Security Hall of Fame
How to report a security issue?
At On Promise Cloud GmbH, security is paramount and our internal processes reflect that. When a security issue is reported, a stop-the-line policy takes effect: all efforts are focused on the issue until it is mitigated. After the permanent fix is applied, the incident is disclosed on our blog so that everyone can benefit from what we learned.
Contact
Email: security@on-promise.cloud
Security.txt: security.txt
2025
🛡️ SSL Certificate Risk: Missing Certificate Authority Authorization rule
What’s the issue?
Certificate Authorities (CAs) can mistakenly issue SSL certificates for your domain to attackers — allowing impersonation of your website.
Examples from the past:
- In 2011, fake Google certificates were used in Iran for mass surveillance.
- Between 2015 and 2018, Symantec mis-issued many certificates. Google responded by distrusting Symantec certificates in Chrome, forcing Symantec to sell its CA business.
How can you protect your business?
Use CAA DNS Records to control which CAs can issue certificates for your domain.
Optionally, add an iodef email address to get alerts if unauthorized issuance is attempted.
What are CAA records?
A DNS setting like this:
yourdomain.com. CAA 0 issue "letsencrypt.org"
yourdomain.com. CAA 0 iodef "mailto:security@yourdomain.com"
This tells the world: “Only Let’s Encrypt may issue SSL certs for us. And alert us if anyone else tries.”
Limitations:
If a hacker breaks into a trusted CA, CAA can’t help. But it’s still a strong first line of defense.
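As an added example (not code from the report or from On Promise Cloud), the script below applies the decision rules a CA follows when it evaluates CAA records (RFC 8659: climb to the closest ancestor that has CAA records, then check the issue and issuewild properties) against a small constructed zone. It goes slightly beyond the records above by also covering wildcard requests and the critical flag; all domain names and records in it are sample data.

```python
# Added example: offline CAA policy evaluation in the spirit of RFC 8659.
# The zone below is constructed sample data, not any real domain's records.
import re
from typing import Dict, List, Tuple

CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

# Constructed zone: owner name -> CAA rdata strings as they appear in DNS.
ZONE: Dict[str, List[str]] = {
    "example.com.": ['0 issue "letsencrypt.org; validationmethods=dns-01"',
                     '0 iodef "mailto:security@example.com"'],
    "dev.example.com.": ['0 issue "digicert.com"',
                         '0 issuewild ";"'],          # no wildcard certs here
    "locked.example.com.": ['128 unknowntag "x"'],   # critical, unknown tag
}

def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3).strip()

def relevant_caa_set(name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 lookup: walk toward the root, stop at the first name with CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE:
            return [parse_caa(r) for r in ZONE[candidate]]
    return []

def issuance_allowed(name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA 'ca' may issue for 'name' (or '*.name' if wildcard)."""
    records = relevant_caa_set(name)
    if not records:
        return True                      # no CAA anywhere in the tree: unrestricted
    for flags, tag, _ in records:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False                 # critical flag on a tag we do not understand
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"                # issuewild takes precedence for *.name
    properties = [v for _, t, v in records if t == tag]
    if not properties:
        return True                      # no property of this type: unrestricted
    # The CA domain is the part before ';'; a bare ';' authorises nobody.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in properties)
```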
Action for founders:
✅ Add a CAA record to your DNS.
✅ Set up iodef for alerts.
It’s a 10-minute task that gives you long-term peace of mind.
Thanks to Hilex, who shared this hint proactively.
The reported issue was promptly resolved. The following domains are now protected by proper CAA DNS records:
2024
- nothing reported
2023
- nothing reported
2022
- nothing reported