by pakitan 3933 days ago
A valid certificate only allows you to have a secure connection without errors and warnings popping up all over. It does nothing to guarantee that the domain is "legit". You can already set up thecitibank.com and get an SSL certificate for it without any problem. What you can't do is get the EV (green bar) certificate where indeed you need to go through a human. But I'm pretty sure Let's Encrypt won't be giving away EV certificates.

Surely you would at least need access to a relevant email address on that domain? How would you bypass that?
He would need to be in control of that domain entirely. thecitibank.com is just an address that looks legitimate and is purchasable.
Ok, I understand.

On a slight side note he may not necessarily need to control the domain entirely, just have access to a privileged email address [1]

However, now it seems you won't even need access to an email address. What would stop someone from creating a cert for the real citibank.com and using it for a MITM attack? How many people actually check the green bar?

[1] http://arstechnica.com/security/2015/03/bogus-ssl-certificat...

In the live.fi example, it sounds like Microsoft may have failed to prevent a random user from registering administrator@live.fi as a personal account. Citibank probably won't allow a customer to get that e-mail address!
"without any problem"

Are you sure about that?

Yeah - there are many SSL vendors who've automated everything - so long as you can read email sent to webmaster@whatever-damned-phishing-domain-you-like.com, they'll sign a CSR for that domain's SSL cert.
Most certificate providers are already fully automated, the personal identity (not domain ownership) verification is the only human part.
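The thread's point is that a domain-validated certificate only proves control of a name, so "thecitibank.com" gets one as easily as the real bank does. The defender's counterpart is to watch for look-alike names as they appear (for instance in the subject names of newly issued certificates). The following is an added example, not code from the thread or from any of the commenters; the brand list and the certificate names it scans are constructed sample input, and the classification rules (brand label embedded in the hostname, or a second-level label within edit distance 1 of the brand) are an assumed, deliberately simple heuristic.

```python
"""Flag look-alike registrations of a brand domain.

Hypothetical example code. The brand set and the sample certificate names
below are constructed for illustration, not taken from any real feed.
"""

# Brand domains we defend (constructed sample).
BRAND_DOMAINS = {"citibank.com"}

# Constructed sample of certificate subject names as they might appear in a
# feed of newly issued certificates.
SAMPLE_NAMES = [
    "citibank.com",
    "www.citibank.com",
    "thecitibank.com",
    "citibank-login.com",
    "c1tibank.com",
    "example.org",
    "citibank.com.evil.net",
]


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return name.lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """Naive eTLD+1: the last two labels. Ignores multi-label public suffixes
    such as co.uk, which is acceptable for this illustration."""
    labels = normalise(name).split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_legitimate(name: str, brand: str) -> bool:
    """True when the name is the brand domain itself or one of its subdomains."""
    n = normalise(name)
    return n == brand or n.endswith("." + brand)


def classify(name: str, brands=BRAND_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    n = normalise(name)
    if any(is_legitimate(n, brand) for brand in brands):
        return "legitimate"
    for brand in brands:
        brand_label = brand.split(".")[0]
        # Rule 1: brand label embedded anywhere in a non-brand hostname,
        # e.g. thecitibank.com or citibank.com.evil.net.
        if brand_label in n:
            return "lookalike"
        # Rule 2: second-level label one edit away from the brand, e.g. c1tibank.com.
        sld = registrable_domain(n).split(".")[0]
        if levenshtein(sld, brand_label) <= 1:
            return "lookalike"
    return "unrelated"


def scan(names) -> dict:
    """Classify a batch of names; callers alert on the 'lookalike' entries."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES).items():
        print(f"{verdict:10s} {name}")
```

The substring rule is intentionally broad and will produce false positives on names that merely contain the brand string, so in practice the "lookalike" bucket is something to review or enrich (whois, registration age), not an automatic block.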