Rogue-looking 1.1.1.1 certificate in CT Log


Chris Hartwig

Sep 3, 2025, 6:49:48 AM (yesterday) Sep 3
to certificate-transparency
Hi all,

Someone on YC's HackerNews (https://news.ycombinator.com/item?id=45089708) mentioned this precertificate: https://crt.sh/?id=20582951233

It was issued for IP address 1.1.1.1 (Cloudflare's DNS service), and it's supposedly a test by the Croatian CA Fina (includes SANs test11.hr and test12.hr, which btw return no answer in whois). 

Can't this certificate be used to MITM Cloudflare's DNS service? How does Cloudflare feel about these certificates? There may be no bad intentions, but isn't it still a violation of the CA's obligations?

Andrew C Aitchison

Sep 3, 2025, 7:19:23 AM (yesterday) Sep 3
to certificate-transparency
And they made it valid for a year.
I would not have minded as much if it had been for a week.

Can an expired certificate be logged to CT ?
If so that might have been a better way to test that CT monitoring
actually alerts people ?

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
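As an added illustration, not part of any post in this thread, here is the kind of check a CT monitor would run over a logged certificate to raise exactly the two points above: a SAN covering an IP address you operate, and a validity period far longer than a test needs. It is built on Go's standard crypto/x509; the certificate it examines is a constructed self-signed stand-in shaped like the one discussed (SAN IP 1.1.1.1, test11.hr, test12.hr, one year), not the CA's real certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckCert returns the alerts a CT monitor would raise for a logged certificate,
// given the IP addresses the operator owns and the longest acceptable validity.
func CheckCert(cert *x509.Certificate, owned []net.IP, maxValidity time.Duration) (alerts []string) {
	for _, ip := range cert.IPAddresses {
		for _, o := range owned {
			if ip.Equal(o) {
				alerts = append(alerts, fmt.Sprintf("SAN covers our IP %s (issuer %q)", ip, cert.Issuer.CommonName))
			}
		}
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > maxValidity {
		alerts = append(alerts, fmt.Sprintf("validity %.0f days exceeds %.0f-day limit", v.Hours()/24, maxValidity.Hours()/24))
	}
	return alerts
}

// MakeTestCert builds a constructed self-signed certificate shaped like the one in the thread (SAN IP 1.1.1.1, test11.hr, test12.hr, 365 days) to stand in for a log entry.
func MakeTestCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test CA"},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("1.1.1.1")},
		DNSNames:     []string{"test11.hr", "test12.hr"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real monitor the certificate would come from a log entry (e.g. the crt.sh record linked above) rather than from MakeTestCert, and the owned-IP list and validity limit from the operator's own inventory.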

Bas Westerbaan

Sep 3, 2025, 7:27:26 AM (yesterday) Sep 3
to certificate-...@googlegroups.com
Thanks Chris, we're investigating. Obviously this is problematic.

This doesn't seem to be the first time either. https://crt.sh/?id=12116084225

Best,

 Bas


Chris Hartwig

Sep 3, 2025, 7:33:51 AM (yesterday) Sep 3
to certificate-transparency
Hi Bas,
Yes I've seen the multiple certificates...

By the way, HackerOne's response:
"Although your finding might appear to be a security vulnerability, after reviewing your submission it appears this behavior does not pose a concrete and exploitable risk to the platform in and on itself. If you're able to demonstrate any impact please let us know, and provide an accompanying working exploit."

I think there may be an area for improvement in H1's sorting of issues.

Cheers
Chris Hartwig - SSLboard.com

Bas Westerbaan

1:31 PM (10 hours ago) 1:31 PM
to certificate-...@googlegroups.com