Starting December 2, 2024, SSL.com will no longer accept the WHOIS-based email domain control validation (DCV) method for obtaining SSL/TLS certificates. Industry researchers recently demonstrated that the method is vulnerable, and the CA/Browser Forum is now withdrawing it.
Security researchers from watchTowr recently discovered a vulnerability by registering an expired domain once used as the official home of an authoritative WHOIS server. Over 135,000 systems continued to query their rogue server, enabling potential issuance of counterfeit SSL/TLS certificates. This incident exposed significant flaws in the WHOIS system. In response, Google proposed a CA/Browser Forum ballot to phase out WHOIS and other Domain Contact information sources as a domain validation method.
Google’s proposal outlines the following changes that all certificate authorities will be required to implement before July 15, 2025:
- Certification Authorities (CAs) will no longer be permitted to use Domain Contact information.
- CAs will be prohibited from reusing domain validations that relied on Domain Contact data.
How will this change impact SSL.com customers?
We will no longer include email addresses from WHOIS, RDAP or other Domain Contact sources in the domain validation process. In your SSL.com account, when validating a domain, the drop-down menu will no longer list email addresses previously pulled from your Domain Name Registrar. Additionally, existing Domain Contact-based validations will no longer be reusable for reissuing or renewing certificates; you will need to revalidate your domains using an alternative method.

What should SSL.com customers do next?
To prepare for this change, you will need to switch to a different DCV method before December 2, 2024. Other options for DCV are explained in the next section.

What other options are offered by SSL.com?

As the industry moves away from Domain Contact data, we recommend that users transition to one of the other supported DCV methods as soon as possible. SSL.com offers several alternatives, listed below. For a complete guide on DCV methods, please refer to this SSL.com article: What Are The Requirements for SSL.com SSL/TLS Certificate Domain Validation?

- Email Challenge Response
After placing your order, an email will be sent to an authorized address. Follow the link in the email and enter the validation code to establish domain control.
- File Lookup via HTTP/HTTPS
Upload a specific file to your website that contains hashed data from your Certificate Signing Request (CSR), as well as a unique token provided by SSL.com. Once the file is properly placed, domain control will be confirmed.
- DNS CNAME Lookup
Create a CNAME record in your domain’s DNS that points to SSL.com. This entry must include the MD5 and SHA-256 hashes of the CSR and a unique token.
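As an added illustration (not SSL.com's own code, and not its exact record or file format), the following Python script shows the hashing step that the file-lookup and CNAME-lookup methods above depend on: it decodes a PEM-framed CSR, computes the MD5 and SHA-256 digests of its DER bytes, and assembles the record name, record target and file content from those digests plus the CA-issued token. The CSR bytes, the token and the record layout are constructed placeholders chosen for this example; the real values and layout come from your SSL.com order.

```python
import base64
import hashlib
import re

# Constructed sample: a base64 blob in PEM framing so the script runs offline.
# It is NOT a real CSR; substitute the CSR you actually submitted.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw
-----END CERTIFICATE REQUEST-----
"""
SAMPLE_TOKEN = "placeholder-token-from-ca"  # constructed; the CA issues the real one


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM header/footer and whitespace, then base64-decode to DER."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def csr_hashes(der: bytes) -> tuple[str, str]:
    """Return lowercase hex MD5 and SHA-256 digests of the DER-encoded CSR."""
    return hashlib.md5(der).hexdigest(), hashlib.sha256(der).hexdigest()


def cname_record(domain: str, md5_hex: str, sha256_hex: str, token: str) -> tuple[str, str]:
    """Assumed layout: <md5>.<domain> CNAME <sha256>.<token>.ssl.com (illustrative only)."""
    name = f"{md5_hex}.{domain}."
    target = f"{sha256_hex}.{token}.ssl.com."
    return name, target


def http_file(md5_hex: str, sha256_hex: str, token: str) -> tuple[str, str]:
    """Assumed layout: file named <md5>.txt containing the SHA-256 digest and token."""
    return f"{md5_hex}.txt", f"{sha256_hex}\n{token}\n"


def served_matches(served_body: str, expected_body: str) -> bool:
    """Compare what a web server actually returns with the expected file content,
    ignoring trailing whitespace and line-ending differences (CRLF vs LF)."""
    norm = lambda s: [ln.strip() for ln in s.strip().splitlines()]
    return norm(served_body) == norm(expected_body)


if __name__ == "__main__":
    md5_hex, sha256_hex = csr_hashes(pem_to_der(SAMPLE_CSR_PEM))
    print("CNAME:", *cname_record("example.com", md5_hex, sha256_hex, SAMPLE_TOKEN))
    print("FILE:", *http_file(md5_hex, sha256_hex, SAMPLE_TOKEN))
```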