Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

Anonymous Coward

Before people start blasting Let's Encrypt, saying that a free cert provider with an automated system is always going to be a risk, the following should be considered first.

- The issue was in the specification: TLS-SNI-01 and TLS-SNI-02

- The specification did not take into account shared hosting providers who don't do domain validation

- Many cloud providers allow any domain to be set up that isn't already in use, so you can set up a complete system ready to go before pointing your DNS to it

- The issue affects subdomains where DNS is pointing to the shared service and there is a binding on HTTP (port 80) but no binding for HTTPS (443)

- Other CAs who correctly follow the specification for TLS-SNI-01 and TLS-SNI-02 using automated methods may also have issues.

- Let's Encrypt were extremely fast to respond to the incident, disabling TLS-SNI within 2 hours of the first report
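The scenario the commenter lists, as an added worked example that is not part of the post and not code from Let's Encrypt or any hosting provider. It models TLS-SNI-01 on a shared SNI-routed host: the validator derives a `.acme.invalid` name from the key authorization and expects the certificate served for that SNI to carry it. A host that lets any tenant bind any not-yet-used name lets an attacker tenant satisfy the check for a victim name whose DNS points at the same host. The tenant names, IP, domain and account thumbprint are constructed; only the challenge-name derivation (hex SHA-256 of the key authorization, split into two 32-character labels under `.acme.invalid`) follows the TLS-SNI-01 draft. The `refuse_acme_names` switch is a hypothetical provider-side mitigation added here for contrast, not a description of what any provider shipped.

```python
"""Toy model of ACME TLS-SNI-01 validation against a shared host.

Constructed example: hosts, tenants, domain names and the account-key
thumbprint are made up. The challenge-name derivation follows TLS-SNI-01.
"""
import hashlib
import secrets


def tls_sni_01_name(key_authorization: str) -> str:
    """SAN the CA expects to see when it connects with this name as SNI."""
    z = hashlib.sha256(key_authorization.encode()).hexdigest()  # 64 hex chars
    return f"{z[:32]}.{z[32:]}.acme.invalid"


class SharedHost:
    """SNI-routed front end shared by many tenants.

    Any tenant may bind any SNI name that is not already bound (the
    'no domain validation' behaviour described in the post). With
    refuse_acme_names=True the host additionally rejects *.acme.invalid,
    a hypothetical mitigation included here only for contrast.
    """

    def __init__(self, ip: str, refuse_acme_names: bool = False):
        self.ip = ip
        self.refuse_acme_names = refuse_acme_names
        self.bindings: dict[str, tuple[str, list[str]]] = {}  # sni -> (tenant, SANs)

    def bind(self, tenant: str, sni_name: str, cert_sans: list[str]) -> None:
        if sni_name in self.bindings:
            raise PermissionError(f"{sni_name} is already bound")
        if self.refuse_acme_names and sni_name.endswith(".acme.invalid"):
            raise PermissionError("validation-only names are refused")
        self.bindings[sni_name] = (tenant, cert_sans)

    def handshake(self, sni_name: str):
        """Return the SANs of the cert served for this SNI, or None if unbound."""
        entry = self.bindings.get(sni_name)
        return entry[1] if entry else None


def ca_validate(dns: dict, hosts_by_ip: dict, domain: str, key_authorization: str) -> bool:
    """What the CA does for TLS-SNI-01: resolve the name, connect to port 443
    at that address with the derived .acme.invalid SNI, and require that name
    in the presented certificate. The domain itself never appears in the SNI."""
    expected = tls_sni_01_name(key_authorization)
    host = hosts_by_ip[dns[domain]]
    sans = host.handshake(expected)
    return sans is not None and expected in sans


def run_scenario(refuse_acme_names: bool) -> bool:
    """True if an attacker tenant passes TLS-SNI-01 for the victim's subdomain."""
    host = SharedHost("203.0.113.10", refuse_acme_names=refuse_acme_names)
    # Victim points DNS at the shared host but has no binding on 443 for the
    # name (only HTTP), matching the situation described in the post.
    dns = {"blog.victim.example": host.ip}

    # Attacker requests a certificate for the victim's name from the CA.
    token = secrets.token_urlsafe(32)                       # CA-issued challenge token
    attacker_thumbprint = "constructed-attacker-jwk-thumbprint"
    key_authorization = f"{token}.{attacker_thumbprint}"

    # Attacker binds the derived .acme.invalid name on the shared host with a
    # self-signed cert that lists it. No proof of control over the victim name
    # is ever demanded by the host.
    challenge_name = tls_sni_01_name(key_authorization)
    try:
        host.bind("attacker", challenge_name, [challenge_name])
    except PermissionError:
        return False

    return ca_validate(dns, {host.ip: host}, "blog.victim.example", key_authorization)


if __name__ == "__main__":
    print("permissive shared host, challenge passes:", run_scenario(False))
    print("host refuses .acme.invalid, challenge passes:", run_scenario(True))
```

The model shows why the commenter's points about the specification hold: the CA only ever asks the IP behind the victim's DNS record to present a certificate for a name under `.acme.invalid`, so whoever can make that IP answer for that name controls the outcome, and on a shared host that is any tenant who can bind an unused name.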
