The CA/Browser Forum, the body in which browser vendors and certification authorities jointly set policy, has approved new requirements for organizations issuing HTTPS certificates. The new requirements deprecate 11 methods for verifying ownership of the domain for which a certificate is issued; support for these methods will be phased out by March 2028. The stated reason for the deprecation is to focus on automated and cryptographically verifiable validation methods.
The deprecated methods include those that rely on WHOIS information, confirmation of contact details by email, phone call, fax, SMS or paper letter, and checks based on ownership of the IP address registered for the domain in DNS. Discontinuing these methods is expected to close loopholes that could allow an attacker to obtain a certificate for a domain they do not control. For example, a year ago it was demonstrated that TLS certificates could be obtained for other domains in the ".mobi" zone by hijacking the domain registrar's outdated WHOIS service.
List of domain ownership verification methods that have been deprecated:
- Sending an email, fax, SMS or paper letter to the contact information listed for the domain in the WHOIS database or in the DNS SOA record.
- Sending an email, fax, SMS or paper letter to the contact information listed for the IP addresses associated with the domain.
- Sending a verification code to standard email addresses such as admin@, administrator@, webmaster@, hostmaster@ and postmaster@.
- Sending a verification code to the email specified in the domain's CAA record in DNS.
- Sending a verification code to the email specified in the domain's TXT record in DNS.
- Confirmation by phone call to the number specified as the contact number for the domain.
- Confirmation by phone call to the number specified in the domain's TXT record in DNS.
- Confirmation by phone call to the number specified in the domain's CAA record in DNS.
- Confirmation by phone call to the number specified as the contact number for the IP address to which the domain is linked.
- Checks based on confirmation of ownership of the IP address registered for the domain in DNS.
- Checks based on reverse IP address resolution.
Source: opennet.ru
