Ssl.com: DCV bypass and issue fake certificates for any MX hostname
Open
Bug 1961406
Opened 1 day ago
Updated 38 minutes ago
CA Certificate Compliance
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0
Steps to reproduce:
SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver’s email address as a verified domain, which is completely erroneous.
Steps to reproduce:
- Navigate to https://dcv-inspector.com and click “Start Test”. You will be redirected to a URL such as https://dcv-inspector.com/test/d2b4eee07de5efcb8598f0586cbf2690.
- Create a TXT record for the domain _validation-contactemail.d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com with the value myusername@aliyun.com. Here, aliyun.com is both a cloud provider and an email provider, similar to @Yahoo.com, @Gmail.com, or @iCloud.com.
- Visit SSL.com and request a certificate for the domain d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com. Then, select myusername@aliyun.com from the email approvers list.
- Log in to myusername@aliyun.com, retrieve the email that contains the DCV random value, and finalize the DCV validation process.
- SSL.com will add the domain name of the email address (the part after the @, in this case aliyun.com) to your list of verified domains.
- To obtain certificates for aliyun.com and www.aliyun.com, initiate the certificate request. SSL.com will then issue certificates for both aliyun.com and www.aliyun.com.
Affected Certificates
Actual results:
SSL.com verified and issued aliyun.com.
I’m not the administrator, admin, hostmaster, postmaster, or webmaster of aliyun.com. Also, a _validation-contactemail record with the value of my email address was never configured for aliyun.com.
So, this is wrong.
Expected results:
Don’t add the email domain to the list of verified domains.
Summary: SSL.com: DCV bypass and issue certificates for any MX hostname → SSL.com: DCV bypass and issue fake certificates for any MX hostname
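An added example, not part of the bug report and not SSL.com's code: a toy Python model of the BR 3.2.2.4.14 (Email to DNS TXT Contact) check that contrasts the outcome the report describes (the approver's email domain lands in the validated set) with the correct one (only the Authorization Domain Name whose _validation-contactemail TXT record was queried, and names beneath it). The DNS zone, the random value, the minimal public-suffix set and all function names are constructed for the example; a real CA resolves the record over DNS and uses the full Public Suffix List.

```python
"""Toy model of BR 3.2.2.4.14 (Email to DNS TXT Contact) validation.

Constructed example, not SSL.com code. Contrasts the flawed outcome the bug
report describes (approver's email domain treated as validated) with the
correct one (only the Authorization Domain Name whose TXT record was read).
"""
import re

# Constructed DNS zone: owner name -> TXT strings. The dcv-inspector.com test
# name from the report with a throwaway aliyun.com mailbox as the contact.
FQDN = "d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com"
DNS_TXT = {"_validation-contactemail." + FQDN: ["myusername@aliyun.com"]}

# Minimal stand-in for the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = {"com"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def authorization_domain_names(fqdn):
    """Candidate ADNs: the FQDN and each parent, stopping at the public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    candidates = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in PUBLIC_SUFFIXES:
            break
        candidates.append(name)
    return candidates


def dns_txt_record_contacts(fqdn, zone=DNS_TXT):
    """Return (adn, contacts) for the first ADN carrying a contact record."""
    for adn in authorization_domain_names(fqdn):
        txts = zone.get("_validation-contactemail." + adn, [])
        contacts = [t.strip().lower() for t in txts if EMAIL_RE.match(t.strip())]
        if contacts:
            return adn, contacts
    return None, []


def _challenge_passed(fqdn, approver_email, random_value, response, zone):
    """Shared steps: approver must be a listed contact and must echo the Random Value."""
    adn, contacts = dns_txt_record_contacts(fqdn, zone)
    if adn is None or approver_email.lower() not in contacts:
        return None
    if response != random_value:
        return None
    return adn


def validate_flawed(fqdn, approver_email, random_value, response, zone=DNS_TXT):
    """Behaviour the report describes: the mail domain of the approver is added
    to the validated set although no record under that domain was checked."""
    adn = _challenge_passed(fqdn, approver_email, random_value, response, zone)
    if adn is None:
        return set()
    email_domain = EMAIL_RE.match(approver_email.lower()).group(1)
    return {adn, email_domain}  # BUG: email_domain was never validated


def validate_correct(fqdn, approver_email, random_value, response, zone=DNS_TXT):
    """Correct result: only the ADN whose TXT record named the contact."""
    adn = _challenge_passed(fqdn, approver_email, random_value, response, zone)
    return set() if adn is None else {adn}


def is_authorized(san, validated):
    """Issuance check: san equals a validated name or ends with all its labels."""
    san = san.lower().rstrip(".")
    return any(san == d or san.endswith("." + d) for d in validated)


if __name__ == "__main__":
    rv = "constructed-random-value"
    for name, fn in (("flawed", validate_flawed), ("correct", validate_correct)):
        validated = fn(FQDN, "myusername@aliyun.com", rv, rv)
        print(name, sorted(validated), is_authorized("www.aliyun.com", validated))
```

The approver's mailbox only proves that the person who controls the queried TXT record chose that contact; it says nothing about who controls the mail provider's domain, so the provider's domain must never enter the validated set. In the correct variant the only way to validate aliyun.com is a _validation-contactemail record under aliyun.com itself (or one of its parents up to the public suffix).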
SSL.com acknowledges this bug report and we are investigating further.
Out of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL/TLS certificates while we investigate. We will provide a preliminary report on or before 2025-04-21.
