Initial Publication Date: 4 Feb 2016
Advisory Status: Closed
Advisory Severity: Medium
CVSS Base Score: 5.8
Symantec's domain-validated (DV) SSL/TLS certificate issuance system (used for brands such as RapidSSL and QuickSSL) did not properly handle special characters in an email address when verifying a domain owner through email addresses found in WHOIS records. This could have potentially resulted in the issuance of a DV certificate for possible fraudulent use.
Symantec DV Certificate Issuance System Improperly Handled Domain Email Address Special Characters
DV certificates require the lowest level of authentication to validate an SSL/TLS certificate order. Certificate Authorities (CAs) issue DV certificates after a WHOIS record lookup; an approval email is then sent to the registrant email address found in that record.
Symantec's DV SSL/TLS certificate issuance system did not properly handle special characters that are permitted, but not commonly used, in email addresses found in WHOIS records. This could have potentially allowed an individual to use an otherwise legitimate domain name to fraudulently obtain a valid DV SSL/TLS certificate. Such a valid DV certificate could then have been used, for example, to lend apparent authenticity to a malicious phishing site.
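As an added, illustrative example (not Symantec's code and not the fix that Symantec deployed), the following Python shows the conservative approach a DV validation pipeline can take with WHOIS contact addresses: a parser that accepts only a plain `local@domain` built from a small allow-list and refuses anything carrying RFC 5322 structure (display names, comments, quoted local parts, address lists), so the approval mail goes either to exactly the mailbox that appears in WHOIS or to one of the constructed mailboxes the CA/Browser Forum Baseline Requirements permit, never to an address the mailer had to interpret. The function names, the allow-lists and the sample WHOIS values are all assumptions constructed here.

```python
import re
from typing import Optional

# Characters that give an RFC 5322 address structure (display names, comments,
# quoted local parts, address lists, folding whitespace). A DV approval address
# taken from WHOIS should never contain them; if it does, refuse to use it
# rather than try to interpret it.
STRUCTURAL_CHARS = set('"()<>,;:\\[] \t\r\n')

# Conservative allow-lists: deliberately smaller than what RFC 5322 permits.
# Non-ASCII (IDN / EAI) addresses are refused rather than handled.
LOCAL_PART = re.compile(r"[A-Za-z0-9_+-]+(\.[A-Za-z0-9_+-]+)*")
DNS_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed mailboxes the CA/Browser Forum Baseline Requirements allow a CA
# to use for DV email validation, in addition to the WHOIS contact address.
BR_CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster",
                              "hostmaster", "postmaster")


class UnsafeWhoisEmail(ValueError):
    """The WHOIS value cannot be safely used as a single, unambiguous mailbox."""


def canonical_approval_address(whois_value: str) -> str:
    """Return the one mailbox the approval mail may go to, or raise.

    Only surrounding whitespace is tolerated; the rest must already be a plain
    `local@domain` built from the allow-lists above. The domain is lower-cased
    and a trailing dot dropped; the local part is kept as-is (case-sensitive).
    """
    raw = whois_value.strip()
    bad = sorted(set(raw) & STRUCTURAL_CHARS)
    if bad:
        raise UnsafeWhoisEmail(f"structural characters present: {bad}")
    if raw.count("@") != 1:
        raise UnsafeWhoisEmail("expected exactly one '@'")
    local, domain = raw.split("@")
    if not (0 < len(local) <= 64) or not LOCAL_PART.fullmatch(local):
        raise UnsafeWhoisEmail(f"local part outside allow-list: {local!r}")
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(DNS_LABEL.fullmatch(lbl) for lbl in labels):
        raise UnsafeWhoisEmail(f"domain is not a plain hostname: {domain!r}")
    return f"{local}@{'.'.join(labels)}"


def is_safe_whois_email(whois_value: str) -> bool:
    """Predicate form of canonical_approval_address()."""
    try:
        canonical_approval_address(whois_value)
        return True
    except UnsafeWhoisEmail:
        return False


def approval_addresses(domain: str, whois_value: Optional[str]) -> list:
    """List the mailboxes a DV approval mail may be sent to for `domain`.

    The BR constructed addresses are always offered; the WHOIS contact is
    added only if it passes the strict parser, and is never duplicated.
    """
    domain = domain.strip().lower().rstrip(".")
    out = [f"{lp}@{domain}" for lp in BR_CONSTRUCTED_LOCAL_PARTS]
    if whois_value is not None and is_safe_whois_email(whois_value):
        addr = canonical_approval_address(whois_value)
        if addr not in out:
            out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed sample WHOIS contact values (not taken from any real record).
    samples = [
        "hostmaster@Example.COM",                      # plain, mixed-case domain
        "host.master+dv@example.com",                  # '+' and '.' are allowed
        "Hostmaster <hostmaster@example.com>",         # display name: refuse
        '"a@attacker.example"@example.com',            # quoted local part: refuse
        "hostmaster@example.com, x@attacker.example",  # address list: refuse
        "host(comment)master@example.com",             # comment: refuse
    ]
    for s in samples:
        verdict = canonical_approval_address(s) if is_safe_whois_email(s) else "REFUSED"
        print(f"{s!r:50} -> {verdict}")
```

The design choice is to treat any address that needs interpretation as unverifiable: the cost is that a registrant with an exotic but legal address falls back to a constructed mailbox, which is far cheaper than an approval mail that a parser and a mailer read differently.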
Symantec Response
Symantec engineers verified this issue and resolved it in the Symantec DV SSL/TLS certificate issuance system. No customer upgrade is required. Existing customer SSL/TLS certificates have been re-validated. Symantec is not aware of exploitation of or adverse impact from this finding.
Symantec would like to thank Andrew Ayer of SSLMate, https://www.agwa.name/, for reporting this issue and coordinating with us as we worked through it.