To me the biggest question is whether or not TLS was in place. That should prevent the attacker from intercepting the actual data without the victim noticing.
No, it doesn't. As mentioned in the article, the attacker successfully requested a TLS certificate for the hostname, which was possible because he could pass a CA's domain validation.
I'm not entirely sure, but I think HPKP could have prevented this for returning customers, because Fox-IT would have been able to pin the key of their own certificate. Then the new certificate used by the attacker would have been rejected by the customer's browser.
Yes, it more highlights that the simple presence of a valid certificate does NOT guarantee that you are connecting to the service that you think you are.
EV certs would be harder to compromise, but likely not too difficult for a sophisticated attacker. And who really notices if a site that had an EV cert suddenly doesn't? I might for my bank, but likely would not for a software product website.
> Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
Specifically Comodo reports that they sent their normal validation email to hostmaster@fox-it.com (which unknown to Comodo or Fox-IT at the time was being directed to the attackers). I've never used Comodo's implementation of 3.2.2.4.4 but typically there's an email with a code in it, telling you to go to a web page and paste the code in if you want to authorise the issuance of the requested certificate, or something along those lines.
The security of this validation method (3.2.2.4.4) depends upon
1. You control DNS for your domain including the MX records used to deliver email (this is where Fox-IT came undone here)
2. You control the MX servers, or if you have a third party providing backup MX, you trust them not to abuse that
3. The Certificate Authority does a good job of getting accurate DNS records and connecting to the right IP address
4. All email addresses in your WHOIS records plus a handful of famous ones like hostmaster@, postmaster@ are delivered to people you trust in your organisation.
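As an added example (not from any commenter, and not Fox-IT's or Comodo's tooling), a small Python audit of the four conditions above run over constructed DNS snapshots: it flags NS/MX drift from a known-good baseline, which is what a hijack like this one would look like, and lists validation mailboxes that do not reach a trusted person. All zone names, records and mailbox owners are hypothetical.

```python
from dataclasses import dataclass

# Constructed known-good baseline for a hypothetical zone (not Fox-IT's real records).
BASELINE = {
    "NS": {"ns1.example-dns.test.", "ns2.example-dns.test."},
    "MX": {"mail.example.test."},
}
# Local parts a CA may send a 3.2.2.4.4 challenge to: the well-known ones plus
# WHOIS contacts. "dns-contact" stands in for a WHOIS contact (constructed).
VALIDATION_MAILBOXES = {"hostmaster", "postmaster", "webmaster", "admin",
                        "administrator", "dns-contact"}

@dataclass(frozen=True)
class Finding:
    kind: str    # "NS", "MX" or "MAILBOX"
    detail: str

def diff_zone(baseline, observed):
    """Findings for every NS/MX record added or dropped relative to the baseline.
    Whoever controls NS or MX receives the CA's validation email (conditions 1-2)."""
    findings = []
    for rrtype in ("NS", "MX"):
        want, got = baseline.get(rrtype, set()), observed.get(rrtype, set())
        for rec in sorted(got - want):
            findings.append(Finding(rrtype, f"unexpected record {rec}"))
        for rec in sorted(want - got):
            findings.append(Finding(rrtype, f"missing record {rec}"))
    return findings

def unsafe_validation_mailboxes(routing, trusted_people):
    """routing maps local-part -> person who reads it (None or absent if it is
    undeliverable, a catch-all, or unknown). Returns validation mailboxes that
    are not delivered to a trusted person (condition 4)."""
    return sorted(lp for lp in VALIDATION_MAILBOXES
                  if routing.get(lp) not in trusted_people)

def audit(observed, routing, trusted_people, baseline=BASELINE):
    """Combine both checks into one list of findings for a poll of the zone."""
    findings = diff_zone(baseline, observed)
    for lp in unsafe_validation_mailboxes(routing, trusted_people):
        findings.append(Finding("MAILBOX", f"{lp}@ is not routed to a trusted person"))
    return findings

if __name__ == "__main__":
    # Constructed observation simulating a hijack: MX repointed to a foreign host.
    observed = {"NS": BASELINE["NS"], "MX": {"mx.attacker.test."}}
    routing = {"hostmaster": "alice", "postmaster": "alice", "webmaster": None}
    for f in audit(observed, routing, {"alice", "bob"}):
        print(f.kind, f.detail)
```

Because the attacker here held the records for only about ten minutes, a poll of this kind has to run more often than that to stand a chance of catching the change rather than only explaining it afterwards.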