One day after the CAA (Certificate Authority Authorization) standard became obligatory on September 8, a German security researcher caught Comodo breaking the rules and issuing an SSL certificate it was not supposed to issue.

CAA allows website owners to specify which Certificate Authorities (CAs) are allowed to issue certificates in their name. Site owners can set up a CAA rule for their domain by adding a CAA record to its DNS zone, such as the one below: CAA 0 issue ""

This small rule tells any Certificate Authority that only Symantec can issue SSL certificates for the domain.

Comodo issued SSL cert ignoring CAA entry

According to the rules of the CAA standard approved by the CA/Browser Forum in Ballot 187, this April, Certificate Authorities such as Comodo have to check a CAA field in DNS records before issuing new SSL certificates.
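The check described above, as an added example that is not part of the original article: an RFC 6844-style CAA lookup that walks from the requested name up toward the root, finds the closest CAA record set, and decides whether the CA identified by a given issuer domain may issue. DNS is replaced by a constructed in-memory zone (the names and values below are made up) so the code runs offline.

```python
from typing import Dict, List, Optional, Tuple

# Constructed in-memory zone: owner name -> list of (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    "locked.example.net.": [(0, "issue", ";")],  # ';' means no CA may issue
    "wild.example.org.": [(0, "issue", "comodoca.com"),
                          (0, "issuewild", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Walk from `name` up to the root and return the closest CAA record set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in ZONE:
            return ZONE[owner]
    return None  # no CAA record anywhere in the chain


def caa_allows(domain: str, issuer_domain: str) -> bool:
    """True if the CA identified by `issuer_domain` may issue a cert for `domain`."""
    wildcard = domain.startswith("*.")
    records = lookup_caa(domain[2:] if wildcard else domain)
    if records is None:
        return True  # no policy published: issuance is unrestricted
    # A critical property (flag bit 128) the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    relevant = [r for r in records if r[1] == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return True  # CAA set exists but restricts nothing relevant to this request
    for _flags, _tag, value in relevant:
        ca = value.split(";", 1)[0].strip().lower()  # drop parameters after ';'
        if ca and ca == issuer_domain.lower():
            return True
    return False
```

A CA that skipped this step would issue for www.example.com even though the zone names only letsencrypt.org, which is the behaviour the article reports.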

On Monday, German security researcher Hanno Böck shared with the infosec community that he managed to obtain an SSL certificate from Comodo — now revoked — for his own website, even though the CAA record limited SSL issuance to Let's Encrypt only.

Böck says he obtained the certificate on Saturday, a day after CAA checks became mandatory on Friday, September 8.

"I was originally informed about the lack of CAA checking at Comodo by Michael Kliewe from the mail provider," Böck wrote in a mailing list post. "However that was before CAA became mandatory."

"I have by now heard from multiple other people that confirmed the same," the expert added. "Seems right now Comodo isn't checking CAA at all."

Comodo website states company is CAA compliant

According to a page on Comodo's official website, the company claims to be CAA compliant.

Comodo did not respond to a request for comment from Bleeping Computer in time for this article's publication.
