“Recently, we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules certificates with an issue in their domain validation must be revoked within 24 hours, without exception,” said DigiCert in a statement.
The DigiCert incident
The mass revocation stems from a bug in DigiCert’s Domain Control Validation (DCV) process: an underscore was missing from the DNS CNAME entry, an important component in verifying domain ownership. Due to the oversight, the certificates were issued without validation, undermining their credibility.
Domain validation is a basic step in issuing SSL/TLS certificates: it ensures the legitimacy of the entity requesting the certificate. Failure to validate domain ownership can be a security hazard. This includes man-in-the-middle a
[…]