https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

Bug 1961406 (Open, Status: UNCONFIRMED) - Opened 1 day ago, Updated 1 hour ago
Summary: SSL.com: DCV bypass and issue fake certificates for any MX hostname
Product: CA Program (Issues related to the Certificate Authority Program)
Component: CA Certificate Compliance (Problems found in certificates issued by Certificate Authorities, including auditor compliance, included in the default certificate store)
Type: defect
Version: other
Platform: Unspecified
Priority: Not set
Severity: --
Reporter: ragtime_knoll5n
Assignee: Unassigned
Triage Owner: bwilson
CC: 12 people
Security: public (This bug is publicly visible.)

Description (Reporter, 1 day ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0

Steps to reproduce:

SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver's email address as a verified domain, which is completely erroneous.

Steps to reproduce:
* Navigate to https://dcv-inspector.com and click "Start Test". You will be redirected to a URL such as https://dcv-inspector.com/test/d2b4eee07de5efcb8598f0586cbf2690.
* Create a TXT record for the domain _validation-contactemail.d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com with the value myusername@aliyun.com. Here, aliyun.com is both a cloud provider and an email provider, similar to @Yahoo.com, @Gmail.com, or @iCloud.com.
* Visit SSL.com and request a certificate for the domain d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com. Then, select myusername@aliyun.com from the email approvers list.
* Log in to myusername@aliyun.com, retrieve the email that contains the DCV random value, and finalize the DCV validation process.
* SSL.com will add the domain name of the email address (the part after the @, in this case aliyun.com) to your list of verified domains.
* To obtain certificates for aliyun.com and www.aliyun.com, initiate the certificate request. SSL.com will then issue certificates for both aliyun.com and www.aliyun.com.

Affected Certificates
* https://crt.sh/?id=17926238129

Actual results:
SSL.com verified and issued aliyun.com. I'm not the administrator, admin, hostmaster, postmaster, or webmaster of aliyun.com, and also, _validation-contactemail with the value of my email is never configured for aliyun.com. So, this is wrong.

Expected results:
Don't list the email domain in the verified domains.

Reporter, Updated 1 day ago
Summary: SSL.com: DCV bypass and issue certificates for any MX hostname -> SSL.com: DCV bypass and issue fake certificates for any MX hostname

Rebecca Kelley, Comment 1, 1 day ago
SSL.com acknowledges this bug report and we are investigating further.

Rebecca Kelley, Comment 2, 23 hours ago
Out of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL/TLS certificates while we investigate. We will provide a preliminary report on or before 2025-04-21.
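Added here as an illustration of the scoping point the report turns on; this is not SSL.com's code and is not from the bug itself. It models the Email to DNS TXT Contact check with a constructed in-memory zone in place of real DNS, and a completed challenge validates only the FQDN whose _validation-contactemail record was consulted, so the approver mailbox's own domain never enters the validated set. The function names and the simplified scoping (exact-match SANs only, no parent or wildcard handling) are assumptions.

```python
"""Model of the BR 3.2.2.4.14 (Email to DNS TXT Contact) check.
Illustrative code, not a CA's implementation; DNS is a constructed dict."""
import re
import secrets

# Constructed zone: the only record is the one the report describes.
ZONE_TXT = {
    "_validation-contactemail.d2b4eee07de5efcb8598f0586cbf2690.test.dcv-inspector.com":
        "myusername@aliyun.com",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def contact_email_for(fqdn, zone=ZONE_TXT):
    """Return the TXT contact for fqdn, or None if absent or not an email address."""
    value = zone.get(f"_validation-contactemail.{fqdn}")
    if value is None or not EMAIL_RE.match(value):
        return None
    return value


def start_validation(fqdn, chosen_approver, zone=ZONE_TXT):
    """Step 1: generate a Random Value to send ONLY to the TXT contact.
    Returns None if the applicant's chosen approver is not exactly that contact."""
    contact = contact_email_for(fqdn, zone)
    if contact is None or contact.lower() != chosen_approver.lower():
        return None
    return {"fqdn": fqdn, "contact": contact, "random_value": secrets.token_hex(16)}


def complete_validation(challenge, returned_value):
    """Step 2: on a matching Random Value, return the names this DCV proves.
    The proof covers the FQDN whose TXT record was consulted, never the
    mailbox's domain: control of a mailbox at aliyun.com says nothing about
    aliyun.com itself."""
    if not secrets.compare_digest(challenge["random_value"], returned_value):
        return set()
    return {challenge["fqdn"]}


def issuance_allowed(san, validated):
    """A SAN may be issued only if it is exactly one of the validated FQDNs
    (simplification: BR parent-domain and wildcard scoping is not modelled)."""
    return san.lower() in {v.lower() for v in validated}
```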