I've been getting repeated emails from a certificate authority asking me to authorize the issuance of an SSL certificate for a domain that we already control and use Let's Encrypt for. I checked with the developer who manages our website, and he confirmed that he didn't request a certificate from them. I even called the certificate authority previously to ask them to cancel the request, but I got distracted while on hold and never followed through. Have others encountered this situation where someone not associated with a domain attempts to get a certificate for it? What could be the motive behind this and what steps can I take to prevent it?
4 Answers
Sounds like either a phishing attempt or a Man-in-the-Middle attack. Keep an eye on your email and reports of unusual activities!
I can relate! I've been getting similar emails daily for a different site I manage. It's strange because we already have a valid certificate in place for it; I’ve never encountered this before.
Anyone can try to request a certificate for any domain. It's probably just someone probing or testing their luck. Honestly, just ignore those requests. Also, if the domain used to belong to someone else, they could have forgotten to cancel any active certificates.
It sounds like someone might be trying to perform a domain spoofing attack. By acquiring an SSL certificate, they could potentially redirect your visitors to malicious sites without them noticing due to the valid certificate. I recommend auditing your DNS records to check for any anomalies and reviewing who has access to those records. It might also be wise to cycle any access tokens or secrets you have in place.
But wouldn't they need DNS access to execute any redirects? I manage our DNS myself and the only other person who has access is the owner, who isn't tech-savvy at all.

At my workplace, we’ve set up CAA records that prevent unauthorized certificate issuance. Only specified authorities like Let's Encrypt are allowed to issue certificates for our domains. It might not stop those emails from hitting your inbox, but it’s a solid preventative measure.
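
To illustrate the CAA approach from the answer above, here is an added example (not code from the thread or from any CA) that follows the RFC 8659 evaluation a compliant CA runs before issuing. The `ZONE` dictionary stands in for DNS lookups, and `example.com`, `open.example.net`, `otherca.example` and the `iodef` address are constructed values; `letsencrypt.org` is the issuer name Let's Encrypt uses in CAA records.

```python
# Constructed sample zone data (not from the thread): name -> CAA records as
# (flags, tag, value) tuples, the same fields as a zone-file line such as
#   example.com.  IN  CAA  0 issue "letsencrypt.org"
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),              # only Let's Encrypt may issue
        (0, "issuewild", ";"),                        # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),  # where CAs may report violations
    ],
    "open.example.net": [],                           # no CAA policy published
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_rrset(fqdn, zone):
    """RFC 8659 lookup: climb from fqdn toward the root, return the first non-empty CAA set."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_of(value):
    """The issuer name is the part before any ';' parameters; empty means 'no CA'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone=ZONE):
    """True if the CA identified by ca_domain may issue for fqdn under the CAA policy."""
    records = relevant_rrset(fqdn, zone)
    # An unrecognised tag with the critical bit (128) set forbids issuance outright.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # For wildcard names, issuewild takes precedence over issue when present.
    applicable = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not applicable:
        return True  # no applicable property: CAA places no restriction
    return ca_domain.lower() in {issuer_of(v) for v in applicable}
```

The policy is inherited by subdomains through the tree climb, so a single record set at the apex covers `www` and other hosts unless they publish their own CAA records.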