← SSL.com cases
Bugzilla #1961406
Certificate Problem Report
SSL.com: DCV bypass and issue fake certificates for any MX hostname
CLOSED
FIXED
SSL.com
AI Summary
SSL.com experienced a significant issue with its domain validation process, leading to the mis-issuance of eleven certificates due to an incorrect implementation of the Domain Control Validation (DCV) method. The bug allowed SSL.com to mistakenly verify domains based on the email domain of the approver rather than the actual domain being validated. Following the identification of the issue, SSL.com promptly disabled the affected validation method, revoked the mis-issued certificates, and implemented corrective measures, including enhanced testing protocols to prevent similar occurrences in the future. The incident was reported by a third party and has been addressed with a commitment to improve compliance and operational practices.
Chronology
- Initial bug report filed by a third party.
- Preliminary incident report released by SSL.com.
- Full incident report published detailing the bug and its impact.
- Report closure summary provided by SSL.com.
- SSL.com requests closure of the bug.
Participants
ragtime_knoll5n@icloud.com
rebeccak@ssl.com
arvid.vermote@globalsign.com
tjtncks@gmail.com
chrome-root-program@google.com
secauditor@ssl.com
External References
Similar Local Cases
SSL.com: CAA Empty set handling results in Wildcard issuance
SSL.com: "unknown" OCSP response for issued certificates
SSL.com: Incorrect Open MPIC Lambda implementation by EJBCA ACME Service
SSL.com: Issuance of 3 EV TLS certificates without 2-person validation of the organization information
SSL.com: Issuance of an EV TLS certificate with incorrect O Field Value
SSL.com: Issuance of 1 EV TLS certificate using a Registration/Incorporation Agency not included in our approved public list.
SSL.com: Failure to process CAA records from one SubCA
SSL.com: Insufficient validation evidence for the localityName attribute of an OV certificate