Hello! There’s a story on Wired about hackers that not only hijacked the DNS records of an online bank but also received a certificate from Let’s Encrypt:
And those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites. Kaspersky found that the certificates had been issued six months earlier by Let’s Encrypt, the non-profit certificate authority that’s made obtaining an HTTPS certificate easier in the hopes of increasing HTTPS adoption.
“If an entity gained control of DNS, and thus gained effective control over a domain, it may be possible for that entity to get a certificate from us,” says Let’s Encrypt founder Josh Aas. “Such issuance would not constitute mis-issuance on our part, because the entity receiving the certificate would have been able to properly demonstrate control over the domain.”
I agree that domain control is a valid ground to request a DV certificate and it’s NOT mis-issuance by Let’s Encrypt.
However, my question is: would it be possible to implement an automated check for whether a domain already has (or recently had) a valid EV certificate? Such cases are extremely suspicious and I don’t think there are going to be many. Why would anyone who spent money and time to get extended validation switch to a free DV? This looks like a good reason to put the request on hold and double-check what the site in question is. If it’s an online bank, retailer etc., then there’s a 99% chance of fraud.
[offtopic] I also believe that browsers should warn users when the validation level changes, even when there’s no HPKP. Personally, I’d also look into CA changes, which are also rather rare (compared to certificate re-issuance within the same CA).
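The check proposed in the post, written out as an added example in Go (it is not code from the original post, nor from Let’s Encrypt or its Boulder CA software). It assumes the CA already has a list of certificates previously seen for the requested names (in practice that would come from Certificate Transparency logs); here that history is constructed in-process as self-signed test certificates issued by made-up CAs ("Example EV CA", "Example DV CA") so the example runs offline. "EV" is detected by the CA/Browser Forum EV policy OID 2.23.140.1.1 in the certificatePolicies extension; a real deployment would additionally check that the chain ends in a root trusted for EV, since any certificate can assert the OID. The `lookback` window covers the "recently had" case from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Policy identifiers defined by the CA/Browser Forum: EV (2.23.140.1.1) and DV (2.23.140.1.2.1),
// and id-ce-certificatePolicies (2.5.29.32), the X.509 extension that carries them.
var (
	evPolicyOID        = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	dvPolicyOID        = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	certPoliciesExtOID = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// IsEV reports whether the certificate asserts the CA/B Forum EV policy OID.
// (Browsers also require an EV-enabled root; for a "hold for review" heuristic the OID suffices.)
func IsEV(cert *x509.Certificate) bool {
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return true
		}
	}
	return false
}

// ShouldHold is the proposed check: given the certificates previously logged for a domain,
// hold a DV request for any requested name that is covered by an EV certificate which is still
// valid or expired less than lookback ago. The returned string tells a reviewer what was found.
func ShouldHold(history []*x509.Certificate, names []string, now time.Time, lookback time.Duration) (bool, string) {
	cutoff := now.Add(-lookback)
	for _, name := range names {
		for _, c := range history {
			if !IsEV(c) || c.NotBefore.After(now) || c.NotAfter.Before(cutoff) {
				continue
			}
			if c.VerifyHostname(name) != nil { // SAN match, wildcards included
				continue
			}
			return true, fmt.Sprintf("%s is covered by an EV certificate from %v (valid %s to %s)",
				name, c.Issuer.Organization, c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
		}
	}
	return false, ""
}

// makeCert builds a self-signed test certificate (constructed data, not a real issuance) carrying
// the given policy OID. The certificatePolicies extension is marshalled by hand into
// ExtraExtensions so the code does not depend on a particular Go version's template fields.
func makeCert(issuerOrg string, dnsNames []string, notBefore, notAfter time.Time, policy asn1.ObjectIdentifier) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	// CertificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OBJECT IDENTIFIER }
	type policyInformation struct {
		Policy asn1.ObjectIdentifier
	}
	policiesDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:    serial,
		Subject:         pkix.Name{Organization: []string{issuerOrg}, CommonName: dnsNames[0]},
		DNSNames:        dnsNames,
		NotBefore:       notBefore,
		NotAfter:        notAfter,
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: certPoliciesExtOID, Value: policiesDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SampleHistory is constructed CT-style history relative to now: a current EV certificate for
// bank.example, a DV-only history for blog.example, and an EV certificate for old.example that
// expired two years ago.
func SampleHistory(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		makeCert("Example EV CA", []string{"bank.example", "www.bank.example"}, now.Add(-300*day), now.Add(65*day), evPolicyOID),
		makeCert("Example DV CA", []string{"blog.example"}, now.Add(-30*day), now.Add(60*day), dvPolicyOID),
		makeCert("Example EV CA", []string{"old.example"}, now.Add(-1100*day), now.Add(-730*day), evPolicyOID),
	}
}

func main() {
	now := time.Date(2017, 4, 1, 0, 0, 0, 0, time.UTC) // arbitrary fixed "today" for the demo
	history := SampleHistory(now)
	for _, req := range [][]string{{"bank.example"}, {"www.bank.example"}, {"blog.example"}, {"old.example"}} {
		hold, why := ShouldHold(history, req, now, 365*day)
		fmt.Printf("request %v: hold=%v %s\n", req, hold, why)
	}
}
```

With a one-year lookback the DV requests for bank.example and www.bank.example are held, blog.example (DV history only) passes, and old.example passes because its EV certificate expired outside the window; widening the lookback to three years catches old.example too, which is the knob a CA would tune.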