Securing Your Domain with CAA Records: Prevent Unauthorized Certificate Issuance
You may have seen a recent post by WatchTowr titled We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI. The TL;DR: WatchTowr Labs bought the expired domain of the former .MOBI WHOIS server for $20, which let them answer WHOIS queries for every .mobi domain. Many systems, including Certificate Authorities (CAs) that issue TLS/SSL certificates, were still querying this retired server, so WatchTowr could return spoofed domain ownership information, in particular the administrative contact email addresses that some CAs use to validate domain control before issuing a certificate. That undermines the issuance process itself: a CA that trusts a stale WHOIS source can be tricked into issuing a certificate to whoever controls the response, and a malicious actor who had bought that domain first could have done exactly the same. ...
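The defence this page is about, CAA (RFC 8659), works on a different axis from the WHOIS-based validation that failed above: instead of proving who owns the domain, a CAA record set tells every CA which issuers the owner permits at all, so a spoofed contact email only helps an attacker if the CA they target is on that list. Below is an added example, not code from the original post or from WatchTowr, that implements the RFC 8659 evaluation a CA performs: climb from the requested name to the parent until a CAA record set is found, prefer `issuewild` over `issue` for wildcard names, refuse on a critical record with an unknown tag, and otherwise permit issuance only when an `issue`/`issuewild` record names the CA. The zone, domain names and CA names are constructed for the example; CNAME/DNAME following and real DNS lookups are deliberately omitted (a `lookup` callback is provided so a resolver can be plugged in).

```python
"""RFC 8659 CAA evaluation over a constructed, offline zone.

Added example: the zone contents, domain names and CA names below are
assumptions made for illustration, not data from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # RFC 8659 flags byte; bit 7 (0x80) is the Issuer Critical flag
    tag: str     # property tag: issue, issuewild, iodef, or something newer
    value: str   # property value, e.g. "letsencrypt.org; validationmethods=dns-01"

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)


# Constructed zone: fqdn -> CAA record set. "Issue" on api.example.com exercises
# the case-insensitive tag comparison RFC 8659 requires.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),           # empty issuer: no wildcard certs at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [
        CAARecord(0, "Issue", "digicert.com; validationmethods=dns-01"),
    ],
    "locked.example.com": [
        CAARecord(128, "futuretag", "something"),  # critical flag on an unknown tag
    ],
    "open.example.com": [
        CAARecord(0, "iodef", "mailto:security@example.com"),  # reporting only
    ],
}

# Assumption: a tiny stand-in for the public-suffix boundary at which the climb stops.
TLDS = {"com", "net", "org"}


def lookup_caa(fqdn):
    """Stand-in resolver: CAA(X) for one name from the constructed zone."""
    return list(ZONE.get(fqdn.rstrip(".").lower(), []))


def relevant_record_set(fqdn, lookup=lookup_caa):
    """R(X) from RFC 8659 section 3: CAA(X) if non-empty, otherwise R(parent(X)),
    stopping at the TLD. A wildcard name is evaluated from its parent label."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    while name and name not in TLDS:
        rrset = lookup(name)
        if rrset:
            return rrset
        name = name.partition(".")[2]
    return []


def parse_issue_value(value):
    """'ca.example; k=v' -> ('ca.example', {'k': 'v'}); ';' or '' -> ('', {}).
    Parameters such as validationmethods (RFC 8657) are returned but, as in
    RFC 8659 itself, their enforcement is left to the individual CA."""
    domain, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            params[k.strip().lower()] = v.strip()
    return domain.strip().lower(), params


def may_issue(fqdn, issuer_domain, lookup=lookup_caa):
    """Return (allowed, reason) for the issuer identified by issuer_domain."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_record_set(fqdn, lookup)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    for rec in rrset:                       # RFC 8659 section 4: critical + unknown => refuse
        if rec.critical and rec.tag.lower() not in known:
            return False, f"critical unknown tag '{rec.tag}'"
    by_tag = {"issue": [], "issuewild": []}
    for rec in rrset:
        t = rec.tag.lower()
        if t in by_tag:
            by_tag[t].append(rec)
    # Wildcard requests are governed by issuewild when present, else by issue.
    governing = by_tag["issuewild"] if wildcard and by_tag["issuewild"] else by_tag["issue"]
    if not governing:
        return True, "relevant set has no issue/issuewild tags: issuance not restricted"
    issuer = issuer_domain.lower()
    for rec in governing:
        domain, _params = parse_issue_value(rec.value)
        if domain == issuer:
            return True, f"matched '{rec.tag} {rec.value}'"
    return False, f"no {governing[0].tag.lower()} record names {issuer}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("api.example.com", "digicert.com"), ("locked.example.com", "letsencrypt.org")]:
        print(name, ca, may_issue(name, ca))
```

Two practical caveats follow from the code. First, a CA that finds no CAA records anywhere up the tree treats that as permission for everyone, so a domain without CAA gets no protection from this mechanism; publishing `issue` for the CAs you actually use and `issuewild ";"` if you never need wildcards is the minimum. Second, CAs evaluate CAA by DNS lookup at issuance time, so the record set is only as trustworthy as the DNS answer the CA receives; DNSSEC on the zone is what makes it hard to spoof.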