SSL.com is under fire after a researcher uncovered a serious flaw in its certificate issuance system—one that let them fraudulently obtain a digital certificate for aliyun.com, the official domain of Alibaba Cloud.
The vulnerability, tied to the Domain Control Validation (DCV) process, allowed nearly a dozen certificates to be wrongly issued for seven real domains. The researcher who discovered the bug exploited it to prove just how easy it was to bypass SSL.com’s safeguards.
At the core of the issue was the misuse of a specific DCV method, BR 3.2.2.4.14, which verifies domain ownership through an email contact published in a DNS TXT record. SSL.com's system mistakenly treated the domain of the requestor's email address as a verified domain, even though control of that domain had never been demonstrated.
To exploit the bug, the researcher created a DNS TXT record on a test domain containing an email address ending in @aliyun.com. They then used this email to request a certificate. When the DCV confirmation was sent, the researcher completed the process, tricking SSL.com into treating aliyun.com as a verified domain.
They later confirmed they had never controlled or managed the aliyun.com domain—or any associated administrative emails like [email protected] or [email protected].
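The bookkeeping error described above can be modelled in a few lines. This is an added example, not SSL.com's code: it contrasts the flawed rule with the correct one and re-checks a constructed issuance log against the correct rule. All names, the reserved .example domains, and the assumption that the flawed system credited both the test domain and the email's domain are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Validation:
    queried_domain: str  # domain whose DNS TXT contact record the CA looked up
    contact_email: str   # address published in that TXT record
    confirmed: bool      # random value mailed to contact_email came back

def norm(name: str) -> str:
    return name.strip().lower().rstrip(".")

def email_host(address: str) -> str:
    local, at, host = address.rpartition("@")
    if not (local and at and host):
        raise ValueError(f"not an email address: {address!r}")
    return norm(host)

def verified_flawed(v: Validation) -> set[str]:
    # Modelled bug: the mailbox's host is credited as if it had been validated.
    return {norm(v.queried_domain), email_host(v.contact_email)} if v.confirmed else set()

def verified_correct(v: Validation) -> set[str]:
    # Only the domain that published the TXT record has proven anything.
    return {norm(v.queried_domain)} if v.confirmed else set()

def covered(name: str, verified: set[str]) -> bool:
    # Covered means equal to a verified domain or below it, matched on a
    # label boundary so "xcloud.example" is not treated as "cloud.example".
    host = norm(name).removeprefix("*.")
    return any(host == d or host.endswith("." + d) for d in verified)

def audit(issued: list[tuple[Validation, list[str]]]) -> list[str]:
    # Re-check past issuances: return every name not backed by correct DCV.
    return [n for v, names in issued for n in names
            if not covered(n, verified_correct(v))]

# Constructed sample data (reserved .example names, not from the incident).
SAMPLE = Validation("requester-test.example", "admin@cloud-provider.example", True)
ISSUED = [
    (SAMPLE, ["requester-test.example", "*.requester-test.example"]),
    (SAMPLE, ["cloud-provider.example", "www.cloud-provider.example"]),
]

if __name__ == "__main__":
    print("flawed :", sorted(verified_flawed(SAMPLE)))
    print("correct:", sorted(verified_correct(SAMPLE)))
    print("misissued:", audit(ISSUED))
```

The audit step is the part a CA or relying party can reuse: any certificate name that the correct rule does not cover is a candidate for revocation.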
SSL.com quickly responded by disabling the faulty DCV method. The company confirmed the flaw led to several misissued certificates and stated all were revoked once the issue was identified.
The full list of affected domains includes:
- aliyun.com, www.aliyun.com
- *.medinet.ca
- help.gurusoft.com.sg
- banners.betvictor.com
- production-boomi.3day.com
- kisales.com
- medc.kisales.com
SSL.com said the problem didn’t impact systems tied to Entrust, another certificate authority that shares some infrastructure. Still, the incident raises fresh concerns about trust in public certificate authorities and the security of DCV methods widely used across the web.
The company promised to maintain transparency as it finishes its internal investigation and full root cause analysis.