A glance through censys with the following query and a report checking parsed.extensions.subject_alt_name.dns_names:

parsed.issuer.organization="Financijska*" and not labels="revoked" and labels="trusted" and parsed.extensions.extended_key_usage.server_auth="true"

Internal IPs (only the invalid SANs are mentioned):
SAN: 10.1.134.20 https://crt.sh/?q=e0fe7d9c83faefd6ee2f078a382b1049a52677031c1af48fcece7666d0b8903b
SAN: 10.1.134.21 https://crt.sh/?q=ae4daa27c166be9c5da7a2ba6582cb6fa3eec5127597e3617c4e53ab8d302e34
SAN: 10.1.134.25 https://crt.sh/?q=527aab4e6f976ec7b3f7dd1959e7a01f62d6ae2d573ee8a3a2fd3af5ad5a0e02

No TLD at all:
SAN: finadok, spoint2013 https://crt.sh/?q=aae59c2e5176f641d2b66d69edaadb350e2b8e0ed977e821a3e4e51e4bc0de40

Spaces in DNS entries:
SAN: NIAS otocna-iskaznica.hr https://crt.sh/?q=2185539e4ad2a8d4e9e3ff228feed656bf23f9066fc1c1b06ebfc833ea8a2cce
SAN: instapay. paba.hr https://crt.sh/?q=161d567783398b1d9da8d9f2a3f9f03b0584f993bacfa9e4fadd17b498e42714

Underscore in DNS entry:
SAN: obnova_osnivanje.mpudt.hr https://crt.sh/?q=3e8d8e4ecb5900bd9d36cdb3ade71a46d415f9bec08d8d5ff753070fcbff5d11

There are also all the other certs where the dns_name entries are IP addresses anyway with failed lints, but I'm not checking ownership of every issued cert. If we're going to make a list of everywhere they've gone wrong we'll be here for a while, is my point.

- Wayne

On Thursday, September 4, 2025 at 10:53:24 PM UTC+1 Watson Ladd wrote:
> That's not all:
> https://crt.sh/?id=15304695102&opt=ocsp looks a little suspicious to
> me given the OU values here. I wish I had a legitimately issued one to
> contrast with, but I am suspicious.
>
> I also found https://crt.sh/?id=2186789673 which is from a different CA
>
> Sincerely,
> Watson
>
> On Thu, Sep 4, 2025 at 2:39 PM Andrew Ayer <[email protected]> wrote:
> >
> > On the Fediverse, Dr. Christopher Kunz <https://chaos.social/@christopherkunz/115144844256513679> has noticed two additional issues:
> >
> > 1. A presumably-misissued certificate for 2.2.2.2, an IP address assigned to Oracle according to WHOIS:
> > https://crt.sh/?sha256=789DE404B22E8737C22694B72CBDDC23F8C1EE4BF1DF3FAEBACF5C3E5509288B
> >
> > 2. The certificates involved in this incident have been revoked with the reason code cessationOfOperation. Per BR 4.9.1.1 (5), the reason should be superseded.
> >
> > Regards,
> > Andrew
> >
> > On Wed, 3 Sep 2025 23:31:58 +0800
> > Youfu Zhang <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > This is a public report of several certificates issued by Fina RDC
> > > 2020 that appear to be mis-issued. These certificates contain the
> > > Subject Alternative Name (SAN) iPAddress:1.1.1.1.
> > >
> > > The IP address 1.1.1.1 is a well-known public DNS resolver operated by
> > > Cloudflare, in partnership with APNIC. It is highly unlikely that the
> > > certificate subscribers demonstrated control over this IP address as
> > > required by the CA/Browser Forum Baseline Requirements.
> > >
> > > Three of the discovered certificates are still valid as of today,
> > > September 3, 2025.
> > >
> > > Mis-issued Certificates:
> > >
> > > 1. Serial Number: d3:16:7e:fd:77:ca:d7:59:00:00:00:00:5f:c7:c6:72
> > > Subject CN: test1.hr
> > > SAN:
> > > - dNSName:test1.hr
> > > - dNSName:test12.hr
> > > - iPAddress:1.1.1.1
> > > crt.sh: https://crt.sh/?id=18603461241
> > > Censys: https://platform.censys.io/certificates/8abd30c3c154a4be2a1f82e2c0e96a7d4328320f743cc629778455a76632ceee
> > >
> > > 2. Serial Number: f9:72:55:2d:6a:c0:88:28:00:00:00:00:5f:c8:6f:4d
> > > Subject CN: test1.hr
> > > SAN:
> > > - dNSName:test1.hr
> > > - dNSName:test11.hr
> > > - iPAddress:1.1.1.1
> > > crt.sh: https://crt.sh/?id=19749721864
> > > Censys: https://platform.censys.io/certificates/379d358af1a38f8b06866ea3342b15909ec566b5cd2404fda34fecfe07643abf
> > >
> > > 3. Serial Number: be:b8:ef:1b:1c:6c:ff:53:00:00:00:00:5f:c8:cd:e5
> > > Subject CN: test11.hr
> > > SAN:
> > > - dNSName:test11.hr
> > > - dNSName:test12.hr
> > > - iPAddress:1.1.1.1
> > > crt.sh: https://crt.sh/?id=20582951233
> > > Censys: https://platform.censys.io/certificates/d42b028468e73795365102058cbcd350ad0a0b9ca7073c5362a570c5ec208a92
> > >
> > > Relevant Certificate Authority:
> > >
> > > These precertificates were issued by Fina RDC 2020
> > > (https://crt.sh/?caid=201916), which is a subordinate CA of Fina Root
> > > CA (https://crt.sh/?caid=100631).
> > >
> > > Fina Root CA is trusted by The Microsoft Root Certificate Program.
> > >
> > > Apparent Violations:
> > >
> > > This issuance appears to violate both the CA/Browser Forum's
> > > requirements and Fina's own stated policies.
> > >
> > > 1. CA/Browser Forum TLS Baseline Requirements (v2.1.7), Section
> > > 7.1.2.7.12:
> > >
> > > The entry MUST contain the IPv4 or IPv6 address that the CA has
> > > confirmed the Applicant controls or has been granted the right to use
> > > through a method specified in Section 3.2.2.5.
> > >
> > > 2. Fina RDC 2020 Certificate Policy (v1.12), Section 3.2.2.4:
> > >
> > > For each IP Address listed in certificate application Fina shall
> > > verify, as of the date the certificate was issued, the right to use
> > > and control the IP Address by the Legal person submitting the
> > > certificate application.
> > > This verification shall be done in accordance with the methods
> > > specified in the CA/Browser Forum BRG document.
> > >
> > > I request that Fina investigate this matter, revoke any active
> > > non-compliant certificates, and provide a public incident report in a
> > > timely manner.
> > >
> > > ---
> > >
> > > Best regards,
> > > Youfu Zhang
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "[email protected]" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to [email protected]. To view this discussion visit
> > > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEKhA2zDcVuKi1KVnMOwgjyQ2T9rv7sCFCYG0gwozLU9f7p4vQ%40mail.gmail.com
> > > .
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "[email protected]" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected]. To view this discussion visit
> > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250904173858.c0076467f4af410979bccbaf%40andrewayer.name
> > .
>
> --
> Astra mortemque praestare gradatim

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2c5f2ad7-5816-4325-bf20-03c4d6874db9n%40mozilla.org.
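The classes of defect the thread lists (SANs holding private IPs, single-label names without a TLD, spaces or underscores in dNSName values, and iPAddress values the subscriber almost certainly never demonstrated control over) are exactly what a CA's pre-issuance lint is supposed to catch. The following is an added example written for this thread, not code from any of the posters and not Fina's own tooling: a small SAN linter in Python that applies those checks to a list of dNSName and iPAddress values and, going a step beyond the thread, also compares every value against a set of domains and address ranges the CA is assumed to have validated, which is how BR 7.1.2.7.12 ("the CA has confirmed the Applicant controls") would be enforced mechanically. The sample SAN values are taken from the thread; the validated set (test1.hr and the reserved documentation range 203.0.113.0/24, TEST-NET-3) is constructed for the example, and the function names are the example's own.

```python
"""Pre-issuance lint for TLS certificate SAN values (added example, not Fina's code).

Checks each dNSName / iPAddress SAN value for the defect classes listed in the
thread and against a constructed set of validated domains and networks.
"""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphen, no leading/trailing
# hyphen, 1..63 octets. Spaces, underscores and empty labels all fail it.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed validation state: what the CA has supposedly confirmed the
# applicant controls. TEST-NET-3 is a reserved documentation range, chosen
# deliberately so the reserved-address check fires even on a "validated" net.
VALIDATED_DOMAINS = {"test1.hr"}
VALIDATED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: SAN values quoted in the thread plus two clean ones.
SAMPLE_DNS_NAMES = [
    "test1.hr", "www.test1.hr", "test12.hr", "finadok",
    "NIAS otocna-iskaznica.hr", "obnova_osnivanje.mpudt.hr", "10.1.134.20",
]
SAMPLE_IP_ADDRESSES = ["1.1.1.1", "10.1.134.21", "203.0.113.7"]


def lint_dns_name(name, validated_domains):
    """Return the findings for one dNSName value; an empty list means clean."""
    # An IP literal belongs in an iPAddress SAN, never in a dNSName.
    try:
        ipaddress.ip_address(name)
        return ["IP address encoded as dNSName"]
    except ValueError:
        pass
    findings = []
    if any(ch.isspace() for ch in name):
        findings.append("contains whitespace")
    if "_" in name:
        findings.append("contains underscore")
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        findings.append("no TLD (single-label / internal name)")
    for label in labels:
        if not LABEL_RE.match(label):
            findings.append("invalid hostname label %r" % label)
            break
    # Domain control: the name must be, or sit under, a validated domain.
    lowered = name.lower().lstrip("*.")
    if not any(lowered == d or lowered.endswith("." + d) for d in validated_domains):
        findings.append("not under a validated domain")
    return findings


def lint_ip_address(value, validated_networks):
    """Return the findings for one iPAddress value; an empty list means clean."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return ["unparseable IP address"]
    findings = []
    # Private, reserved, loopback, link-local and documentation ranges are
    # all non-global and must never appear in a publicly trusted cert.
    if not ip.is_global:
        findings.append("non-public IP address (private/reserved/loopback/link-local)")
    if not any(ip in net for net in validated_networks):
        findings.append("not within a validated address range")
    return findings


def lint_sans(dns_names, ip_addresses, validated_domains, validated_networks):
    """Lint every SAN value; returns {value: [findings]} for the failing ones."""
    report = {}
    for name in dns_names:
        findings = lint_dns_name(name, validated_domains)
        if findings:
            report[name] = findings
    for value in ip_addresses:
        findings = lint_ip_address(value, validated_networks)
        if findings:
            report[value] = findings
    return report


if __name__ == "__main__":
    for san, findings in lint_sans(SAMPLE_DNS_NAMES, SAMPLE_IP_ADDRESSES,
                                   VALIDATED_DOMAINS, VALIDATED_NETWORKS).items():
        print("%-28s %s" % (san, "; ".join(findings)))
```

Run stand-alone it prints one line per failing SAN. The syntax checks (whitespace, underscore, missing TLD, IP literal in a dNSName) need no context and are what zlint-style tooling already does; the "not under a validated domain" and "not within a validated address range" findings are the part that only the issuing CA can run, because only it holds the validation records, and 1.1.1.1 is flagged solely by that check: it is a perfectly well-formed, globally routable address.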
