by jorams
3112 days ago
The post says the following:

> Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
The security of this validation method (3.2.2.4.4) depends upon:

1. You control DNS for your domain, including the MX records used to deliver email (this is where Fox-IT came undone here).
2. You control the MX servers, or if you have a third party providing backup MX, you trust them not to abuse that.
3. The Certificate Authority does a good job of getting accurate DNS records and connecting to the right IP address.
4. All email addresses in your WHOIS records, plus a handful of famous ones like hostmaster@ and postmaster@, are delivered to people you trust in your organisation.
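The four conditions above can be turned into a check an organisation runs against its own records. The following is an added example, not code from the thread, from Fox-IT or from any CA: it enumerates every mailbox a CA could pick for email-based validation and flags any whose MX host or recipient the organisation does not control. It works against a constructed, in-memory DNS view so that it runs offline; the domain, WHOIS contacts, MX records and trusted sets are made-up sample data. The five constructed local parts are the ones the CA/Browser Forum Baseline Requirements list for "constructed email to domain contact" validation. Condition 3 (the CA itself resolving DNS correctly) is on the CA's side and is deliberately not modelled.

```python
"""Audit which mailboxes an email-based domain-validation check could land on.

Added example, not the commenter's or Fox-IT's code. DNS and WHOIS data are
constructed in memory so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Local parts a CA may mail without consulting WHOIS at all (Baseline
# Requirements, "constructed email to domain contact").
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster",
                           "hostmaster", "postmaster")

MxRecords = Dict[str, List[Tuple[int, str]]]   # domain -> [(preference, host)]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    mx_host: Optional[str]
    reason: str


def lowest_mx(mx_records: MxRecords, domain: str) -> Optional[str]:
    """Return the MX hostname with the lowest preference, or None if no MX exists."""
    records = mx_records.get(domain)
    if not records:
        return None
    return min(records)[1]          # tuples sort by preference first


def validation_mailboxes(domain: str, whois_contacts: List[str]) -> List[str]:
    """Every address a CA could use for email-based validation of `domain`."""
    constructed = {f"{lp}@{domain}" for lp in CONSTRUCTED_LOCAL_PARTS}
    return sorted(constructed | {c.lower() for c in whois_contacts})


def audit_domain(domain: str, mx_records: MxRecords, whois_contacts: List[str],
                 trusted_mx_hosts: Set[str], trusted_mailboxes: Set[str]) -> List[Finding]:
    """Flag any validation mailbox the organisation does not fully control.

    Conditions 1 and 2 of the comment: the MX host that would receive the mail
    is one we operate or trust.  Condition 4: the mailbox is read by someone
    we trust.  Condition 3 is the CA's responsibility and is not checked here.
    """
    findings: List[Finding] = []
    for mailbox in validation_mailboxes(domain, whois_contacts):
        mail_domain = mailbox.rsplit("@", 1)[1]
        mx_host = lowest_mx(mx_records, mail_domain)
        if mx_host is None:
            findings.append(Finding(mailbox, None, "no MX record; delivery target unknown"))
            continue
        if mx_host not in trusted_mx_hosts:
            findings.append(Finding(mailbox, mx_host, "MX host is not one we control or trust"))
        if mailbox not in trusted_mailboxes:
            findings.append(Finding(mailbox, mx_host, "mailbox is not routed to a trusted person"))
    return findings


# --- constructed sample data (hypothetical, not real records) ---------------
DOMAIN = "example.com"
WHOIS_CONTACTS = ["domains@example.com"]
TRUSTED_MX_HOSTS = {"mx1.example.com", "mx2.example.com"}
TRUSTED_MAILBOXES = {f"{lp}@{DOMAIN}" for lp in CONSTRUCTED_LOCAL_PARTS} | {"domains@example.com"}

NORMAL_MX: MxRecords = {"example.com": [(10, "mx1.example.com"), (20, "mx2.example.com")]}

# The failure mode the comment highlights: DNS control is lost and a lower
# preference MX pointing at a host the attacker runs is inserted, just long
# enough to receive one validation mail.
HIJACKED_MX: MxRecords = {"example.com": [(5, "mail.attacker.invalid"), (10, "mx1.example.com")]}


if __name__ == "__main__":
    for label, records in (("normal", NORMAL_MX), ("hijacked", HIJACKED_MX)):
        print(f"== {label} ==")
        for f in audit_domain(DOMAIN, records, WHOIS_CONTACTS, TRUSTED_MX_HOSTS, TRUSTED_MAILBOXES):
            print(f"  {f.mailbox}: {f.reason} (MX {f.mx_host})")
```

Run against live data, the MX lookup would be replaced by a real resolver query and the WHOIS list by the registrar's current contact records; the point of the check is that a single lower-preference MX inserted at the registrar is enough to redirect every one of these mailboxes at once, which is exactly the window the post describes.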