A reporter with an account on Mozilla's Bugzilla platform reported a vulnerability in SSL.com's certificate issuance service: its domain ownership verification (domain control validation) could be bypassed, allowing malicious actors to obtain certificates for domains they do not own.
The bug was in the "email to DNS TXT contact" domain ownership verification method, in which the CA reads a contact email address from a DNS TXT record and confirms control by sending a challenge to that address. SSL.com's implementation accepted any email address listed in a TXT record as proof of ownership, and then treated the domain of that email address as verified, rather than the domain whose TXT record it had actually read.
This error enabled malicious actors to use a mailbox at any free email service to obtain certificates for major domains like gmail.com, yahoo.com, or icloud.com, and potentially intercept communications with these domains in the future.
The bug reporter demonstrated the issue by obtaining a certificate for aliyun.com, a domain belonging to Alibaba Cloud; the certificate, which had been logged to 5 CT logs, was revoked within 3 hours.
SSL.com has since disabled the email to DNS TXT contact domain ownership verification method and will provide updates on the issue tomorrow.
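To make the failure described above concrete, the following added example (not SSL.com's code, nor code from the Bugzilla report) models the "email to DNS TXT contact" validation method with an in-memory stand-in for DNS and for the challenge email, and places the flawed decision logic beside a corrected version. The zone names, mailbox addresses and the `_validation-contactemail` label are constructed; the label follows the CA/Browser Forum Baseline Requirements convention for this method, which is an assumption here rather than something the page states.

```python
# Added example, not SSL.com's code: models the "email to DNS TXT contact"
# domain control validation (DCV) method, with the flawed decision logic
# described in the report beside a corrected version. DNS lookups and
# mailbox confirmations are replaced by constructed in-memory data.

# Constructed stand-in for DNS: TXT records keyed by owner name.
# The "_validation-contactemail" label follows the CA/Browser Forum
# Baseline Requirements convention for this method (assumption).
FAKE_TXT_RECORDS = {
    # A zone the applicant controls, pointing at a mailbox on a large provider.
    "_validation-contactemail.applicant-zone.example": ["someone@aliyun.com"],
    # A legitimately configured zone whose contact is in the same domain.
    "_validation-contactemail.legit.example": ["hostmaster@legit.example"],
}

# Constructed stand-in for the challenge email: mailboxes the applicant can read.
APPLICANT_MAILBOXES = {"someone@aliyun.com", "hostmaster@legit.example"}


def lookup_txt(name):
    """Return TXT values for a DNS name (stub over the constructed zone data)."""
    return FAKE_TXT_RECORDS.get(name.lower().rstrip("."), [])


def contact_email(zone):
    """Read the first contact email from zone's validation TXT record, or None."""
    for value in lookup_txt(f"_validation-contactemail.{zone}"):
        value = value.strip()
        if "@" in value:
            return value
    return None


def challenge_confirmed(email):
    """Stand-in for 'the applicant completed the challenge emailed to this address'."""
    return email in APPLICANT_MAILBOXES


def flawed_validate(txt_zone):
    """The reported behaviour: the CA reads an email address from a TXT record
    in a zone the applicant points it at, confirms the mailbox, and then marks
    the domain AFTER the '@' as validated. The applicant controls both the
    zone and the mailbox, so the applicant chooses which domain is 'proven'."""
    email = contact_email(txt_zone)
    if email is None or not challenge_confirmed(email):
        return None
    return email.split("@", 1)[1]


def correct_validate(requested_domain):
    """Corrected logic: the TXT record must live under the requested domain
    itself, and the domain that becomes validated is the requested domain,
    never the domain part of the contact address."""
    email = contact_email(requested_domain)
    if email is None or not challenge_confirmed(email):
        return None
    return requested_domain


if __name__ == "__main__":
    print("flawed :", flawed_validate("applicant-zone.example"))   # aliyun.com
    print("correct:", correct_validate("aliyun.com"))             # None
    print("correct:", correct_validate("legit.example"))          # legit.example
```

The flawed path marks `aliyun.com` as validated although no record under `aliyun.com` was ever consulted; the corrected path only ever validates the name the record was found under, and the applicant-controlled zone can still validate itself. The real method also permits the record to sit at a parent (authorization) domain of the requested name, so the property to preserve in a CA implementation is that the validated name is derived from where the record lives, never from the address it contains. Domain owners, as in the aliyun.com case above, detect this class of misissuance through Certificate Transparency monitoring rather than through anything visible in their own DNS.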
Source – Bugzilla
TLDR: A bug reported on Bugzilla highlighted a flaw in SSL.com's domain certificate issuance process that allowed unauthorized issuance of certificates for major domains. Fixes have been implemented to address the issue.