SSL.com’s DCV Debacle: Wrongly Issued Certificates Cause a Security Stir
A domain control validation vulnerability allowed SSL.com to mistakenly issue certificates for legitimate domains, including Alibaba Cloud’s aliyun.com. The flaw involved a DNS TXT record trick, turning the DCV method into a digital certificate gumball machine. SSL.com has since revoked misissued certificates and disabled the faulty validation method.

Hot Take:
Who knew a simple email could open the gates to the internet’s treasure trove? Thanks to a bug in SSL.com’s domain control validation method, it’s like handing out golden tickets to Willy Wonka’s factory—except the factory is actually a secure website, and the tickets are digital certificates. Talk about a cyber slip-up! At least the researcher was a good sport about it and not a notorious cyber-criminal mastermind. This is a reminder that even the gatekeepers of the internet sometimes forget to lock the gates.

Key Points:
- A domain control validation vulnerability led to SSL.com issuing certificates incorrectly for legitimate domains.
- A researcher exploited this bug to obtain a fraudulent certificate for Alibaba Cloud’s website, aliyun.com.
- SSL.com has since revoked the misissued certificates and disabled the flawed DCV method.
- The bug was specifically in the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact).
- Certificates were also wrongly issued for other domains like *.medinet.ca and help.gurusoft.com.sg.