Google calls for halting use of WHOIS for TLS domain verifications
Briefly

Researchers from watchTowr have exposed significant vulnerabilities in the way certain certificate authorities verify domain ownership, enabling fraudsters to obtain TLS certificates for any .mobi domain.
The researchers' exploit involved creating a fake WHOIS server that could trick certificate authorities into issuing TLS certificates for domains the requester did not own.
The CA/Browser Forum is now reassessing its guidelines on WHOIS data verification following the security failures highlighted by research from security firm watchTowr.
Without uniform rules for WHOIS verification processes, domain spoofing and fraudulent certificates continue to pose significant threats to digital communications.
Read at Ars Technica