“SSL.com acknowledges this bug report and we are investigating further,” Rebecca Kelly, technical project manager at SSL.com, commented on the demonstration, quickly following with, “Out of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was used in the bug report for all SSL/TLS certificates while we investigate.”
In a preliminary incident report attached in the comment section of the demonstration, SSL.com revealed that a total of 10 certificates had been mis-issued using the faulty method and were consequently revoked. Upon investigation, all but one of these improperly issued certificates were found to be non-fraudulent mis-issuances, Kelly added.
While CSO awaits a response from SSL.com on the status of the one mis-issued certificate still not in the clear, major websites, including email and cloud providers, are advised to cross-check the entire list of mis-issued certificates as an extra precaution.