Here’s a theoretical scenario that I came up with recently while playing around with a CDN provider. I’ve noticed that some companies that use Let’s Encrypt to generate customer certificates will put multiple customers’ subdomains on the same certificate (the two that I’ve encountered so far are Smugmug and Akamai CDN provisioned through Microsoft Azure). I assume they’re doing this to avoid hitting LE’s API limits. While it’s not a big deal for a trusted provider, here’s a similar scenario that it made me think of:
- Attacker compromises my DNS account or provider.
- They issue a LE certificate using DNS validation, but also include a Subject Alternative Name of a domain name that they own.
- I regain control of my DNS.
- I can’t revoke the certificate because doing so requires validating all domains on the certificate.
Am I correct in how that would play out?
(This is just a hypothetical scenario; my DNS is properly secured.)