SSL.com Scrambles to Patch Certificate Issuance Vulnerability
securityweek
A domain control validation (DCV) vulnerability has resulted in SSL.com wrongly issuing nearly a dozen digital certificates for seven legitimate domains.
The bug was discovered and reported by a researcher who abused it to obtain a fraudulent certificate for aliyun.com, the official website for Alibaba Cloud, one of the largest cloud companies.
“SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver’s email address as a verified domain, which is completely erroneous,” the researcher noted in a bug report.
To obtain the fraudulent certificate, the researcher published a ‘_validation-contactemail’ DNS TXT record on a test domain they controlled, listing an @aliyun.com email address as the contact, then requested a certificate from SSL.com for that test domain and selected the @aliyun.com address from the email approvers list. Because SSL.com also treated the domain portion of the approver address as validated, the confirmation for the test domain ended up authorizing issuance for aliyun.com itself.
After the researcher ...
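To make the failure concrete, here is a simulation of the Email to DNS TXT Contact check, written as an added example for this page; it is neither SSL.com's code nor the researcher's. The DNS zone, the domain names and the function names (validate_flawed, validate_correct, issuance_allowed) are constructed for illustration. The flawed variant reproduces the mistake described above, treating the approver mailbox's hostname as a validated domain, while the correct variant authorizes only the domain whose zone actually carried the TXT record.

```python
"""Simulated BR 3.2.2.4.14 (Email to DNS TXT Contact) domain validation.

Added example, not code from SSL.com or from the bug report. The DNS data
below is constructed; the point is which domains a CA may treat as validated
once the approver named in the TXT record has confirmed the request.
"""

CONTACT_LABEL = "_validation-contactemail"

# Constructed DNS data: name -> TXT records. Only the applicant's test domain
# publishes a contact record; aliyun.com publishes nothing for the applicant.
DNS_TXT = {
    f"{CONTACT_LABEL}.test.example": ["attacker@aliyun.com"],
}


def lookup_txt(name):
    """Stand-in for a real DNS TXT query; an empty list models NXDOMAIN/no data."""
    return DNS_TXT.get(name.lower(), [])


def approver_emails(domain):
    """Contact addresses published for `domain` via the DNS TXT Contact method."""
    records = lookup_txt(f"{CONTACT_LABEL}.{domain}")
    return {r.strip().lower() for r in records if "@" in r}


def validate_flawed(domain, approver_email):
    """Reproduces the reported mistake.

    After the approver confirms, the hostname part of the approver's address is
    also marked as a validated domain, although nothing in the exchange proved
    that the applicant controls that domain.
    """
    approver_email = approver_email.lower()
    if approver_email not in approver_emails(domain):
        return set()
    mailbox_domain = approver_email.rsplit("@", 1)[1]
    return {domain.lower(), mailbox_domain}  # BUG: mailbox_domain is unproven


def validate_correct(domain, approver_email):
    """The TXT record lives in the zone of `domain`, so a confirmation from the
    listed contact authorizes that domain only. The approver's mailbox domain
    is merely where the contact reads mail; it says nothing about control of it.
    """
    approver_email = approver_email.lower()
    if approver_email not in approver_emails(domain):
        return set()
    return {domain.lower()}


def issuance_allowed(validated, sans):
    """Every requested SAN must equal a validated domain or be subordinate to one
    (treating subdomains of a validated FQDN as covered is an assumption of this
    example that mirrors the method's usual scope)."""
    def covered(name):
        name = name.lower().rstrip(".")
        return any(name == v or name.endswith("." + v) for v in validated)
    return all(covered(s) for s in sans)


if __name__ == "__main__":
    request = ("test.example", "attacker@aliyun.com")
    for check in (validate_flawed, validate_correct):
        validated = check(*request)
        print(check.__name__, "validated:", sorted(validated),
              "| aliyun.com issuable:", issuance_allowed(validated, ["aliyun.com"]))
```

The flawed path reports aliyun.com as issuable after a round trip that only ever touched test.example's zone; the correct path confines the result to the domain that published the record, which is the check a CA reviewing its DCV code should be able to demonstrate for each method it supports.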
Copyright of this story solely belongs to SecurityWeek. The full text is available on their site.