
Bug hunter tricked SSL.com into issuing cert for Alibaba Cloud domain in 5 steps


Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites.

With those certificates in hand, said fraudsters could set up more convincing malicious copies of those sites for things like credential phishing, or, if positioned on the network path, intercept and decrypt HTTPS traffic between those sites and their visitors.

And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba.

The hole appears to be as simple as this. As part of proving that you control a domain name – which is what lets you obtain a TLS certificate for that domain so that it can, for instance, serve encrypted HTTPS connections to visitors – SSL.com gives you the option of creating a _validation-contactemail DNS TXT record for the domain, with the value set to a contact email address.
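To make the mechanism concrete, here is an added example (not SSL.com's code, and not taken from the article) of how a CA-side validator locates a _validation-contactemail TXT record and, crucially, records which domain that record is allowed to authorize. The DNS data is a constructed in-memory zone rather than a live lookup, the caller is assumed to supply the registrable base domain (a real CA would derive it from the Public Suffix List), and the rule that a validated name also covers its subdomains is this example's own policy assumption. The point the code enforces is the one every DNS-contact method depends on: the mailbox named in the record is where the confirmation email goes, and the domain of that mailbox has no bearing on which domain gets validated.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample zone data standing in for a live resolver so the example
# runs offline. Keys are fully qualified TXT owner names, values are TXT strings.
SAMPLE_TXT_RECORDS = {
    "_validation-contactemail.example.org.": ["admin@example.org"],
    # Contact mailbox lives at a completely different domain: that is allowed,
    # and must not cause mail-provider.example to be treated as validated.
    "_validation-contactemail.shop.example.org.": ["hostmaster@mail-provider.example"],
}

LABEL = "_validation-contactemail"
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


@dataclass(frozen=True)
class DcvContact:
    validated_domain: str   # the ONLY name this record may authorize issuance for
    contact_email: str      # where the confirmation email is sent


def normalize(name: str) -> str:
    """Canonical owner-name form: lowercase, single trailing dot."""
    return name.rstrip(".").lower() + "."


def lookup_txt(owner: str, records=SAMPLE_TXT_RECORDS):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return records.get(normalize(owner), [])


def authorization_domain_names(fqdn: str, base_domain: str):
    """Candidate names at which the record may be placed, from the FQDN up to
    the registrable base domain (base_domain is assumed to come from the caller)."""
    fqdn = fqdn.rstrip(".").lower()
    base = base_domain.rstrip(".").lower()
    if not (fqdn == base or fqdn.endswith("." + base)):
        raise ValueError(f"{fqdn} is not under {base}")
    labels = fqdn.split(".")
    base_len = len(base.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


def find_dcv_contact(fqdn: str, base_domain: str,
                     records=SAMPLE_TXT_RECORDS) -> Optional[DcvContact]:
    """Walk from the FQDN toward the base domain looking for the contact record.

    The validated_domain recorded is the name the record was found under,
    never the domain part of the email address inside it."""
    for adn in authorization_domain_names(fqdn, base_domain):
        for value in lookup_txt(f"{LABEL}.{adn}", records):
            value = value.strip()
            if EMAIL_RE.match(value):
                return DcvContact(validated_domain=adn, contact_email=value)
    return None


def may_issue_for(contact: DcvContact, requested_name: str) -> bool:
    """Scope check applied at issuance time. Example policy assumption: a
    validated name covers itself and its subdomains. The contact mailbox's
    own domain is deliberately not consulted."""
    req = requested_name.rstrip(".").lower()
    v = contact.validated_domain
    return req == v or req.endswith("." + v)


if __name__ == "__main__":
    c = find_dcv_contact("www.shop.example.org", "example.org")
    print(c)
    print("www.shop.example.org:", may_issue_for(c, "www.shop.example.org"))
    print("mail-provider.example:", may_issue_for(c, "mail-provider.example"))
```

Against a real zone the same record is visible with `dig +short TXT _validation-contactemail.example.org`; whatever mailbox that returns, a correct validator hands the confirmation token to it and then marks only the queried name (and, under the policy above, names beneath it) as validated.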

Once that ...


Copyright of this story solely belongs to theregister.co.uk.