AdamJacobMuller 3 days ago
Sure, gmail.com might be excluded, but it's still a massive hole for a few reasons. This would affect ANY email provider who offers public email addresses. While I agree gmail.com is probably excluded (and maybe this doesn't bypass CAA -- maybe it does), there's a whole additional surface of anyone who has an email at any big enterprise getting a certificate for their domain. Even if I work at google.com, and therefore have a google.com email, I should absolutely not be able to get a certificate for google.com just by getting an email at that company. I doubt it's even /that hard/ to buy an email account at a big company like that in the underground world; it seems like they are valuable generally, and any company with 200k employees is going to have some leaks. This massively increases the attack surface of a simple leaked email account (which might otherwise have very little or no access). Crazy crazy oversight that has huge implications and is so easy to carry out that I would not be surprised if this was actually exploited by bad actors.
londons_explore 3 days ago (in reply)
Plenty of companies have mailing lists which are listname@companydomain.com. Getting on those lists is often easy. Same with support ticketing systems, etc.
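The thread above mentions CAA as the control that may or may not stop issuance to someone who merely holds a mailbox at the domain. CAA (RFC 8659) is evaluated by the CA independently of how the applicant proved control, so a domain owner who publishes a restrictive CAA policy limits what any validation method, email-based ones included, can be used to obtain. The following is an added example, not code from the thread or from any CA: it implements the RFC 8659 lookup and issuance decision against a constructed in-memory zone table (the `ZONE` dictionary, the domain names in it, and the `may_issue` function are all assumptions for illustration), so a domain owner can reason about what their CAA records actually permit.

```python
"""CAA (RFC 8659) issuance evaluation over a constructed, in-memory zone table.

Added example for illustration; the zone data below is constructed and is not
the result of real DNS queries.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (value 128) is the "issuer critical" flag
    tag: str    # "issue", "issuewild", "iodef", or a tag we do not understand
    value: str  # e.g. "letsencrypt.org; validationmethods=dns-01", or ";" for "no CA"


# Constructed sample zone: owner name -> CAA RRset. Names are assumptions.
ZONE: Dict[str, List[CAARecord]] = {
    # Only one CA may issue, and nobody may issue wildcard certificates.
    "example.com.": [CAARecord(0, "issue", "letsencrypt.org"),
                     CAARecord(0, "issuewild", ";")],
    # A critical record with an unrecognised tag: a conforming CA must refuse.
    "locked.example.": [CAARecord(0, "issue", "digicert.com"),
                        CAARecord(128, "futuretag", "opaque-value")],
    # Only an incident-reporting address: no issuance restriction at all.
    "example.org.": [CAARecord(0, "iodef", "mailto:security@example.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """Stand-in for a DNS CAA query: exact-match lookup in the constructed table."""
    return zone.get(name.rstrip(".").lower() + ".", [])


def _names_to_root(name: str) -> List[str]:
    """'www.example.com' -> ['www.example.com.', 'example.com.', 'com.']"""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def relevant_caa_set(domain: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """RFC 8659 section 3: climb from the requested name toward the root and
    return the first non-empty CAA RRset. A wildcard name ('*.example.com') is
    walked as-is; the '*' label normally has no records, so its parent applies."""
    for candidate in _names_to_root(domain):
        rrset = lookup_caa(candidate, zone)
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Extract the issuer-domain-name from an issue/issuewild value; the part
    after the first ';' holds optional parameters and is ignored here."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(requested: str, ca_domain: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """Decide whether the CA identified by ca_domain may issue for `requested`.

    The decision does not depend on the validation method the applicant used:
    email, DNS or HTTP validation all run into the same CAA policy.
    """
    wildcard = requested.startswith("*.")
    rrset = relevant_caa_set(requested, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: unrestricted

    # RFC 8659 section 4.1: a critical record whose tag we do not understand
    # means we cannot be sure we are honouring the policy, so do not issue.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    authorizations = [r for r in rrset if r.tag.lower() == tag]
    if not authorizations:
        return True  # e.g. only an iodef record: nothing restricts issuance

    # ";" (empty issuer domain) authorises no CA at all.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in authorizations)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("host.locked.example", "digicert.com"),
                     ("reports.example.org", "letsencrypt.org")]:
        print(f"{name:24} {ca:16} -> {'may issue' if may_issue(name, ca) else 'must not issue'}")
```

The two cases worth noting for the thread's concern are `www.example.com` with an unlisted CA (refused regardless of any mailbox the applicant controls) and `reports.example.org`, where an `iodef`-only policy restricts nothing; a domain with no `issue` record at all is exactly the situation where email-based validation has free rein.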