
Fake Certificate Issued for Alibaba Cloud After SSL.com Validation Trick


A critical vulnerability in SSL.com’s domain validation process allowed unauthorized parties to fraudulently obtain TLS certificates for high-profile domains, including Alibaba Cloud’s aliyun.com, researchers revealed this week.

The certificate authority (CA) has since revoked 11 improperly issued certificates, raising concerns about trust in automated validation systems.

How Domain Validation Was Exploited

According to a Mozilla report, SSL.com’s Domain Control Validation (DCV) system, designed to verify ownership of a domain before issuing certificates, contained a loophole in its “Email to DNS TXT Contact” method (BR 3.2.2.4.14). Attackers could trick the system by:


  1. Creating a DNS TXT record for a subdomain (e.g., _validation-contactemail.[random].test.dcv-inspector.com) with an email address from a target domain (e.g., user@aliyun.com).
  2. Requesting a certificate for the subdomain, triggering a validation email to the provided address.
  3. Completing validation, which erroneously marked aliyun.com ...
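
The scoping rule behind the steps above, as an added example that is not SSL.com's code or part of the original story: a `_validation-contactemail` TXT record proves control only of the domain that published it, and the contact address is just a delivery channel. It assumes the flaw was that the domain of the contact address was recorded as validated; all function names and the placeholder domains are constructed.

```python
# Added example, not SSL.com's code. All names and sample values are constructed.
PREFIX = "_validation-contactemail."

def authorized_domain(txt_record_name):
    """Domain a BR 3.2.2.4.14 TXT record speaks for: the name minus the prefix."""
    name = txt_record_name.rstrip(".").lower()
    if not name.startswith(PREFIX):
        raise ValueError("not a _validation-contactemail record")
    return name[len(PREFIX):]

def covers(validated, fqdn):
    """True if fqdn is the validated domain or a label-aligned subdomain of it."""
    fqdn = fqdn.rstrip(".").lower()
    return fqdn == validated or fqdn.endswith("." + validated)

def flawed_scope(txt_record_name, contact_email):
    # Assumed flaw: the domain of the contact address is recorded as validated.
    return contact_email.rsplit("@", 1)[1].lower()

def correct_scope(txt_record_name, contact_email):
    # The address is only a delivery channel; control is proven for the
    # domain that published the TXT record and nothing else.
    return authorized_domain(txt_record_name)

def audit(validation_log):
    """Return log entries whose validated domain is outside the TXT record's scope."""
    return [e for e in validation_log
            if not covers(authorized_domain(e["txt_record"]), e["validated"])]

# Constructed sample data (placeholder domains).
RECORD = "_validation-contactemail.sub.requester.example"
EMAIL = "user@target.example"
LOG = [
    {"txt_record": RECORD, "validated": flawed_scope(RECORD, EMAIL)},
    {"txt_record": RECORD, "validated": correct_scope(RECORD, EMAIL)},
]

if __name__ == "__main__":
    for entry in audit(LOG):
        print("mis-scoped validation:", entry)
```

Running `audit` over stored validation records is a way for a CA to find past issuances whose validated domain does not sit under the name that actually hosted the TXT record.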

Copyright of this story solely belongs to gbhackers.