SSL.com: DCV bypass and issue fake certificates for any MX hostname

FanJ · Apr 19, 2025 at 9:41 AM

Bug 1961406 Opened 19 hours ago Updated 3 hours ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver's email address as a verified domain, which is completely erroneous.
Click to expand...

SSL.com acknowledges this bug report and we are investigating further.
Click to expand...

Out of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL/TLS certificates while we investigate. We will provide a preliminary report on or before 2025-04-21.
Click to expand...

Cert revoked:
https://crt.sh/?id=17926238129&opt=ocsp

Thanks to Erik at security.nl :
https://www.security.nl/posting/884827/Domain Validation en OCSP

FanJ · Apr 22, 2025 at 6:19 PM

Preliminary Incident Report is published.
See above mentioned Bugzilla thread for the Summary:
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
See postings by Rebecca.

Incident description: An incorrect implementation of the DCV method specified in the SSL.com CP/CPS, section 3.2.2.4.14 (Email to DNS TXT Contact), resulted in mis-issuing a certificate to the hostname of the approver's email address. The certificate has already been revoked, the relevant DCV record has been invalidated and the DCV method has been disabled until remediation of the issue. After scanning the entire corpus of certificates issued with the above method, we identified ten (10) additional affected certificates that were mis-issued and have now been revoked.
Click to expand...

Relevant policies: This is a violation of the following CP/CPS clauses
Click to expand...

Read there more for the details!!!

Further down in that thread the other 10 certificates (that were mis-issued and have now been revoked) were given.

Full certificate details will be provided per CCADB guidelines in our Full Incident Report
Click to expand...

===

One more quote:

SSL.com will post our Full Incident Report on or before 2025-05-02.
Click to expand...

FanJ · Apr 22, 2025 at 6:35 PM

Article in Dutch at security.nl :
SSL.com verstrekte door bug tls-certificaat clouddienst Alibaba aan onderzoeker
https://www.security.nl/posting/885...rtificaat clouddienst Alibaba aan onderzoeker

FanJ · Apr 23, 2025 at 4:27 AM

Another link to an English article about the issue:
https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/

Log in or Sign up

SSL.com: DCV bypass and issue fake certificates for any MX hostname

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Log in or Sign up

SSL.com: DCV bypass and issue fake certificates for any MX hostname

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

Useful Searches