Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet

Summary

The certificates are a key part of the Transport Layer Protocol. They contain the private key used to digitally sign domains to certify they rightfully belong to the entity claiming ownership or control. The private key is also used to decrypt traffic that passes between end users and the sites they are visiting. The holder of the 1.1.1.1 certificates could potentially use them in active adversary-in-the-middle attacks that intercept communications passing between end users and the Cloudflare DNS service, Ryan Hurst, CEO of Peculiar Ventures and a TLS and public key infrastructure expert, told Ars. “Doing so would require a BGP hijack to trick your host to think your [rogue] 1.1.1.1 was the one I should connect to,” he explained. BGP is short for Border Gateway Protocol, a specification used to link regional networks scattered around the world, known as Autonomous Systems, to each other. By manipulating the system through false notices, attackers regularly take control of legitimate IP addresses, including those belonging to telecoms, banks, and Internet services. From there, attackers with possession of the 1.1.1.1 certificates could decrypt, view, and tamper with traffic from the Cloudflare DNS service, Hurst said. He added that Cloudflare’s WARP VPN service may also be similarly affected. Wednesday’s discovery exposes key failures of the public key infrastructure that’s responsible for ensuring trust of the entire Internet. They are the only thing ensuring that gmail.com, bankofamerica.com, irs.gov, and any other sensitive website is controlled by the entity claiming ownership. Given the pivotal role of certificates, CAs are required to provide the IP addresses they used to verify that a party applying for a certificate controls the address they want covered. None of the three certificates provides that information. The incident also reflects poorly on Microsoft for failing to catch the mis-issued certificate before it was trusted by Windows. Also at partial faul...