by dopamean 3745 days ago
I work for a hosting provider that acts as a reseller of certs and we use the DV file option the author speaks of. It's easy for us because we can automate the entire process for the customer.

Whenever I've bought a cert for myself I've used the same process. I never thought email verification seemed like a great idea.

1 comment

It's certainly easier for automation. I think the security implications are mostly the same - you're vulnerable to DNS spoofing and BGP hijacking either way. With email validation, a misconfigured or breached email server is enough to get a certificate, while with HTTP validation, it's your web server or web app that could be vulnerable.
And a vulnerability in your website permitting an attacker to create a file opens the possibility for an attacker to get a certificate for your site too, and without certificate transparency you'll possibly never even know it happened...
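The point the reply makes about file-based DV is easiest to see in a small simulation. What follows is an added example, not code from the thread, from the hosting provider, or from any CA: the CA side mints a random token and expects it back at a fixed path, the "web server" is an in-memory dict standing in for files served over HTTP, and the validation directory, token format and the two upload handlers are assumptions chosen for illustration. The naive upload handler trusts a client-supplied filename, so a path-traversal upload lands the token at the validation path and the check passes for the attacker; the hardened handler keeps only the basename, so the same upload stays under /uploads and the check fails.

```python
"""
Simulated file-based domain validation (DV) and the write-anywhere attack
surface described in the comment above. Added example; the path layout,
token format and upload handlers are assumptions, not any CA's real API.
"""
import hmac
import posixpath
import secrets

# Assumed validation directory; real CAs publish their own required path.
VALIDATION_DIR = "/.well-known/pki-validation"


class WebRoot:
    """In-memory stand-in for a site's document root served over HTTP."""

    def __init__(self):
        self.files = {}

    def write(self, path, content):
        self.files[path] = content

    def fetch(self, path):
        # Mimics an HTTP GET: body on 200, None on 404.
        return self.files.get(path)


def issue_challenge():
    """CA side: mint an unguessable token and the path it must appear at."""
    token = secrets.token_hex(16)
    return token, f"{VALIDATION_DIR}/{token}.txt"


def validate(webroot, token, path):
    """CA side: fetch the file over 'HTTP' and require its body to equal the token."""
    body = webroot.fetch(path)
    if body is None:
        return False
    return hmac.compare_digest(body.encode(), token.encode())


def naive_upload(webroot, filename, content):
    """Vulnerable handler (assumed): trusts the client-supplied filename,
    so '../' escapes /uploads and can create a file anywhere under the root."""
    path = posixpath.normpath(f"/uploads/{filename}")
    webroot.write(path, content)
    return path


def hardened_upload(webroot, filename, content):
    """Fixed handler: keep only the basename and refuse anything that would
    resolve outside the /uploads directory."""
    safe_name = posixpath.basename(filename)
    path = posixpath.normpath(f"/uploads/{safe_name}")
    if not path.startswith("/uploads/"):
        raise ValueError("rejected upload path")
    webroot.write(path, content)
    return path


def owner_passes():
    """Legitimate flow: the site admin drops the token file at the required path."""
    webroot = WebRoot()
    token, path = issue_challenge()
    webroot.write(path, token)
    return validate(webroot, token, path)


def attacker_passes_via_naive_upload():
    """Attacker requests a cert for the victim's name (so they know the token)
    and plants it through the traversal-prone upload handler."""
    webroot = WebRoot()
    token, path = issue_challenge()
    attacker_name = f"../.well-known/pki-validation/{token}.txt"
    naive_upload(webroot, attacker_name, token)
    return validate(webroot, token, path)


def attacker_blocked_by_hardened_upload():
    """Same attack against the fixed handler: the file stays under /uploads."""
    webroot = WebRoot()
    token, path = issue_challenge()
    attacker_name = f"../.well-known/pki-validation/{token}.txt"
    hardened_upload(webroot, attacker_name, token)
    return validate(webroot, token, path)


if __name__ == "__main__":
    print("owner:", owner_passes())
    print("attacker, naive upload:", attacker_passes_via_naive_upload())
    print("attacker, hardened upload:", attacker_blocked_by_hardened_upload())
```

The hardened handler only closes the one write primitive shown here; any other way of creating a file at the validation path (an unrestricted file manager, a writable shared host directory, a compromised deploy pipeline) has the same effect, which is why monitoring certificate transparency logs for your own names is the detective control that complements fixing the write.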