[dijit]

Technically any CA can sign certificates from bad actors, letsencrypt is notable because they verify you own the domain automatically, and they do so for free.. I know of no issues in the ACME protocol.

That said, any CA can sign anything and your browser will trust it in most* cases.

* - Not under certificate pinning or CA pinning though.

[foo101]

Consider the scenario where I own a domain example.com for a year. Just a day before its expiry or just a day before I sell the domain to someone else, I obtain a certificate for it from letsencrypt via ACME protocol.

A week or month from now, the new owner of the domain sets up a HTTPs website. With the old certificate I have, I can now launch an MITM attack on the new owner for about 2-3 months!

[teraflop]

You can perform exactly the same attack with a 1-year certificate from any other CA.

[dastbe]

The answer to this is ultimately ratcheting down cert validity duration. As more people automate renewals we can get to the point where certs are valid for maybe days at a time.