Some CAs issue DV SSL certificates that have expiration times several years in the future.
A domain-validated SSL certificate attests only to ownership and control of a domain name, and the owner of a domain name may have acquired it from others.
It is therefore possible for the previous owner of the domain to have a still-valid DV certificate for the domain.
If such a valid certificate (and associated private key) were to be used in conjunction with a DNS spoofing attack, it would allow a malicious site to masquerade as a legitimate site and bypass the protection afforded by SSL.
Long-lived certificates increase the time during which the possibility of such an attack exists.
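The following is an added example, not part of the original page or of Mozilla's own tooling, that shows how a domain's new owner (or a Certificate Transparency monitor) could flag certificates issued under a previous registrant that are still valid. The certificate serials, dates and the domain transfer date are constructed sample values; the functions and their names are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal view of an issued DV certificate (e.g. from a CT log)."""
    serial: str
    not_before: date
    not_after: date


def is_stale_previous_owner_cert(cert, transfer_date, today):
    """A certificate is a 'previous owner' risk if it was issued before the
    domain changed hands and its validity period has not yet ended."""
    return cert.not_before < transfer_date and cert.not_after >= today


def residual_exposure_days(cert, transfer_date, today):
    """Days (from today) during which a stale certificate remains usable;
    0 if the certificate is not a previous-owner risk."""
    if not is_stale_previous_owner_cert(cert, transfer_date, today):
        return 0
    return (cert.not_after - today).days


def audit_domain_certs(certs, transfer_date, today):
    """Return (serial, remaining_days) for every stale certificate,
    longest remaining exposure first."""
    stale = [
        (c.serial, residual_exposure_days(c, transfer_date, today))
        for c in certs
        if is_stale_previous_owner_cert(c, transfer_date, today)
    ]
    return sorted(stale, key=lambda item: item[1], reverse=True)


# Constructed sample data (made up for this example): the domain changed
# hands on TRANSFER_DATE, and these three certificates were seen for it.
SAMPLE_CERTS = [
    Cert("01", date(2013, 1, 10), date(2014, 1, 10)),  # expired before the transfer
    Cert("02", date(2014, 6, 1), date(2017, 6, 1)),    # 3-year DV cert held by previous owner
    Cert("03", date(2015, 9, 15), date(2016, 9, 15)),  # issued to the new owner
]
TRANSFER_DATE = date(2015, 3, 1)
TODAY = date(2015, 10, 1)

if __name__ == "__main__":
    for serial, days in audit_domain_certs(SAMPLE_CERTS, TRANSFER_DATE, TODAY):
        print(f"serial {serial}: previous-owner certificate still valid for {days} days")
```

With these sample values only certificate 02 is reported: it was issued to the previous registrant and, because of its multi-year lifetime, stays valid for well over a year after the domain changed hands. A shorter maximum validity period shrinks that window directly.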
This page contains draft comments about various CA practices that have been the subject of discussion in past CA evaluations.
In general these practices are not explicitly addressed by the Mozilla CA certificate policy, and we do not necessarily consider them security risks. However, we want to highlight them because they have occasioned controversy in the past and have in some cases caused approval of applications to be delayed. Some of these practices may be addressed in future versions of the policy.

(There are no EV wildcard certificates.)

Mozilla's CA Certificate Inclusion Policy requires CAs to conform to the Baseline Requirements (BRs) in the issuance and management of publicly trusted SSL certificates. This includes the BR restrictions on the use of email as a way of validating that the certificate subscriber owns or controls the domain name to be included in the certificate. CAs are expected to conform to BR Section 11.1.1 (section 3.2.2.4 in BR version 1.3), which restricts the email addresses that may be used to authenticate the subscriber to information listed in the "registrant", "technical", or "administrative" WHOIS records and a selected whitelist of local addresses, which are limited to local-parts of "admin", "administrator", "webmaster", "hostmaster", and "postmaster".
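As an added example (not code from the original page, the BRs, or any CA), the check below implements the email-address restriction just described: a candidate validation address is accepted only if it matches a registrant, technical or administrative WHOIS contact, or if its local-part is one of the five whitelisted names at the domain being validated. The WHOIS record and candidate addresses are constructed sample data; the function names are assumptions. It simplifies one point: the BRs also accept a whitelisted local-part at a parent Authorization Domain Name (above the FQDN but below the public suffix), whereas this example only accepts the exact domain.

```python
import re

# Local-parts the BRs allow without a WHOIS match (BR section 3.2.2.4 as
# described in the text above).
PERMITTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# WHOIS roles whose listed email addresses may be used for validation.
WHOIS_ROLES = ("registrant", "technical", "administrative")

_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def _split(addr):
    """Normalise an address to (local_part, domain_part), both lower-case."""
    m = _EMAIL_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not a usable email address: {addr!r}")
    return m.group(1), m.group(2).rstrip(".")


def is_permitted_validation_address(candidate, domain, whois):
    """whois: mapping of role -> email address (or None) from the WHOIS record."""
    local, dom = _split(candidate)
    # Rule 1: the address appears as a registrant/technical/administrative contact.
    for role in WHOIS_ROLES:
        contact = whois.get(role)
        if contact and _split(contact) == (local, dom):
            return True
    # Rule 2: a whitelisted local-part at the domain itself.
    # Simplification (assumption of this example): parent Authorization
    # Domain Names are not considered, only the exact domain.
    return local in PERMITTED_LOCAL_PARTS and dom == domain.lower().rstrip(".")


def classify_requests(candidates, domain, whois):
    """Map each candidate address to 'permitted' or 'rejected'; malformed
    addresses are rejected rather than raising."""
    result = {}
    for addr in candidates:
        try:
            ok = is_permitted_validation_address(addr, domain, whois)
        except ValueError:
            ok = False
        result[addr] = "permitted" if ok else "rejected"
    return result


# Constructed sample WHOIS record for example.com (not real data).
SAMPLE_WHOIS = {
    "registrant": "Jane.Doe@example.com",
    "technical": "noc@isp.example.net",
    "administrative": None,
}

# Constructed candidate addresses a subscriber might propose.
SAMPLE_CANDIDATES = [
    "webmaster@example.com",       # whitelisted local-part at the domain
    "jane.doe@example.com",        # registrant contact (case-insensitive match)
    "noc@isp.example.net",         # technical contact, even though at another domain
    "ssladmin@example.com",        # not whitelisted and not in WHOIS
    "webmaster@mail.example.com",  # whitelisted local-part but wrong domain
    "admin@attacker.example",      # whitelisted local-part at an unrelated domain
    "not-an-email",                # malformed
]

if __name__ == "__main__":
    for addr, verdict in classify_requests(SAMPLE_CANDIDATES, "example.com", SAMPLE_WHOIS).items():
        print(f"{addr:30} {verdict}")
```

The two rules are deliberately kept separate so that a reviewer can see which one justified a given acceptance; CAs that accepted addresses such as the fourth candidate were relying on neither.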