Hacker Tricked SSL.com To Get Certificate Issued for Alibaba Cloud Domain

A prominent certificate authority (SSL.com) has disclosed a significant security vulnerability in its domain validation system that could allow attackers to obtain fraudulent SSL certificates for domains they don’t own. 

The flaw was reported by David Zhao, a senior researcher from the CitadelCore Cyber Security Team, who demonstrated how the system could be manipulated to issue certificates for Alibaba Cloud’s domain (aliyun.com).

Critical DCV Implementation Flaw

According to The Register, the vulnerability stems from an incorrect implementation of Domain Control Validation (DCV) method 3.2.2.4.14, known as “Email to DNS TXT Contact.”


SSL.com’s validation system incorrectly marked the hostname of an approver’s email address as a verified domain, a serious departure from proper security protocols.

The researcher provided a detailed proof-of-concept demonstration showing how the flaw could be exploited:

  • Creating a test domain on dcv-inspector.com.
  • Configuring a DNS TXT record (_validation-contactemail) with an email address using aliyun.com as the domain.
  • Requesting a certificate for the test domain from SSL.com.
  • Completing the email validation process.
  • Observing that SSL.com incorrectly added aliyun.com (the email domain) to verified domains.
  • Successfully requesting and receiving certificates for aliyun.com and www.aliyun.com.

“SSL.com verified and issued aliyun.com…. I’m not administrator, admin, hostmaster, postmaster, or webmaster of aliyun.com. and also, _validation-contactemail with the value of my email is never configured for aliyun.com. So, this is wrong,” the researcher said.
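As an added illustration of the validation logic described above (this is not code from SSL.com or the researcher), the following Python sketch simulates the “Email to DNS TXT Contact” step on a CA’s side: the DNS data, the test domain name and the approver address are constructed placeholders, and the two `complete_challenge_*` functions contrast the reported defect (the approver email’s hostname being added to the validated set) with the correct scope, in which only the domain whose TXT record was queried is validated.

```python
import re
import secrets

# Constructed stand-in for DNS: owner name -> TXT strings (not a live resolver).
TXT_RECORDS = {
    "_validation-contactemail.test.example": ["approver@aliyun.com"],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lookup_txt(name):
    return TXT_RECORDS.get(name, [])


def start_challenge(requested_domain):
    """Read _validation-contactemail for the requested domain and mint a token.

    The address found here is only a delivery channel for the challenge; it
    says nothing about who controls the mailbox's own domain.
    """
    emails = [t for t in lookup_txt(f"_validation-contactemail.{requested_domain}")
              if EMAIL_RE.match(t)]
    if not emails:
        return None
    return {"domain": requested_domain, "email": emails[0],
            "token": secrets.token_urlsafe(16)}


def complete_challenge_buggy(challenge, submitted_token):
    """Mirrors the reported defect: the approver address's hostname is added
    to the validated set alongside the requested domain."""
    if not secrets.compare_digest(submitted_token, challenge["token"]):
        return set()
    return {challenge["domain"], challenge["email"].rsplit("@", 1)[1].lower()}


def complete_challenge_fixed(challenge, submitted_token):
    """Correct scope: only the domain whose TXT record was queried is validated."""
    if not secrets.compare_digest(submitted_token, challenge["token"]):
        return set()
    return {challenge["domain"]}


def may_issue(validated, san):
    """A SAN is issuable if it equals a validated domain or is a subdomain of one."""
    san = san.lower()
    return any(san == d or san.endswith("." + d) for d in validated)
```

With the buggy completion, a challenge started for `test.example` leaves `aliyun.com` validated, so `www.aliyun.com` passes `may_issue`; with the fixed completion it does not.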

SSL.com responded promptly to the disclosure, acknowledging the issue and taking immediate action. 

Rebecca Kelley, assigned to handle the incident, announced that the company had “disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL/TLS certificates” while they investigated the issue.

In a preliminary incident report released within 24 hours, SSL.com confirmed the vulnerability violated their Certificate Policy and Certification Practice Statement (CP/CPS) clauses. 

After scanning their certificate database, they identified ten additional affected certificates beyond the one reported by the researcher.

“Historical evidence shows that, with the exception of one certificate, SSL.com did issue previous certificates using compliant DCV evidence during the initial issuance of the certificates which point to non-fraudulent mis-issuances,” explained Kelley. 

“Unfortunately, upon renewal/reissuance of said certificates, it appears the affected certificates were issued based on invalid DCV evidence.”

This vulnerability represents a serious threat to web security infrastructure. SSL/TLS certificates serve as the foundation of trust on the internet, verifying website identities and enabling encrypted connections. 

The ability to obtain fraudulent certificates could allow attackers to impersonate legitimate websites, conduct man-in-the-middle attacks, or intercept encrypted communications.

SSL.com stated it is “processing this incident with the utmost priority.” The company has committed to delivering a full incident report by May 2, 2025.

This event underscores the need for ongoing vigilance from both certificate authorities and domain owners, as well as the importance of rapid detection and remediation of vulnerabilities to maintain confidence in the public key infrastructure that secures the internet.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.