Right now, StartSSL needs to do a quick search on their database to see which certs had email sent to a domain other than the one for which the cert applies. All such certs should be revoked immediately, and the owners of the domains involved notified of the breach.
Also, did they check properly for TLD and subdomain issues? If I have "me.blogspot.com", can I get a cert for "blogspot.com"? (What's a TLD today? It's complicated. See "https://publicsuffix.org/")
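An added example (not code from the thread or from StartSSL) of the two checks the comments above ask for: that the validation e-mail really went to a domain that controls the requested name, and that the requested name is not itself a public suffix such as "blogspot.com". The Public Suffix List excerpt is constructed and far shorter than the real list at https://publicsuffix.org/; the function names and the rule that the validation address must sit at the requested name or a parent of it, but no higher than the registrable domain, are this example's assumptions.

```python
"""Domain-validation sanity check built on Public Suffix List matching.

Added example; the PSL excerpt below is constructed for the demo (assumption:
a real CA fetches the full list from publicsuffix.org instead).
"""

# Constructed PSL excerpt. The real list also has ICANN/private sections,
# comments and thousands more rules; the matching rules are the same.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
blogspot.com
"""


def parse_psl(text):
    """Return the rule strings of a PSL document (comments/blank lines dropped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule_labels, domain_labels):
    """PSL rule match: compare labels right-to-left, '*' matches one label."""
    if len(rule_labels) > len(domain_labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(domain_labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(domain, rules):
    """Public suffix of `domain` per the PSL algorithm.

    An exception rule ('!...') beats every other match and yields the rule
    minus its leftmost label; otherwise the longest matching rule wins; if
    nothing matches the default rule '*' (the TLD) applies.
    """
    labels = domain.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if exception:
            return ".".join(labels[-(len(rule_labels) - 1):])
        if best is None or len(rule_labels) > len(best):
            best = rule_labels
    if best is None:
        best = ["*"]
    return ".".join(labels[-len(best):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if `domain` is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(domain, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def validation_is_sound(requested_name, validation_email, rules):
    """Return (ok, reason) for issuing `requested_name` after mailing `validation_email`.

    Rejects names that are public suffixes (nobody "owns" blogspot.com) and
    validation addresses that are not at the requested name or a parent of
    it, or that sit above the registrable domain (me.blogspot.com cannot be
    validated by mail to blogspot.com).
    """
    name = requested_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard name is judged by its base name
    if "@" not in validation_email:
        return False, "malformed validation address"
    mail_domain = validation_email.rsplit("@", 1)[1].lower().rstrip(".")

    requested_reg = registrable_domain(name, rules)
    if requested_reg is None:
        return False, f"{name} is a public suffix and cannot be issued"
    if not (mail_domain == name or name.endswith("." + mail_domain)):
        return False, f"{mail_domain} is not {name} or a parent of it"
    if registrable_domain(mail_domain, rules) != requested_reg:
        return False, f"{mail_domain} is above the registrable domain {requested_reg}"
    return True, "ok"


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for req, mail in [("www.victim.com", "admin@victim.com"),
                      ("victim.com", "admin@attacker.com"),
                      ("blogspot.com", "admin@blogspot.com"),
                      ("other.blogspot.com", "me@me.blogspot.com"),
                      ("me.blogspot.com", "hostmaster@blogspot.com")]:
        print(req, mail, validation_is_sound(req, mail, rules))
```

The point of routing the check through the PSL rather than a plain suffix comparison is that "blogspot.com" and "me.blogspot.com" belong to different parties even though one is a suffix of the other; a CA that only checked string suffixes would let a blogspot tenant validate the parent.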
You would soon be left without any CAs. [1] People are pretty stupid when it comes to security, and this includes people working for CAs. There have been cases where the CA private key is publicly accessible to the internet without any password. [2]
--
[1] Yes, plenty of smart people have been advocating moving away from the current CA system. It's fundamentally broken.
I agree. What certificates have been fraudulently issued like this until now? Does StartSSL submit certificates to Certificate Transparency? And if it does, who knows if there is a bug in that code too, and certs have not been submitted?
Mozilla, Google, Apple and Microsoft should remove this CA ASAP. If it breaks some sites, even better. Maybe it will make some noise and fix all this CA bullshit for good.
IMHO this could be handled more safely: suspend or remove acceptance of any StartSSL certificates issued after a given date. This should give them some more accountability.