Croatian Agency Created Havoc in DNS Services

In early September 2025, Croatia’s Financial Agency (Fina) became the focus of an international cybersecurity controversy after it was revealed that the agency had wrongly issued a set of TLS/SSL certificates for the IP address 1.1.1.1, a critical resource belonging to Cloudflare, one of the world’s leading providers of DNS and internet security services. Between February and August 2025, Fina issued twelve certificates that should never have been created, as the IP address in question was not under its control.

TLS certificates are a cornerstone of internet trust, enabling encrypted communication by validating that a website or service is genuine. If misused, such certificates can facilitate “man-in-the-middle” attacks, where attackers intercept and potentially alter data between users and a service. In this case, experts warned that the wrongly issued certificates could have allowed impersonation of Cloudflare’s DNS service, undermining trust in one of the most widely used security infrastructures on the internet.

Fina’s official explanation was that the certificates were generated as part of “internal testing” in a production environment, and that a human error occurred when inputting the IP address. The agency insisted that no private keys or certificates were left on its systems, that the keys were destroyed after testing, and that no end users or services were ever exposed to real risk. It framed the incident as an isolated mistake, promising to update its procedures to avoid similar errors in the future.

Despite this reassurance, the situation exposed serious shortcomings. First, Cloudflare discovered the problem only after the community flagged unusual entries in Certificate Transparency (CT) logs, months after the certificates were issued. Cloudflare itself admitted that its monitoring systems were insufficient to detect certificates issued solely for IP addresses without associated domains. In effect, Cloudflare “missed” the problem three times: by not tracking IP-based certificates, by failing to filter anomalies properly, and by not having sufficient alerts to catch the irregularity.
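The monitoring gap described above, shown as an added example (not Cloudflare's or Fina's code): a Certificate Transparency check that matches only DNS names never sees a certificate whose sole subject alternative name is an IP address. The record shape, the `one.example` domain and the issuer names are constructed assumptions; only the address 1.1.1.1 comes from the article.

```python
import ipaddress

# Constructed sample records, shaped like the SAN list of a parsed CT log entry.
SAMPLE_ENTRIES = [
    {"id": "entry-1", "issuer": "Expected CA (constructed)",
     "san": ["DNS:one.example", "IP:1.1.1.1"]},
    {"id": "entry-2", "issuer": "Unexpected CA (constructed)",
     "san": ["IP:1.1.1.1"]},  # IP-only certificate, no domain name at all
    {"id": "entry-3", "issuer": "Unexpected CA (constructed)",
     "san": ["DNS:unrelated.example", "IP:192.0.2.10"]},
    {"id": "entry-4", "issuer": "Unexpected CA (constructed)",
     "san": ["DNS:api.one.example"]},
]

# Assumed watch lists for the resource owner (hypothetical values).
WATCHED_DOMAINS = {"one.example"}
WATCHED_NETWORKS = [ipaddress.ip_network("1.1.1.1/32")]
ALLOWED_ISSUERS = {"Expected CA (constructed)"}

def domain_matches(name, watched):
    """True if name (or its wildcard base) is a watched domain or a subdomain of one."""
    name = name.lower().rstrip(".").removeprefix("*.")
    return any(name == d or name.endswith("." + d) for d in watched)

def ip_matches(value, networks):
    """True if value parses as an IP address inside any watched network."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False  # malformed SAN value: not a match, but do not crash the monitor
    return any(addr in net for net in networks if net.version == addr.version)

def covers_watched(entry, check_ips=True):
    """True if any SAN of the entry names a watched domain or (optionally) IP."""
    for san in entry["san"]:
        kind, _, value = san.partition(":")  # split on first ':' so IPv6 values survive
        if kind == "DNS" and domain_matches(value, WATCHED_DOMAINS):
            return True
        if check_ips and kind == "IP" and ip_matches(value, WATCHED_NETWORKS):
            return True
    return False

def unexpected_certs(entries, check_ips=True):
    """IDs of entries that cover a watched resource but come from an unlisted issuer."""
    return [e["id"] for e in entries
            if covers_watched(e, check_ips) and e["issuer"] not in ALLOWED_ISSUERS]

if __name__ == "__main__":
    print("domain-only monitor:", unexpected_certs(SAMPLE_ENTRIES, check_ips=False))
    print("IP-aware monitor:   ", unexpected_certs(SAMPLE_ENTRIES))
```

With `check_ips=False` the IP-only entry goes unreported, which is the blind spot the article attributes to Cloudflare's monitoring.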

Second, Microsoft’s systems also allowed the certificates to be trusted for months within its Windows and Edge ecosystem. Unlike Google Chrome, Mozilla Firefox, or Apple Safari, which do not trust Fina’s root certificate authority, Microsoft automatically includes Fina Root CA in its trusted root program. This meant that millions of Windows users were theoretically vulnerable until Microsoft intervened and revoked the problematic certificates.

The incident sparked alarm among cybersecurity professionals. Analysts such as Marko Rakar and Lucijan Carić called it an unprecedented breach of trust, warning that Fina had undermined its role as a certificate authority. Comparisons were drawn to past incidents, such as the DigiNotar breach in 2011, which shook global confidence in certificate authorities. The fact that four months passed before the error was detected highlighted the fragility of the internet’s trust model.

Ultimately, the case illustrates systemic weaknesses across multiple actors. Fina erred by issuing certificates for an IP address it did not control, Cloudflare failed to promptly detect the anomaly, and Microsoft’s permissive trust model prolonged the risk. While no evidence of misuse has been found, the episode serves as a cautionary tale of how a single misstep in certificate issuance can escalate into a global internet security concern, raising questions about oversight, accountability, and the resilience of the trust-based TLS ecosystem.