{"id":6171,"date":"2025-04-22T13:20:09","date_gmt":"2025-04-22T17:20:09","guid":{"rendered":"https:\/\/hostingdiscussion.com\/news\/?p=6171"},"modified":"2025-04-22T12:31:17","modified_gmt":"2025-04-22T16:31:17","slug":"bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains","status":"publish","type":"post","link":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/","title":{"rendered":"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains"},"content":{"rendered":"<article class=\"text-token-text-primary w-full\" dir=\"auto\" data-testid=\"conversation-turn-1078\" data-scroll-anchor=\"true\">\n<div class=\"text-base my-auto mx-auto py-5 [--thread-content-margin:--spacing(4)] @[37rem]:[--thread-content-margin:--spacing(6)] @[70rem]:[--thread-content-margin:--spacing(12)] px-(--thread-content-margin)\">\n<div class=\"[--thread-content-max-width:32rem] @[34rem]:[--thread-content-max-width:40rem] @[64rem]:[--thread-content-max-width:48rem] mx-auto flex max-w-(--thread-content-max-width) flex-1 text-base gap-4 md:gap-5 lg:gap-6 group\/turn-messages focus-visible:outline-hidden\" tabindex=\"-1\">\n<div class=\"group\/conversation-turn relative flex w-full min-w-0 flex-col agent-turn\">\n<div class=\"relative flex-col gap-1 md:gap-3\">\n<div class=\"flex max-w-full flex-col grow\">\n<div class=\"min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal [.text-message+&amp;]:mt-5\" dir=\"auto\" data-message-author-role=\"assistant\" data-message-id=\"6456c8c9-6013-4fb5-8ed9-88046c2dcb96\" data-message-model-slug=\"gpt-4o\">\n<div class=\"flex w-full flex-col gap-1 empty:hidden first:pt-[3px]\">\n<div class=\"markdown prose dark:prose-invert w-full break-words dark\">\n<p class=\"\" data-start=\"99\" data-end=\"478\"><span id=\"input-sentence~0\">A fundamental vulnerability in SSL.com&#8217;s domain 
validation process allowed attackers to get trusted TLS certificates for domains they didn&#8217;t own\u2014by simply exploiting an email-based loophole. One of the incorrectly issued certs was for Chinese technology giant Alibaba&#8217;s cloud service, aliyun.com, raising wider questions about certificate authority (CA) practices and digital trust.<\/span><span id=\"input-sentence~1\"><\/p>\n<p>Security researcher \u201cSec Reporter\u201d uncovered the issue and demonstrated how someone could trick SSL.com\u2019s system into verifying not just the requested domain but also the domain name tied to an email address listed in a DNS TXT record. In other words, if you had access to inbox@webmail.com, you could get SSL.com to validate and issue a certificate for webmail.com itself, even though you did not own that domain.<\/span><span id=\"input-sentence~2\"><\/p>\n<p>The error? SSL.com mistakenly treated the email address&#8217;s domain as a verified domain, bypassing a critical check in the validation sequence. The flaw effectively enabled any user with an active email account on a major service to impersonate that service with a valid certificate.<\/span><span id=\"input-sentence~3\"><\/p>\n<p>This vulnerability was not merely hypothetical. The researcher was able to successfully request certificates for aliyun.com and www.aliyun.com without any administrative control over them. Altogether, SSL.com revoked 11 certs issued under this defective process\u2014many belonging to companies in healthcare, tech, and e-commerce.<\/span><span id=\"input-sentence~4\"><\/p>\n<p>While SSL.com quickly shut off the buggy process and promised a full incident report by May, the breach of protocol reveals the weakness of the public key infrastructure. 
The affected validation method\u2014TXT record with email link confirmation\u2014had itself withstood criticism before.<\/span><span id=\"input-sentence~5\"> But this blunder illustrates how small implementation details can escalate into enormous vulnerabilities.<\/p>\n<p>The reality that a certificate authority could be manipulated into verifying domains it shouldn&#8217;t trust is raising hard questions: How many other CAs could have such weak spots?<\/span><span id=\"input-sentence~6\"> And how much damage could have gone unnoticed?<\/p>\n<p>For now, SSL.com says it&#8217;s prioritizing the incident. But the community will likely call for greater scrutiny and transparency across the certificate ecosystem, especially as digital identity continues to underpin the security of the modern internet.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>A fundamental vulnerability in SSL.com&#8217;s domain validation process allowed attackers to get trusted TLS certificates for domains they didn&#8217;t own\u2014by simply exploiting an email-based loophole. One of the incorrectly issued certs was for Chinese technology giant Alibaba&#8217;s cloud service, aliyun.com, raising wider questions about certificate authority (CA) practices and digital trust. 
Security researcher \u201cSec Reporter\u201d [&hellip;]<\/p>\n","protected":false},"author":20624,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[830,3591,93,904,3592,3593],"class_list":["post-6171","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-alibaba","tag-bug","tag-cloud","tag-domain","tag-ssl-com","tag-tls-certificates"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting News<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting News\" \/>\n<meta property=\"og:description\" content=\"A fundamental vulnerability in SSL.com&#8217;s domain validation process allowed attackers to get trusted TLS certificates for domains they didn&#8217;t own\u2014by simply exploiting an email-based loophole. One of the incorrectly issued certs was for Chinese technology giant Alibaba&#8217;s cloud service, aliyun.com, raising wider questions about certificate authority (CA) practices and digital trust. 
Security researcher \u201cSec Reporter\u201d [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/\" \/>\n<meta property=\"og:site_name\" content=\"Web Hosting News\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-22T17:20:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-22T16:31:17+00:00\" \/>\n<meta name=\"author\" content=\"Justine Juyad\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Justine Juyad\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/\",\"url\":\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/\",\"name\":\"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting 
News\",\"isPartOf\":{\"@id\":\"https:\/\/hostingdiscussion.com\/news\/#website\"},\"datePublished\":\"2025-04-22T17:20:09+00:00\",\"dateModified\":\"2025-04-22T16:31:17+00:00\",\"author\":{\"@id\":\"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/3a1732732b90f8c57c2a0ec68d3c49e3\"},\"breadcrumb\":{\"@id\":\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hostingdiscussion.com\/news\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hostingdiscussion.com\/news\/#website\",\"url\":\"https:\/\/hostingdiscussion.com\/news\/\",\"name\":\"Web Hosting News\",\"description\":\"Cloud and web hosting industry daily news\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hostingdiscussion.com\/news\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/3a1732732b90f8c57c2a0ec68d3c49e3\",\"name\":\"Justine 
Juyad\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/96df33d01870f85226adf8492251fbefe00bc349b10bb7679b094f3fa086999c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/96df33d01870f85226adf8492251fbefe00bc349b10bb7679b094f3fa086999c?s=96&d=mm&r=g\",\"caption\":\"Justine Juyad\"},\"description\":\"HostingDiscussion.com senior reporter\",\"sameAs\":[\"https:\/\/hostingdiscussion.com\/news\/\"],\"url\":\"https:\/\/hostingdiscussion.com\/news\/author\/justine-juyad\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting News","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/","og_locale":"en_US","og_type":"article","og_title":"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting News","og_description":"A fundamental vulnerability in SSL.com&#8217;s domain validation process allowed attackers to get trusted TLS certificates for domains they didn&#8217;t own\u2014by simply exploiting an email-based loophole. One of the incorrectly issued certs was for Chinese technology giant Alibaba&#8217;s cloud service, aliyun.com, raising wider questions about certificate authority (CA) practices and digital trust. 
Security researcher \u201cSec Reporter\u201d [&hellip;]","og_url":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/","og_site_name":"Web Hosting News","article_published_time":"2025-04-22T17:20:09+00:00","article_modified_time":"2025-04-22T16:31:17+00:00","author":"Justine Juyad","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Justine Juyad","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/","url":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/","name":"Bug in SSL.com\u2019s email verification let strangers claim certs for major domains - Web Hosting News","isPartOf":{"@id":"https:\/\/hostingdiscussion.com\/news\/#website"},"datePublished":"2025-04-22T17:20:09+00:00","dateModified":"2025-04-22T16:31:17+00:00","author":{"@id":"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/3a1732732b90f8c57c2a0ec68d3c49e3"},"breadcrumb":{"@id":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hostingdiscussion.com\/news\/bug-in-ssl-coms-email-verification-let-strangers-claim-certs-for-major-domains\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hostingdiscussion.com\/news\/"},{"@type":"ListItem","position":2,"name":"Bug in SSL.com\u2019s email verification let strangers claim certs for major 
domains"}]},{"@type":"WebSite","@id":"https:\/\/hostingdiscussion.com\/news\/#website","url":"https:\/\/hostingdiscussion.com\/news\/","name":"Web Hosting News","description":"Cloud and web hosting industry daily news","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hostingdiscussion.com\/news\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/3a1732732b90f8c57c2a0ec68d3c49e3","name":"Justine Juyad","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hostingdiscussion.com\/news\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/96df33d01870f85226adf8492251fbefe00bc349b10bb7679b094f3fa086999c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/96df33d01870f85226adf8492251fbefe00bc349b10bb7679b094f3fa086999c?s=96&d=mm&r=g","caption":"Justine Juyad"},"description":"HostingDiscussion.com senior 
reporter","sameAs":["https:\/\/hostingdiscussion.com\/news\/"],"url":"https:\/\/hostingdiscussion.com\/news\/author\/justine-juyad\/"}]}},"views":254,"_links":{"self":[{"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/posts\/6171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/users\/20624"}],"replies":[{"embeddable":true,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/comments?post=6171"}],"version-history":[{"count":1,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/posts\/6171\/revisions"}],"predecessor-version":[{"id":6172,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/posts\/6171\/revisions\/6172"}],"wp:attachment":[{"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/media?parent=6171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/categories?post=6171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hostingdiscussion.com\/news\/wp-json\/wp\/v2\/tags?post=6171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}