Tls-sni-01 vs tls-http-01

I know I must be missing something fairly fundamental here, but doesn’t the flaw with tls-sni-01 hit http-01 as well?

E.g. if hosting company hosts, and the customer stops using it (but does not tidy up DNS) exactly the same problem will happen - The hostname is simply tied to that cloud hosting company.

In the case of AWS (one quick test) it looks like they use a CNAME to a random unique ID for static S3 hosted sites at least, so that is protected - but going through a couple of other hosting company sign up forms did not appear to have the same protection in place (I stopped as soon as they asked for credit card details or money).

Unclaimed domains are only a minor part of the problem.

With the tls-sni issue, the only prerequisite was that you were able to upload a custom SNI certificate (x.y.acme.invalid) to the same IP address as the domain you were attacking (such as with a public CDN service, where millions of sites are served from a single [set] of IPs). You did not need to specifically serve content from the victim domain.

http-01 does not have this problem because you need to be able to serve content from the victim domain, which is MUCH harder.

You are right that domains pointing at e.g. Cloudflare that aren’t added to any Cloudflare account still have the problem of anybody being able to take them over, but I don’t think Let’s Encrypt cares/should care about that scenario.
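To make the distinction in the reply above concrete, here is an added toy model (not code from the thread, from Let's Encrypt, or from any CDN): one shared IP fronting several tenants, a validation keyed on the SNI name next to one keyed on the victim hostname, and the refusal of `.acme.invalid` names that a host can add on its side. Tenant names, hostnames and the token are constructed placeholders.

```python
# Added example (not from the thread): toy model of one shared IP fronting many
# tenants. Shows why tls-sni-01 was weaker than http-01 and the hosting-side fix.
ACME_INVALID_SUFFIX = ".acme.invalid"

class SharedHost:
    """One public IP, many tenants. Certs are matched by SNI; HTTP is routed by Host."""
    def __init__(self, reject_acme_invalid=False):
        self.reject_acme_invalid = reject_acme_invalid  # mitigation a host can apply
        self.cert_sans = {}  # tenant -> set of SAN names on the certificate it uploaded
        self.content = {}    # hostname -> {path: body}; each hostname owned by one tenant

    def upload_cert(self, tenant, sans):
        if self.reject_acme_invalid and any(n.endswith(ACME_INVALID_SUFFIX) for n in sans):
            raise ValueError("certificate names under .acme.invalid are refused")
        self.cert_sans[tenant] = set(sans)

    def publish(self, hostname, path, body):
        self.content.setdefault(hostname, {})[path] = body

    def sans_presented_for_sni(self, sni):
        """TLS handshake: whichever tenant's cert lists the SNI name gets served."""
        return next((s for s in self.cert_sans.values() if sni in s), set())

    def http_get(self, hostname, path):
        """HTTP: the Host header selects the tenant that actually owns the hostname."""
        return self.content.get(hostname, {}).get(path)

def tls_sni_01_passes(host, validation_name):
    # The CA connects with SNI=<validation_name> and only checks the names in the cert.
    return validation_name in host.sans_presented_for_sni(validation_name)

def http_01_passes(host, domain, token, key_authz):
    # The CA fetches the token from the domain being validated itself.
    return host.http_get(domain, "/.well-known/acme-challenge/" + token) == key_authz

def run_model(reject_acme_invalid):
    host = SharedHost(reject_acme_invalid)
    victim = "victim.example"                    # constructed hostname of the domain under validation
    host.publish(victim, "/", "the owner's own site")
    validation_name = "aaaa.bbbb.acme.invalid"   # constructed stand-in for the challenge name
    try:  # another tenant on the same IP uploads a cert carrying the validation name
        host.upload_cert("other-tenant", ["other.example", validation_name])
    except ValueError:
        pass
    return {
        "tls_sni_01_by_other_tenant": tls_sni_01_passes(host, validation_name),
        "http_01_by_other_tenant": http_01_passes(host, victim, "tok", "tok.keyauth"),
    }
```

With the refusal switched off, the SNI-keyed check passes for a tenant that controls neither the hostname nor its content, while the Host-keyed check does not; with it on, neither passes.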

So the issue isn’t tls-sni-01 at all, it is purely the cloud hosting companies?

Thanks - the bit I was missing was that this purely is a cloud hosting issue, not anything else.


I think opinions will vary on the question of who is responsible. Being able to upload and present certificates for invalid names is not especially a vulnerability on its own, it only became one when tls-sni-01 was introduced. My personal view is that because acme/tls-sni was the latest arrival on the scene, you cannot pin any blame on the CDNs.

I think letting anyone do something on behalf of something they do not control is wrong - you’re not allowed to open a bank account for someone else… The examples are endless - claiming to be someone else is wrong pretty much everywhere :smiley:

I’d look at it the other way - just because it wasn’t a problem before doesn’t make it acceptable.

(Yes, my opinions are quite firm on who messed up - however, agree it could be viewed as a grey area)
