Discussion on Web PKI Vulnerabilities Exploited in Cross-Origin Attacks


Pinji Chen

Feb 12, 2025, 12:41:44 AM
to NetSec WG - Public (CA/B Forum), jia...@tsinghua.edu.cn
Recently, we have identified a novel cross-origin web attack that exploits some characteristics of certificate systems to establish attack conditions and prolong the attack duration. Upon reporting this issue to stakeholders, they identified that one of the root causes of this attack stems from the weakness of Web PKI. Therefore, we propose to address these concerns within the CA/Browser Forum, focusing on the following points:
  1. When a domain is transferred to a new owner, validation reuse can still allow the previous domain holder to request a certificate for that domain without re-validating domain ownership.
  2. When both a victim’s domain and an attacker’s domain are included in a multi-domain shared certificate, the victim cannot revoke the certificate.
  3. When a domain included in a shared certificate is sold to a new owner, the original certificate holder can still use the certificate to authenticate the domain that has been transferred.
Our research has been accepted by NDSS 2025, and the paper is attached for your reference. You can find further details and how the properties of the web PKI can impact our attack in our work. Thank you in advance for your time reviewing and guiding our research. We look forward to your feedback.

NDSS_2025_Cross_Origin_Web_Attacks_via_HTTP2_Server_Push_and_Signed_HTTP_Exchange.pdf
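
As an added illustration (not part of the original post or the attached paper), the sketch below shows how a new domain owner could audit certificate records, such as those gathered from Certificate Transparency logs, for the three conditions listed in the message. The record layout, the `san_covers` and `audit` helpers, and all sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample records (not real certificates), shaped like what a new
# domain owner could collect from Certificate Transparency log searches.
SAMPLE_CERTS = [
    {"id": "cert-A", "sans": ["shop.example", "www.shop.example"],
     "not_before": date(2024, 11, 1), "not_after": date(2025, 11, 1)},
    {"id": "cert-B", "sans": ["*.shop.example", "cdn.other.example"],
     "not_before": date(2024, 12, 15), "not_after": date(2025, 3, 15)},
    {"id": "cert-C", "sans": ["shop.example"],
     "not_before": date(2025, 2, 1), "not_after": date(2025, 5, 1)},
    {"id": "cert-D", "sans": ["shop.example"],
     "not_before": date(2024, 1, 1), "not_after": date(2024, 4, 1)},
    {"id": "cert-E", "sans": ["api.shop.example"],
     "not_before": date(2025, 1, 20), "not_after": date(2025, 4, 20)},
]

def san_covers(san, domain):
    """True if the SAN names `domain` itself or any host beneath it."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]  # a wildcard covers hosts directly under its base name
    return san == domain or san.endswith("." + domain)

def audit(certs, domain, transferred_on, today, own_ids=frozenset()):
    """Flag unexpired certificates the current owner of `domain` did not request."""
    findings = []
    for c in certs:
        covering = [s for s in c["sans"] if san_covers(s, domain)]
        if not covering or c["not_after"] < today or c["id"] in own_ids:
            continue
        if c["not_before"] < transferred_on:
            reason = "issued-before-transfer"  # point 3: old holder still has it
        else:
            reason = "issued-after-transfer"   # point 1: possible validation reuse
        # Point 2: SANs outside the audited domain mean a shared certificate.
        shared = [s for s in c["sans"] if s not in covering]
        findings.append((c["id"], reason, shared))
    return findings

if __name__ == "__main__":
    # Assumed scenario: domain acquired 2025-01-10; the new owner requested cert-C.
    for finding in audit(SAMPLE_CERTS, "shop.example", date(2025, 1, 10),
                         date(2025, 2, 12), own_ids={"cert-C"}):
        print(finding)
```

A non-empty third field marks a shared certificate, the case in which point 2 of the message says the affected domain holder cannot revoke.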