
Critical SSL.com Vulnerability Allowed Unauthorized Certificates

A serious vulnerability was discovered in April 2025 at SSL.com, a Certificate Authority (CA) trusted by all major browsers. If you’re responsible for managing SSL certificates for your infrastructure, this is something you need to be aware of.

Critical DCV Bypass for MX Hostnames

SSL.com had a flaw in its Domain Control Validation (DCV) process. DCV is the set of checks a CA must perform before issuing a certificate to verify that whoever is requesting it actually controls the domain named in it. The CA/Browser Forum Baseline Requirements allow several DCV methods; one family of them sends an email containing a random value to a contact address associated with the domain and treats a reply (or a click on the link) as proof of control.

In this case, one of SSL.com’s email-based validation methods credited the wrong domain. When the validation email was delivered to a contact mailbox, SSL.com recorded the domain part of that email address (the domain whose MX servers received the mail) as validated, in addition to the domain for which validation had actually been requested. An attacker who could receive email at any mailbox on an organization’s domain, even an ordinary employee address rather than admin@ or hostmaster@, could therefore obtain a valid SSL cert for that whole domain.

In principle this means a cert for a large enterprise’s domain was obtainable by anyone holding a mailbox there, and a cert for a webmail provider’s domain by anyone with a free account on that service, with no control over the domain’s DNS or web servers at all.
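To make the bug class concrete, here is a toy model of the validation logic described above, as an added example that is not SSL.com’s code and does not reproduce their implementation. It models the "Email to DNS TXT Contact" style of DCV, where a domain publishes its approver address in a TXT record (the `_validation-contactemail` label follows the Baseline Requirements), and contrasts a validator that credits the mailbox’s domain with one that only credits the domain that published the contact. The domains, records and the attacker’s mailbox are all constructed.

```python
"""Toy model of the DCV bug class: crediting the approver mailbox's domain.
Not SSL.com's code; all names and records below are constructed."""

# Constructed DNS answers. A domain publishes its approver address at
# _validation-contactemail.<domain>. The attacker controls evil.example's zone
# and points its contact at an ordinary employee mailbox on victim.example.
TXT_RECORDS = {
    "_validation-contactemail.evil.example": "alice@victim.example",
    "_validation-contactemail.victim.example": "hostmaster@victim.example",
}


def lookup_contact(domain):
    """Return the approver address published in the domain's zone, if any."""
    return TXT_RECORDS.get(f"_validation-contactemail.{domain}")


def mailbox_domain(email):
    """Domain part of an email address, i.e. the domain whose MX receives it."""
    return email.rsplit("@", 1)[1].lower()


def dcv_vulnerable(requested_domain, email_confirmed):
    """Buggy validator: also credits the mailbox's domain, which nothing proved."""
    contact = lookup_contact(requested_domain)
    if contact is None or not email_confirmed(contact):
        return set()
    # BUG: receiving mail at alice@victim.example says nothing about control of
    # victim.example's zone; only requested_domain published the contact.
    return {requested_domain, mailbox_domain(contact)}


def dcv_fixed(requested_domain, email_confirmed):
    """Correct validator: the TXT record proves control of requested_domain only."""
    contact = lookup_contact(requested_domain)
    if contact is None or not email_confirmed(contact):
        return set()
    return {requested_domain}


def can_issue(validated_domains, san):
    """A SAN is issuable only if it equals, or is a subdomain of, a validated domain."""
    san = san.lower()
    return any(san == d or san.endswith("." + d) for d in validated_domains)


def attacker_can_read(address):
    """The attacker holds one employee mailbox on the victim domain, nothing more."""
    return address == "alice@victim.example"


def demo():
    """Compare what each validator lets the attacker obtain for the victim."""
    vuln = dcv_vulnerable("evil.example", attacker_can_read)
    fixed = dcv_fixed("evil.example", attacker_can_read)
    return {
        "vulnerable_issues_victim": can_issue(vuln, "www.victim.example"),
        "fixed_issues_victim": can_issue(fixed, "www.victim.example"),
        "fixed_issues_own": can_issue(fixed, "evil.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The invariant the fixed version enforces is the one every DCV method must satisfy: the set of domains marked as validated is derived from the resource the requester demonstrably controls (here, the TXT record in the requested zone), never from incidental attributes of the channel, such as where the approver’s mailbox happens to be hosted.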

SSL.com acknowledged the report and published a preliminary incident report confirming the issue. In addition to the test certificate issued to the security researcher, SSL.com identified 10 further certificates that had been mis-issued in the same way and revoked them, though it has not published a list of them. A full analysis is promised before May 2, 2025.

Why Certificate Authorities Matter

SSL certificates don’t just encrypt connections to websites; they also assert the identity of the organization behind them. The CA is responsible for ensuring that whoever requests a certificate is entitled to receive it. If an attacker can get a certificate for your domain:

  • They could impersonate your websites.
  • They could intercept traffic using man-in-the-middle (MITM) attacks.
  • They could distribute malware or phishing sites that look fully legitimate.

Worse, because such a certificate is fully valid and trusted by browsers, users get no warning at all. Your certificate is only as trustworthy as the CA that issued it.

Who This SSL.com Vulnerability Affects

  • Organizations with publicly accessible email addresses (especially at large enterprises).
  • Any domain that does not carefully control who can receive email at it.
  • Domains without CAA (Certification Authority Authorization) DNS records to restrict which CAs are allowed to issue certificates for them.

Why It Matters for SSL Certificate Managers

Even though this specific flaw was at SSL.com and has reportedly been fixed, the lessons are much broader:

  • Use CAA records to specify which CAs are allowed to issue certificates for your domains. This limits exposure to mistakes at CAs you have not authorized; a CAA record cannot protect you from a bug inside a CA that is on your allow list, so keep that list short.
  • Monitor Certificate Transparency (CT) logs to spot unexpected certificates issued for your domains. Browsers require publicly trusted certificates to be logged, so a mis-issued certificate will appear there whether or not the CA tells you.
  • Review your email security to prevent attackers from hijacking inboxes tied to important domains, and remember that with a flaw like this one any mailbox on the domain counted, not only the administrative ones.

Can Certificate Revocation Help?

Certificate revocation is the CA’s tool for withdrawing trust from a certificate it should not have issued. A revoked certificate is listed in the CA’s Certificate Revocation List (CRL) and reported as revoked by its Online Certificate Status Protocol (OCSP) responder, so a client that checks either source should refuse it. In practice, revocation is a weak backstop. Most browsers do not query OCSP at all, or treat a failed lookup as "not revoked" (soft fail), and instead rely on their own curated lists of revoked certificates, which can lag behind the CA’s CRL; many non-browser TLS clients check nothing. Revocation is therefore worth insisting on (and the CA is obliged to revoke mis-issued certificates), but it should be one part of a broader strategy of CAA records, CT monitoring and auditing, so that a rogue certificate for your domain is found quickly in the first place.

What You Should Do

  1. Set up CAA DNS records for all your domains.
  2. Monitor Certificate Transparency (CT) logs for unauthorized certificates.
  3. Audit email accounts associated with your domain, especially the constructed addresses CAs may use for validation (admin@, administrator@, webmaster@, hostmaster@, postmaster@) as well as individual employee mailboxes.
  4. Stay updated with vulnerabilities from your CAs and carefully consider which you trust.
  5. Utilize a service like TrackSSL to monitor your certificates and identify issues.
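The CAA and CT-monitoring steps above, worked through as an added example that is not part of the original post or of TrackSSL’s tooling. The first half implements the CAA lookup rules from RFC 8659 (walk from the name towards the root and use the first CAA RRset found; `issuewild` overrides `issue` for wildcard names; an empty issuer, written as `";"`, forbids everyone) over a constructed zone excerpt in BIND presentation format. The second half runs that policy over constructed CT log entries, reduced to issuer and SAN list, and flags certificates whose issuer your CAA policy would not have permitted. The zone, the CT entries and the mapping of issuers to CAA domain names are all assumptions for the example.

```python
"""CAA policy evaluation (RFC 8659 tree walk) plus CT-log triage against it.
Added example; the zone data and CT entries below are constructed, not real."""
import re

# Constructed zone excerpt in BIND presentation format. "issue ";"" forbids all
# issuance; issuewild, when present, governs wildcard names instead of issue.
ZONE = """
example.com.         IN CAA 0 issue "letsencrypt.org"
example.com.         IN CAA 0 issue "digicert.com"
example.com.         IN CAA 0 issuewild ";"
example.com.         IN CAA 0 iodef "mailto:security@example.com"
locked.example.com.  IN CAA 0 issue ";"
"""

CAA_RE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')


def parse_zone(text):
    """Return {owner_name: [(flags, tag, value), ...]} for the CAA lines in text."""
    records = {}
    for line in text.strip().splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        owner, flags, tag, value = m.groups()
        records.setdefault(owner.rstrip(".").lower(), []).append(
            (int(flags), tag.lower(), value))
    return records


def relevant_caa(records, fqdn):
    """RFC 8659 section 3: walk from fqdn towards the root and use the first
    name that has a CAA RRset. (A real resolver must also follow CNAMEs.)"""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if records.get(name):
            return name, records[name]
    return None, []


def issuance_allowed(records, fqdn, ca_domain):
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa(records, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # e.g. only iodef present: no restriction on issuance
    for v in values:
        issuer = v.split(";", 1)[0].strip().lower()  # drop "; key=value" params
        if issuer and issuer == ca_domain.lower():
            return True
    return False


# Constructed CT entries, reduced to the two fields that matter here. Real log
# entries carry a full (pre)certificate; the issuer would be mapped from its
# DN to the CAA domain name the CA publishes.
CT_ENTRIES = [
    {"issuer": "letsencrypt.org", "sans": ["example.com", "www.example.com"]},
    {"issuer": "ssl.com",         "sans": ["mail.example.com"]},
    {"issuer": "digicert.com",    "sans": ["*.example.com"]},
    {"issuer": "letsencrypt.org", "sans": ["unrelated.org"]},
]


def triage_ct(records, entries, watched):
    """Return (san, issuer) pairs for watched names whose issuer CAA would not permit."""
    findings = []
    for entry in entries:
        for san in entry["sans"]:
            base = san[2:] if san.startswith("*.") else san
            if not any(base == w or base.endswith("." + w) for w in watched):
                continue  # not one of our domains
            if not issuance_allowed(records, san, entry["issuer"]):
                findings.append((san, entry["issuer"]))
    return findings


if __name__ == "__main__":
    caa = parse_zone(ZONE)
    for hit in triage_ct(caa, CT_ENTRIES, ["example.com"]):
        print("unexpected certificate: %s issued by %s" % hit)
```

Against live DNS you would feed `parse_zone` the output of `dig CAA example.com` rather than a string literal, and replace the constructed `CT_ENTRIES` with entries pulled from a CT log or a search service. Note that the triage only catches certificates from CAs outside your CAA allow list; a certificate mis-issued by a CA you do authorize, as in the SSL.com case, can only be caught by comparing CT entries against the certificates you actually requested.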

Final Thoughts

SSL certificates are critical for online trust, but they rely on complex systems that sometimes fail. While SSL.com’s bug was specific and has been fixed, it’s a reminder that proactive security measures are essential. TrackSSL is working on adding new monitoring options that help you discover errors and vulnerabilities like this. Interested in trying them out? Reach out to us!

For further reading, check out the original reported issue.