A fundamental vulnerability in SSL.com’s domain validation process allowed attackers to get trusted TLS certificates for domains they didn’t own—by simply exploiting an email-based loophole. One of the incorrectly issued certs was for Chinese technology giant Alibaba’s cloud service, aliyun.com, raising wider questions about certificate authority (CA) practices and digital trust.
Security researcher “Sec Reporter” uncovered the issue and demonstrated how someone could trick SSL.com’s system into verifying not just the requested domain—but also the domain name tied to an email address listed in a DNS TXT record. In other words, if you had access to inbox@webmail.com, you could get SSL.com to validate and issue a certificate for webmail.com itself, regardless of your actual ownership.
The error? SSL.com mistakenly recorded the domain of the contact email address as a validated domain, bypassing a critical check in the validation sequence. The flaw effectively enabled anyone with an active mailbox on a major email service to obtain a valid certificate for that service's own domain.
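To make the logic flaw concrete, here is an added Python model of the CA's approval step (a constructed example, not SSL.com's code). The DNS lookup is a stubbed dictionary, and the `_validation-contactemail` label, the domain names and the mailbox addresses are assumptions; the buggy and fixed variants differ only in which domains they mark as validated.

```python
from typing import Optional, Set, List

# Constructed DNS data standing in for a live TXT lookup, so this runs offline.
# The applicant for example.com has published a contact mailbox hosted elsewhere.
FAKE_DNS_TXT = {
    "_validation-contactemail.example.com": "ops@webmail.example",
}


def lookup_contact_email(domain: str) -> Optional[str]:
    """Return the contact address published in the requested domain's TXT record."""
    return FAKE_DNS_TXT.get(f"_validation-contactemail.{domain.lower()}")


def email_domain(address: str) -> str:
    """Domain part of a mailbox address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def approve_buggy(requested: str, confirmed_by: str) -> Set[str]:
    """Reproduces the flaw described above: after the link is confirmed, the
    mailbox's own domain is recorded as validated next to the requested one."""
    contact = lookup_contact_email(requested)
    if contact is None or confirmed_by.lower() != contact.lower():
        return set()
    return {requested.lower(), email_domain(confirmed_by)}  # the extra entry is the bug


def approve_fixed(requested: str, confirmed_by: str) -> Set[str]:
    """A completed check proves control of `requested` only, and only when the
    confirming mailbox is exactly the one that domain's TXT record named."""
    contact = lookup_contact_email(requested)
    if contact is None or confirmed_by.lower() != contact.lower():
        return set()
    return {requested.lower()}


def may_issue(validated: Set[str], names: List[str]) -> bool:
    """Issuance gate: every name on the order must be covered by a validation."""
    return bool(names) and all(n.lower() in validated for n in names)


if __name__ == "__main__":
    order = ["webmail.example", "www.webmail.example"]
    print("buggy:", approve_buggy("example.com", "ops@webmail.example"))
    print("fixed:", approve_fixed("example.com", "ops@webmail.example"))
    print("fixed gate for", order, "->",
          may_issue(approve_fixed("example.com", "ops@webmail.example"), order))
```

With the buggy variant the mailbox's host domain passes the issuance gate even though nobody on the order controls it; with the fixed variant only the requested domain does.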
This vulnerability was not merely hypothetical. The researcher was able to obtain certificates for aliyun.com and www.aliyun.com without any administrative control over the domain. Altogether, SSL.com revoked 11 certs issued under this defective process—many belonging to companies in healthcare, tech, and e-commerce.
While SSL.com quickly disabled the buggy process and promised a full incident report by May, the lapse exposes how brittle the public key infrastructure can be. The validation method involved—a DNS TXT record combined with email link confirmation—had itself withstood criticism before. But this blunder illustrates how small implementation details can escalate into enormous vulnerabilities.
The reality that a certificate authority could be manipulated into verifying domains it shouldn’t trust is raising hard questions: How many other CAs could have such weak spots? And how much damage could have gone unnoticed?
For now, SSL.com says it’s prioritizing the incident. But the community will likely call for greater scrutiny and transparency across the certificate ecosystem, especially as digital identity continues to underpin the security of the modern internet.