate authority trusted by Microsoft. Discovered four months after issuance, these certificates could enable decryption and tampering of encrypted DNS traffic, particularly if combined with a Border Gateway Protocol (BGP) hijack. Cloudflare has confirmed the unauthorized issuance, initiated an investigation, and is coordinating with Microsoft and Fina for revocation, while Microsoft is blocking the certificates. While major browsers like Chrome, Firefox, and Safari are unaffected, this incident underscores critical vulnerabilities within the certificate authority ecosystem and potential supply chain risks for core internet infrastructure.

Analysis

An investigation has been launched following the improper issuance of three TLS certificates for Cloudflare's (NET) 1.1.1.1 DNS service, a critical piece of internet infrastructure. The certificates, issued in May by Fina RDC 2020, a certificate authority (CA) trusted by the Microsoft (MSFT) Root Certificate Program, were not discovered for four months. These certificates create a significant security vulnerability, as they could be used to decrypt DNS over HTTPS traffic if combined with a successful Border Gateway Protocol (BGP) hijack, thereby exposing user domain lookups. While Cloudflare has confirmed it did not authorize the issuance and is working towards revocation, the incident highlights a critical lapse in Microsoft's CA vetting process. The direct impact is primarily contained to users of systems that trust the Microsoft root store, such as the Windows OS and Edge browser, which accounts for approximately 5% of the market. Conversely, users of Google's (GOOGL) Chrome, Mozilla's Firefox, and Apple's (AAPL) Safari are unaffected as their browsers do not trust the problematic CA, underscoring the security benefits of their independent root store management.

AllMind AI Terminal

AI-powered research, real-time alerts, and portfolio analytics for institutional investors.

Request a Demo

Market Sentiment

Overall Sentiment

moderately negative

Sentiment Score

-0.50

Ticker Sentiment

AAPL0.30
GOOG0.30
GOOGL0.30
MSFT-0.20
NET-0.70

Key Decisions for Investors

  • Investors in Cloudflare (NET) should monitor for any statements regarding client trust and retention, as this incident, despite NET not being at fault for the issuance, directly impacts the perceived security of its core services.
  • The four-month delay in detection represents an operational failure for Microsoft (MSFT), and investors should evaluate the potential for reputational risk and scrutinize any forthcoming changes to its Root Certificate Program's oversight policies.