A critical vulnerability in SSL.com’s domain validation process allowed unauthorized parties to fraudulently obtain TLS certificates for high-profile domains, including Alibaba Cloud’s aliyun.com, researchers revealed this week.
The certificate authority (CA) has since revoked 11 improperly issued certificates, raising concerns about trust in automated validation systems.
According to a Mozilla report, SSL.com’s Domain Control Validation (DCV) system, designed to verify ownership of a domain before issuing certificates, contained a loophole in its “Email to DNS TXT Contact” method (BR 3.2.2.4.14). Attackers could trick the system by:
This allowed attackers to request certificates for the target domain itself, bypassing proper authorization.
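The scoping rule of the “Email to DNS TXT Contact” method (BR 3.2.2.4.14), as an added example that is not SSL.com's code and not part of the report: a correct response to the emailed random value validates only the domain whose `_validation-contactemail` TXT record listed the address. The function names and the `TXT_RECORDS` sample data are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data standing in for live DNS TXT lookups (assumption).
TXT_RECORDS = {
    "_validation-contactemail.shop.example": ["admin@mailhost.example"],
    "_validation-contactemail.mailhost.example": ["hostmaster@mailhost.example"],
}

def normalize(domain):
    return domain.strip().lower().rstrip(".")

def txt_contacts(domain):
    """Addresses published in the _validation-contactemail TXT record of `domain`."""
    values = TXT_RECORDS.get("_validation-contactemail." + normalize(domain), [])
    return {v.strip().lower() for v in values}

def start_challenge(requested_domain, contact_email):
    """Bind a random value to the domain whose TXT record lists the contact."""
    domain, email = normalize(requested_domain), contact_email.strip().lower()
    if email not in txt_contacts(domain):
        raise PermissionError(f"{email} is not a TXT contact for {domain}")
    return {"domain": domain, "email": email,
            "random_value": secrets.token_urlsafe(32)}

def complete_challenge(challenge, response_value):
    """Return the set of domains validated by a correct response.

    Only the domain whose TXT record was queried is returned. The domain part
    of the contact's email address is never added: receiving mail at an
    address shows nothing about control of that address's domain.
    """
    if not hmac.compare_digest(challenge["random_value"], response_value):
        return set()
    return {challenge["domain"]}

def may_issue(validated, fqdn):
    """True if fqdn equals a validated domain or ends with all of its labels."""
    name = normalize(fqdn)
    return any(name == d or name.endswith("." + d) for d in validated)

if __name__ == "__main__":
    ch = start_challenge("shop.example", "admin@mailhost.example")
    validated = complete_challenge(ch, ch["random_value"])
    print(validated, may_issue(validated, "mailhost.example"))
```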
SSL.com revoked certificates for multiple domains, including:
These certificates could have enabled phishing sites, HTTPS traffic interception, or impersonation of legitimate services.
While no malicious use has been confirmed, the potential for abuse was significant.
In a preliminary report, SSL.com’s Rebecca Kelley acknowledged the flaw, attributing it to an “incorrect implementation” of validation logic.
The compromised DCV method has been temporarily disabled, and affected certificates were revoked within 24 hours of discovery.
Key actions:
Critics argue the incident underscores systemic risks in automated CA processes. “A single validation bug can compromise trust across the web,” said cybersecurity analyst Mika Chen.
SSL.com’s swift revocation limits immediate harm, but the incident highlights the fragile balance between automation and security in certificate issuance.