
SSL.com to Deprecate Domain Contact-Based Email Domain Control Validation on December 2, 2024


Starting December 2, 2024, SSL.com will no longer accept the WHOIS-based email domain control validation (DCV) method for obtaining SSL/TLS certificates. Industry researchers have recently shown the method to be vulnerable, and the CA/Browser Forum is preparing to withdraw it.

Security researchers from watchTowr recently discovered a vulnerability by registering an expired domain once used as the official home of an authoritative WHOIS server. Over 135,000 systems continued to query their rogue server, enabling potential issuance of counterfeit SSL/TLS certificates. This incident exposed significant flaws in the WHOIS system. In response, Google proposed a CA/Browser Forum ballot to phase out WHOIS and other Domain Contact information sources as a domain validation method.

Google’s proposal outlines the following changes, which all certificate authorities will be required to implement before July 15, 2025:

  • Certification Authorities (CAs) will no longer be permitted to use Domain Contact information.
  • CAs will be prohibited from reusing domain validations that relied on Domain Contact data.

At SSL.com, we support this proposal by Google, and out of an abundance of caution we are deprecating this method early, on December 2, 2024.

How will this change impact SSL.com customers?

We will not be including email addresses from WHOIS, RDAP or other Domain Contact sources in the domain validation process. In your SSL.com account, when validating a domain, the drop-down menu will no longer include email addresses previously retrieved from your Domain Name Registrar.

Additionally, existing Domain Contact-based validations will no longer be reusable for reissuing or renewing certificates. You will need to revalidate your domains using an alternative method.

What should SSL.com customers do next?

To prepare for this change, you will need to switch to a different DCV method before December 2, 2024. 

Other options for DCV are explained in the next section. 

What other options are offered by SSL.com?

As the industry moves away from Domain Contact data, we recommend that users transition to one of the other supported DCV methods as soon as possible. SSL.com offers several alternatives which are listed below. For a complete guide on DCV methods, please refer to this SSL.com article: What Are The Requirements for SSL.com SSL/TLS Certificate Domain Validation?

  1. Email Challenge Response
    After placing your order, an email will be sent to an authorized address. Follow the link in the email and enter the validation code to establish domain control.
  2. File Lookup via HTTP/HTTPS
    Upload a specific file to your website that contains hashed data from your Certificate Signing Request (CSR), as well as a unique token provided by SSL.com. Once the file is properly placed, domain control will be confirmed.
  3. DNS CNAME Lookup
    Create a CNAME record in your domain’s DNS that points to SSL.com. This entry must include the MD5 and SHA-256 hashes of the CSR and a unique token.
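The DNS CNAME method, seen from the validator's side, as an added example that is not SSL.com's own code: the record layout, the token and the CSR bytes are constructed assumptions, since the page only states that the record carries the MD5 and SHA-256 hashes of the CSR plus a unique token. The point it shows is the exact-match comparison a CA must perform on the observed CNAME target.

```python
import base64
import hashlib

# Constructed CSR: PEM armour around placeholder base64 (not a real request).
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBCQIBADCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0V4YW1wbGUxEDAOBgNV
-----END CERTIFICATE REQUEST-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the CSR."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def expected_cname(domain: str, csr_pem: str, token: str) -> tuple[str, str]:
    """Build the (owner name, target) pair the validator expects to find.

    Assumed layout (hypothetical, not SSL.com's documented format):
      owner:  _<md5(csr der)>.<domain>
      target: <sha256 hex[:32]>.<sha256 hex[32:]>.<token>.ssl.com
    The SHA-256 hex digest is 64 chars, so it is split into two labels
    because a single DNS label cannot exceed 63 octets.
    """
    der = pem_to_der(csr_pem)
    md5 = hashlib.md5(der).hexdigest()
    sha = hashlib.sha256(der).hexdigest()
    owner = f"_{md5}.{domain.lower().rstrip('.')}"
    target = f"{sha[:32]}.{sha[32:]}.{token.lower()}.ssl.com"
    return owner, target


def normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().lower().rstrip(".")


def cname_matches(observed_target: str, expected_target: str) -> bool:
    """Whole-name equality only: a target with extra labels appended or a
    different token must be rejected, never matched by prefix or suffix."""
    return normalize(observed_target) == normalize(expected_target)


def validate_domain(domain: str, csr_pem: str, token: str, dns_answers: dict) -> bool:
    """CA-side check against a constructed answer table (owner -> CNAME target)
    standing in for a live resolver lookup."""
    owner, target = expected_cname(domain, csr_pem, token)
    observed = dns_answers.get(normalize(owner))
    return observed is not None and cname_matches(observed, target)
```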

Contact SSL.com 

Contact SSL.com Support Team

If you have any questions or need support during this transition, don’t hesitate to reach out to us via email at support@SSL.com, call us at 1-877-SSL-SECURE, or click the chat link on this page. We’re here to help!

Contact SSL.com Sales Team

If your organization has a dedicated SSL.com sales agent, you can also email our sales team at sales@SSL.com, call them by telephone at 877-SSL-Secure (877-775-7328), or fax your request to 832-201-7706.
