Hello and welcome to the Friday, September 5th, 2025 edition of the Sands Inundit Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu master's degree program in

information security engineering. Today I want to start with a story that I well ended yesterday's

podcast on and that's the rogue certificate that was issued for 1.1.1.1. Whenever we have sort of a trust issue here with the sort of authority system,

in particular if it affects a critical resource like this public DNS server,

it's certainly worthwhile looking into it a little bit further, and that's what Cloudflare did now.

Cloudflare published a blog post

with additional details that their investigation revealed as part of this incident. So the main

concern here we have with this particular incident is the use of TLS in protocols like DNS over TLS and

DNS over HDPS as they're being used with these DNS servers. And of course, certificates

are being used in order to verify that you're connecting to the correct Resolver in this case.

And in particular, when you're connecting to a DNS Resolver,

you are often connecting using an IP address, not a host name.

So as a result, the certificates involved here must include the IP address.

And that's exactly what's happening here with the Cloudflare DNS certificate.

It does include the 1.1.1 IP address as well as other IP addresses.

And of course, the host names that this particular server is also known under in case a user uses that to connect.

Typically, Cloudflare uses DigiCert for its certificates, not this particular set of authority

that issued the 1.1.1.1Rogue certificate. Cloudflare states that, well, they talk to them and they

basically were told that this certificate was issued as a test. Now, this is still a breach of trust

as far as certificate authority best practices go. If you are

...