{"id":3485,"date":"2025-04-25T11:50:52","date_gmt":"2025-04-25T11:50:52","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3485"},"modified":"2025-05-26T11:22:42","modified_gmt":"2025-05-26T11:22:42","slug":"unauthorized-certificates-issued-for-alibaba-cloud-due-to-ssl-com-ca-flaw","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/unauthorized-certificates-issued-for-alibaba-cloud-due-to-ssl-com-ca-flaw\/","title":{"rendered":"Unauthorized Certificates Issued for Alibaba Cloud Due to SSL.com CA Flaw"},"content":{"rendered":"\n

<\/a>A critical vulnerability in the SSL.com domain validation process allowed unauthorized parties to get the certificates on behalf of you or your organisation. SSL.com is one of the famous Certificate Authorities (CA) trusted by all major browsers.<\/p>\n\n\n\n

This Vulnerability is reported by security researchers<\/a>; in their demonstration, they showed how an attacker can misuse it to get a fraudulent certificate. He did a POC<\/a> (proof of concept) of this bug on aliyun.com, the official website for Alibaba Cloud, one of the largest cloud companies.<\/p>\n\n\n\n

Understanding the POC<\/h2>\n\n\n\n

\u201cSSL.com totally messed up their domain validation checks,\u201d the researcher explained. They used a method called Email to DNS TXT Contact, but here\u2019s the problem. They ended up trusting the wrong part of the domain; just because an email showed up, they assumed the whole domain was legit. <\/p>\n\n\n\n

Big mistake. That\u2019s not how validation is supposed to work. And it opened the door for attackers to sneak in and get trusted certificates they never should\u2019ve had.<\/p>\n\n\n\n

The researcher figured out a loophole in how SSL.com validates domain ownership using a method called DCV (Domain Control Validation). This method uses email-based validation tied to DNS records. So here\u2019s what the researcher did. <\/p>\n\n\n\n

Also Read:<\/strong> The End of WHOIS-Based DCV Methods: What You Need to Know and How to Transition<\/a><\/p>\n\n\n\n

Created a test domain, something harmless, under their control. Added a special DNS TXT record to it: _validation-contactemail with an @aliyun.com email address.<\/p>\n\n\n\n

Wait\u2026 what? Yes, they were using a test domain, but they added an email address from aliyun.com (Alibaba Cloud\u2019s official domain) inside the DNS record. The researcher went to SSL.com and requested a certificate for their test domain. <\/p>\n\n\n\n

During the process, SSL.com offered a list of email approvers. Guess what was on the list? Their @aliyun.com email! SSL.com sent a verification code (the DCV random value) to that email. The researcher clicked the link. Done. Validation complete.<\/p>\n\n\n\n

Also Read:<\/strong> DigiCert Elevates Industry Standards with New Open-Source DCV Library<\/a><\/p>\n\n\n\n

SSL.com mistakenly thought the researcher had verified ownership of aliyun.com, just because the email address used had that domain. They automatically added aliyun.com to the researcher\u2019s list of verified domains. <\/p>\n\n\n\n

With that, the researcher was now able to issue real, trusted SSL certificates for:<\/strong><\/p>\n\n\n\n