On September 6, 2018 The Register published an article describing how a team of academic security researchers successfully demonstrated that they could use a variant of DNS poisoning to obtain a Domain Validation (DV) certificate for a target domain they did not own.
Comodo CA finds this research to be credible and believes that the approach as described can work against CAs that have not taken specific measures to guard against it, including Comodo CA. (Note that this DV-only attack is ineffective against Extended Validation [EV] certificates and OV certificates due to the additional vetting required for these certificates.)
On the morning of Friday, September 7, our Engineering team implemented changes to mitigate the effectiveness of this type of attack against our validation process, and we continue working on full resolution for our Comodo CA, InstantSSL, PositiveSSL, EnterpriseSSL, and OptimumSSL brands. We have no knowledge of any false certificates issued by Comodo CA using this attack on any of our brands.
As this is a new demonstration, CAs can be fully aligned with Baseline Requirements and previously accepted industry norms but still be vulnerable. We expect that many CAs are vulnerable to this attack today and would like to see defense against attacks of this type included in Baseline Requirements.
Comodo CA encourages security researchers to share findings such as these with us confidentially in advance so that we can block potential vulnerabilities before they come to the attention of computer criminals. We commend the team from the Fraunhofer Institute for Secure Information Technology on the good work they did demonstrating this attack vector.