Crosslayer Labs: Building defense for the Internet's trust layer

Mimir·February 23, 2026·3 min read

The Middleman Problem in Certificate Validation

Crosslayer Labs is working on something most people don't think about: how certificates get issued in the first place. You know those little padlock icons in your browser? Behind them is a complex system called Public Key Infrastructure (PKI), and it turns out there's a sneaky vulnerability hiding in plain sight.

Here's what's happening: when companies need to prove they control a domain to get a certificate, many delegate that validation to third-party services through CNAME records or HTTP redirects. It's convenient, but it creates a dangerous concentration point. If one of these middleman services gets compromised, thousands or even millions of domains could suddenly have fraudulent certificates issued in their name. Crosslayer Labs has been researching this problem deeply, and they've identified how regulatory arbitrage lets these third parties operate validation services that would be prohibited if certificate authorities tried to run them directly.

The good news? Multi-Perspective Issuance Corroboration (MPIC), the subject of their research, is now a requirement for all publicly-trusted certificate authorities, protecting roughly 8 million daily certificate issuances. That's real impact. But they're also clear that MPIC alone isn't enough: sophisticated attackers can still manipulate BGP routing and infrastructure layers to bypass validation controls.
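
An added example, not code from Crosslayer Labs or the original post: a defender-side audit of a zone export that lists which of your names delegate domain validation by CNAME to an outside provider, and how many depend on each one. It assumes the ACME DNS-01 `_acme-challenge` label; the records, zone names and function names are constructed for illustration.

```python
from collections import defaultdict

CHALLENGE_LABEL = "_acme-challenge"  # ACME DNS-01 label (RFC 8555); assumed here

# Constructed sample zone export (name, type, value); not real data.
RECORDS = [
    ("_acme-challenge.shop.widgets.example.", "CNAME", "shop.validation.dcv-vendor.example."),
    ("_acme-challenge.api.widgets.example.", "CNAME", "api.validation.dcv-vendor.example."),
    ("_acme-challenge.blog.widgets.example.", "CNAME", "blog.certs.other-dcv.example."),
    ("_acme-challenge.mail.widgets.example.", "CNAME", "mail.dcv.widgets.example."),
    ("_acme-challenge.www.widgets.example.", "TXT", "constructed-token"),
    ("www.widgets.example.", "CNAME", "edge.cdn-vendor.example."),
]
OWNED_ZONES = {"widgets.example"}  # zones you operate yourself (constructed)


def in_zone(name, zone):
    """True if name is the zone apex or a name below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def provider_of(target):
    # Simplification: last two labels. Real tooling should use the Public Suffix List.
    return ".".join(target.rstrip(".").lower().split(".")[-2:])


def audit_delegations(records, owned_zones):
    """Map each external provider to the names that delegate validation to it."""
    delegated = defaultdict(set)
    for name, rtype, value in records:
        labels = name.rstrip(".").lower().split(".")
        if rtype.upper() != "CNAME" or labels[0] != CHALLENGE_LABEL:
            continue  # only validation-label CNAMEs are delegations
        if any(in_zone(value, zone) for zone in owned_zones):
            continue  # target stays inside infrastructure you control
        delegated[provider_of(value)].add(".".join(labels[1:]))
    return {provider: sorted(names) for provider, names in delegated.items()}


def concentration(delegations, threshold):
    """Providers whose compromise would affect at least `threshold` of your names."""
    return sorted(p for p, names in delegations.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = audit_delegations(RECORDS, OWNED_ZONES)
    for provider, names in sorted(found.items()):
        print(f"{provider}: {len(names)} delegated name(s): {', '.join(names)}")
    print("concentration points:", concentration(found, threshold=2))
```
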

The Reconnaissance Trade-off

What's particularly interesting is how Crosslayer Labs thinks about the next wave of certificate validation. The industry is moving toward persistent DNS-based validation, which eliminates those middleman vulnerabilities. Smart move. But they've spotted something others might have missed: these persistent DNS records create a new attack surface.

When you use the same DNS validation records across multiple domains, you're essentially leaving breadcrumbs that show which infrastructure belongs to whom. An adversary can map your certificate chains, correlate your domains, and build a comprehensive picture of your attack surface. It's the infrastructure equivalent of accidentally publishing your org chart.

This isn't a reason to avoid persistent validation—it's still better than centralized middlemen—but it does suggest organizations need tools that can decouple authorization from discovery. The platform Crosslayer Labs is building seems designed around this insight, offering capabilities that extend well beyond basic certificate management into attack surface discovery, security analytics, and ongoing monitoring across the full internet stack.

Defense Across Layers

What stands out about Crosslayer Labs' approach is how they're thinking about interconnected threats. They're not just focused on certificates in isolation. They're tracking BGP hijacking, DNS manipulation, and third-party service compromises as parts of an integrated threat surface. That makes sense when you realize that infrastructure-layer attacks can bypass even well-designed validation controls.

For organizations managing certificates at scale, there's also a practical administrative challenge: maintaining separate DNS records for each certificate authority limits your ability to fail over quickly if a CA has an outage or breach. Crosslayer Labs advocates for direct CA-subscriber relationships with cryptographic subscriber identity keys—essentially letting you authorize any CA to issue certificates through a single key in DNS. It's the kind of architectural thinking that reduces both security risk and operational overhead.

This teardown was generated with Mimir, and what's clear from looking at Crosslayer Labs' public presence is that they're tackling genuinely hard problems in internet security infrastructure. The vulnerabilities they've identified aren't theoretical—they're systemic flaws in how trust gets established online. Their research has already influenced industry standards, and the platform they're building seems designed to address attack vectors that most security tools don't even consider yet.
