Revised: I rewrote the email and corrected some errors.
Hello, Thank you for your reply. I'm still investigating the LiteSSL issue and have uncovered some new aspects. The blog page associated with LiteSSL's FreeSSL mentions this article: “51ssl免费通配符证书申请流程”[1] It mentions a website called 51ssl. I noticed that LiteSSL, FreeSSL, and 51ssl all carry the label “亚数信息科技(上海)有限公司” This article promotes how to apply for wildcard domain certificates using 51ssl. It outlines three methods: 1. DNS (CNAME) verification 2. File verification (i.e., 3.2.2.4.18) 3. Email verification I am more concerned with the second method. Wildcard domains cannot be verified using the file method. This article was published on June 24, 2022. However, the CA/B Baseline Requirements stated on December 1, 2021: CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN. I have the following questions: 1. LiteSSL, FreeSSL, 51ssl, and TrustAsia. Do they use the same infrastructure? 2. Is 51ssl still using these methods to validate wildcard certificates? If not, when was this corrected? Was a report filed? [1] https://web.archive.org/web/20250215190449/https://blog.freessl.cn/mian-fei-tong-pei-fu-zheng-shu-shen-qing-liu-cheng/ On Wednesday, January 21, 2026 at 5:42:25 PM UTC+8 Rollin Yu wrote: > Thank you for your feedback. We have acknowledged this issue and suspended > the affected ACME certificate issuance service at 15:40 (UTC+8) on January > 21, 2026. > > We have identified the cause. The issue affects only the recently launched > free ACME service (litessl.cn). We are currently identifying the impacted > certificates and will complete the revocation within 24 hours. > > We will publish a incident report as soon as possible and will keep you > informed of any key developments. > > On Wednesday, January 21, 2026 at 4:59:07 PM UTC+8 Roger M Lambdin wrote: > >> >> I've noticed this CA has just been found to have a major vulnerability. >> >> A security researcher discovered the following issues with LiteSSL's ACME >> server: >> >> According to his post [1]: >> >> 1. Flawed ACME IP throttling policy causes frequent certificate issuance >> failures >> >> 2. DNS -01 challenge can be exploited to issue wildcard certificates for >> arbitrary domains. >> >> The second issue is particularly severe. Reproduction steps: >> >> 1. Create a LiteSSL ACME account using your own domain and pass the >> DNS-01 challenge to request a wildcard certificate >> >> 2. View the list of wildcard certificates issued by this CA and select >> any one arbitrarily [2]. >> >> 3. Using your own ACME account, construct an ACME request to apply for a >> wildcard certificate for the selected domain [3]. >> >> I recommend the following actions: >> >> 1. Based on this CA's certificate issuance list, we need to identify >> which wildcard certificates have been issued [2]. >> >> 2. The CA must take action to fix the vulnerability in the ACME server. >> >> 3. The CA must submit an incident report. We need to know: When was the >> DNS-01 challenge implemented? How did the vulnerability occur? When was the >> earliest exploitation of this vulnerability? Which certificates were >> erroneously issued? >> >> 4. Revoke the erroneously issued wildcard certificates and immediately >> notify the owners of these domains. >> >> 5. Based on the certificate CA information, this company is a subordinate >> CA of TrustAsia. We need to know: Does LiteSSL share infrastructure with >> them? >> >> 6. This CA must conduct a thorough investigation of its security measures >> and provide a report. >> >> [1] Original source: https://archive.ph/u6U2p >> >> [2] Certificate list: https://crt.sh/?CN=%25&iCAID=438132 >> >> [3] Certificate issued by the researcher: https://crt.sh/?q=vaadd.com >> >> >> >> >> >> >> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1e59f982-3aaa-45c4-be93-6bac5b336b4en%40mozilla.org.
