Photo credit: www.csoonline.com

SSL.com Investigates Security Flaw Leading to Certificate Mis-Issuance

Rebecca Kelly, technical project manager at SSL.com, confirmed the company’s awareness of a significant bug concerning their certificate issuance process. In response to potential security vulnerabilities, the company has taken proactive measures, stating, “Out of an abundance of caution, we have disabled domain validation method 3.2.2.4.14 that was utilized in the bug report for all SSL/TLS certificates while we investigate.” This step reflects SSL.com’s commitment to maintaining the integrity of their certification processes.

A preliminary report linked to the incident highlights that SSL.com erroneously issued 10 certificates using the compromised method, all of which have since been revoked. Kelly noted that, apart from one specific case, investigations revealed that the other mis-issued certificates were non-fraudulent in nature. This indicates that while the process was flawed, it did not lead to any intentional misuse.

As the situation develops, CSO has reached out to SSL.com to gain insights concerning the status of the remaining mis-issued certificate. Meanwhile, it is crucial for major online platforms, including email and cloud service providers, to meticulously review the complete list of affected certificates. This precaution will help ensure heightened security and avoid potential vulnerabilities during the ongoing investigation.

Source
www.csoonline.com