[pfg]

> This method is rarely used, instead for the domain validation most certificate authorities ask the domain owner to place a certain file in their websites.

This statement strikes me as odd. Email-based validation is the most common validation method used by most CAs for DV certificates. The only exceptions that come to mind are WoSign and Let's Encrypt.

The vulnerability is pretty bad, though. Good catch.

[dopamean]

I work for a hosting provider that acts as a reseller of certs and we use the DV file option the author speaks of. It's easy for us because we can automate the entire process for the customer.

Whenever I've bought a cert for myself I've used the same process. I never thought email verification seemed like a great idea.

[pfg]

It's certainly easier for automation. I think the security implications are mostly the same - you're vulnerable to DNS spoofing and BGP hijacking either way. With email validation, a misconfigured or breached email server is enough to get a certificate, while with http validation, it's your web server or web app that could be vulnerable.

[brohee]

And a vulnerability in your website permitting an attacker to create a file opens the possibility for an attacker to get a certificate for your site too, and without certificate transparency you'll possibly never even know it even happened...

[pilsetnieks]

Maybe they meant that it's rarely used even though it's widely available. Anecdotally, I think that every certificate authority I've used allows for email validation but most offer options, of which I myself prefer the file or DNS record options.

[_yy]

RapidSSL does it too.