There have been two threads recently that are the result of a bad actor taking advantage of the fact that afraid.org domains are “shared” unless you pay:
It seems that somebody is just mass generating certificates with random shared domain names with 100 SANs.
This seems like a bit of an abuse problem because of a few factors:
- At least in one case, domain owners might not be aware that their domains can be used by other users, and are getting locked out of their own domains (in a rate limit sense)
- The rate limit system is being subverted: the effective rate limit for this type of approach is multiplied by a large factor thanks to the availability of domains
- The PSL has proven to be an ineffective tool for managing shared domains. Not-so-recently it’s become increasingly impossible to get listed.
I wonder where the best place is for this to get addressed?
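The two rate-limit effects described in the post (the domain owner being locked out, and the abuser's effective limit scaling with the number of shared domains) follow from how a per-registered-domain limit is accounted against the Public Suffix List. The script below is an added illustration, not code from the post or from any CA; it models the accounting with a constructed mini-PSL, an assumed limit constant, and the placeholder shared domain `shared-dns.example`, so it can be run over a list of SAN sets (for example, names pulled from CT logs) to spot this pattern.

```python
"""Added example: how a "certificates per registered domain" rate limit
is accounted, and why a shared-subdomain provider's domains change the
picture depending on whether they are listed in the PSL.

Assumptions (not from the original post):
- LIMIT_PER_REGISTERED_DOMAIN is a placeholder constant for the example.
- PUBLIC_SUFFIXES is a tiny constructed stand-in for the real PSL; only
  plain suffix rules are modelled (no wildcard/exception rules).
"""
from collections import Counter

LIMIT_PER_REGISTERED_DOMAIN = 50  # assumed value for the example

# Constructed mini "PSL".
PUBLIC_SUFFIXES = {"org", "com", "co.uk", "example"}


def registered_domain(fqdn, public_suffixes):
    """Return the registrable domain (longest matching public suffix plus
    one label). If no rule matches, the last label is treated as the
    suffix, mirroring the PSL default rule. Returns None when fqdn is
    itself a public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    best = 0
    for n in range(1, len(labels)):  # must leave at least one label
        if ".".join(labels[-n:]) in public_suffixes:
            best = n
    if best == 0:
        best = 1  # default rule
    if len(labels) <= best:
        return None
    return ".".join(labels[-(best + 1):])


def certs_per_registered_domain(cert_san_lists, public_suffixes):
    """Count certificates against each registered domain. A certificate
    counts once per distinct registered domain it covers, however many
    SANs under that domain it lists."""
    counts = Counter()
    for sans in cert_san_lists:
        touched = {registered_domain(s, public_suffixes) for s in sans}
        touched.discard(None)
        counts.update(touched)
    return counts


def over_limit(counts, limit=LIMIT_PER_REGISTERED_DOMAIN):
    """Registered domains whose budget for the window is exhausted."""
    return sorted(d for d, c in counts.items() if c >= limit)


def scenario(shared_domains, certs_per_domain, sans_per_cert, psl_listed):
    """Constructed issuance pattern: for each shared domain, certs_per_domain
    certificates, each listing sans_per_cert hostnames under one user label.
    Returns the per-registered-domain counter."""
    suffixes = set(PUBLIC_SUFFIXES)
    if psl_listed:
        suffixes |= set(shared_domains)
    certs = []
    for d in shared_domains:
        for i in range(certs_per_domain):
            certs.append([f"h{j}.u{i}.{d}" for j in range(sans_per_cert)])
    return certs_per_registered_domain(certs, suffixes)


if __name__ == "__main__":
    # Shared domain not on the PSL: every user's cert counts against the
    # one registered domain, so its real owner is locked out.
    c = scenario(["shared-dns.example"], 50, 100, psl_listed=False)
    print("not listed:", dict(c), "exhausted:", over_limit(c))
    # Ten shared domains: the abuser's effective budget is ten times larger.
    c = scenario([f"shared{k}.example" for k in range(10)], 50, 100, False)
    print("ten domains, certs issued:", sum(c.values()), "exhausted:", len(over_limit(c)))
    # Same pattern with the shared domain PSL-listed: each user label is
    # its own registered domain, so the provider's apex is not exhausted.
    c = scenario(["shared-dns.example"], 50, 100, psl_listed=True)
    print("listed:", len(c), "registered domains, exhausted:", over_limit(c))
```

The `scenario` helper is deliberately the abuser's pattern as the post describes it (many certificates, many SANs, spread over shared domains) so that the counter output shows both effects: without a PSL listing the apex hits the limit after the abuser's certificates, and with more shared domains the total issued grows linearly with their number.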