[e_d_e_v]

I came here to say this. What's more, the spec was agreed upon, in relatively public forums, with a voice from the community. Crappy shared hosting providers are going to mostly ignore their customers and perpetuate insecure scenarios while they continue to bill exorbitant rates that exploit the customers' ignorance or inertia. That has been the case for some time, and will continue to be the case, this is just another symptom.

[rgbrenner]

What's more, the spec was agreed upon, in relatively public forums, with a voice from the community.

It was agreed upon and no one caught this issue. Now we know the issue.

There's nothing wrong with using a protocol you think is correct. There is something wrong with using a protocol you know is incorrect, but continue to use it anyway.

The entire internet should not be required from now to forever to workaround LE's mistake. LE should fix their protocol.

And worse, this protocol isn't even needed for LE. They could remove it, and everyone could use one of the two others that are secure, and LE would be just fine, and everyone -- even those crappy shared hosting providers -- would be perfectly secure.

LE created this issue all by itself, and is capable of fixing it all by itself. LE should do that.

[DanielDent]

LE "created" this issue in the sense that they were the first to formalize an implementable specification for automated verification of authorized domain name use.

In comparison to the prior relatively unspecified approach to verification, it's still an improvement.

"The last person who touched needs to take ownership over anything anyone can blame on the change" is the management style which leads to enterprise IT being unable to get anything done. Because at that point, the safest thing is to never change anything - regardless of how bad things currently are.

Sometimes the world changes, and other parts of the technology ecosystem need to adapt.

[Editing to add since I can't reply to you]: The fundamental "flaw" here is that it's possible for people to get self-signed certificates served for domains where they haven't validated ownership of the domain.

Hosting companies can't be simply adjusting their routing tables for anyone who asks. If you are pointing a domain name at an IP address which will accept routes from any untrusted party, that's simply not a secure situation.

A signed certificate might be good evidence of some authority for a domain, but a self-signed certificate used in a challenge process most assuredly is not.