Hacker News
by weavie 3933 days ago
Ok, I understand.

On a slight side note he may not necessarily need to control the domain entirely, just have access to a privileged email address [1]

However, now it seems you won't even need access to an email address. What would stop someone from creating a cert for the real citibank.com and using it for a MITM attack? How many people actually check the green bar?

[1] http://arstechnica.com/security/2015/03/bogus-ssl-certificat...

1 comment

In the live.fi example, it sounds like Microsoft may have failed to prevent a random user from registering administrator@live.fi as a personal account. Citibank probably won't allow a customer to get that e-mail address!
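As an added illustration of the reply above (this is example code, not something posted in the thread and not Microsoft's or Citibank's code): a webmail provider that lets users register mailboxes on its own domains has to refuse the handful of local parts a CA may e-mail to prove domain control. The five names in CA_VALIDATION_LOCAL_PARTS are the ones the CA/Browser Forum Baseline Requirements permit for that purpose; the extra reserved names, the normalization rules (NFKC, case folding, dropping a "+tag" subaddress and dots), the managed-domain list and the sample account list are assumptions made for the example.

```python
import re
import unicodedata

# Local parts the CA/Browser Forum Baseline Requirements let a CA use as the
# recipient of a domain-validation e-mail. Handing one of these to an ordinary
# signup is what the live.fi case describes.
CA_VALIDATION_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
})

# Additional names many providers reserve anyway (assumed policy, not from the BRs).
EXTRA_RESERVED_LOCAL_PARTS = frozenset({
    "abuse", "security", "noc", "root", "ssladmin",
})

RESERVED_LOCAL_PARTS = CA_VALIDATION_LOCAL_PARTS | EXTRA_RESERVED_LOCAL_PARTS

# Deliberately loose: one "@", no whitespace. Real validation is stricter.
_ADDRESS_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def normalize_local_part(local):
    """Canonical form used for the reserved-name comparison (assumed policy).

    NFKC folds full-width and other compatibility forms ("ａｄｍｉｎ" -> "admin"),
    casefold() handles case, the "+tag" subaddress is dropped, and dots are
    removed so "post.master" cannot slip past a provider that ignores dots.
    """
    local = unicodedata.normalize("NFKC", local).casefold()
    local = local.split("+", 1)[0]
    local = local.replace(".", "")
    return local


def is_reserved_local_part(local):
    """True if a mailbox with this local part could receive CA validation mail."""
    return normalize_local_part(local) in RESERVED_LOCAL_PARTS


def check_signup(address, managed_domains):
    """Decide whether a self-service signup may claim `address`.

    Returns (allowed, reason). `managed_domains` is the set of lower-case
    domains this provider hands out mailboxes on.
    """
    m = _ADDRESS_RE.match(address.strip())
    if not m:
        return (False, "malformed address")
    local, domain = m.group(1), m.group(2).casefold()
    if domain not in managed_domains:
        return (False, "domain not managed here")
    if is_reserved_local_part(local):
        return (False, "reserved mailbox name")
    return (True, "ok")


def audit_accounts(addresses, managed_domains):
    """Find already-registered accounts that should have been refused.

    Useful after the fact: a provider that only adds the signup check still
    has to hunt down any administrator@ mailbox that was created earlier.
    """
    hits = []
    for address in addresses:
        m = _ADDRESS_RE.match(address.strip())
        if m and m.group(2).casefold() in managed_domains and is_reserved_local_part(m.group(1)):
            hits.append(address)
    return hits


if __name__ == "__main__":
    # Constructed sample data for the demo; not real accounts.
    managed = {"live.fi", "example.net"}
    sample_accounts = [
        "weavie@live.fi",
        "administrator@live.fi",
        "Post.Master+ca@example.net",
        "ａｄｍｉｎ@live.fi",
        "admin@citibank.example",
    ]
    for a in sample_accounts:
        print(f"{a:30} -> {check_signup(a, managed)}")
    print("existing accounts to revoke:", audit_accounts(sample_accounts, managed))
```

The check belongs at account creation, not only in the certificate pipeline: once a random user owns administrator@live.fi, every CA that offers e-mail-based domain validation will treat that mailbox as the domain owner, and nothing on the CA side can tell the difference.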