
How I exploited TLS-SNI-01 to issue Let's Encrypt certs using shared hosting - Titanous
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
======
fransr
Hi, I'm the author of the article. As I wanted to point out, I'm not assuming
this was something Let's Encrypt did wrong, but rather assumptions in the
specification which were not equivalent to the reality. I am really happy with how
this all was handled by Let's Encrypt.

I've been thinking about this issue with domain validation for a long time. It
is not a solved problem yet. There is no standard for it. There are clearly
overlapping techniques from the 10 blessed being used in the wild (Google
being one) but the adoption has been really slow.

~~~
rconti
Great read, and good catch!

