SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains


An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in its email-based domain verification method.

Internet security relies on trust, and the Certificate Authority (CA) is a key player in this system: it verifies website identities and issues the SSL/TLS certificates used to encrypt communication between a computer and the website.

Recently, however, a serious problem was found with one of these trusted CAs, SSL.com. Researchers discovered a flaw in how SSL.com checked whether someone requesting a certificate actually controlled the domain name, a process called Domain Control Validation (DCV).

SSL.com enables users to verify domain control and obtain a TLS certificate for encrypted HTTPS connections by creating a _validation-contactemail DNS TXT record with the contact email address as the value. SSL.com sends a code and URL to confirm the user’s control of the domain ...
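The following is an added example, not code from SSL.com or from the original article: a CA-side model of the flow described above, in which the name approved at the end is always the domain whose _validation-contactemail record was read. The `Validation` class, the `contact_emails` helper and the sample TXT data are hypothetical and constructed for illustration.

```python
import hmac
import secrets

PREFIX = "_validation-contactemail."

# Constructed sample data standing in for live DNS TXT lookups.
SAMPLE_TXT = {
    PREFIX + "example.org": ["admin@mailhost.example"],
}


def contact_emails(domain, txt=SAMPLE_TXT):
    """Return the contact addresses published for `domain`, and only for it."""
    name = PREFIX + domain.lower().rstrip(".")
    return [v.strip() for v in txt.get(name, []) if v.count("@") == 1]


class Validation:
    """One validation attempt, bound to the domain named in the request."""

    def __init__(self, domain, txt=SAMPLE_TXT):
        self.domain = domain.lower().rstrip(".")
        self.contacts = contact_emails(self.domain, txt)
        self._code = None

    def send_code(self, email):
        # Only an address read from this domain's own TXT record is eligible.
        if email not in self.contacts:
            raise ValueError("not a published contact for " + self.domain)
        self._code = secrets.token_urlsafe(32)
        return self._code  # a real CA would email this with the confirmation URL

    def confirm(self, code):
        """Return the validated domain, or None if the code does not match."""
        if self._code is None:
            return None
        if not hmac.compare_digest(self._code.encode(), code.encode()):
            return None
        self._code = None  # codes are single use
        # Approval covers the domain whose record was queried. The contact
        # address's own mail domain is only a delivery location.
        return self.domain
```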


Copyright of this story solely belongs to hackread.com.