Hacker News
by foo101 3038 days ago
Consider the scenario where I own the domain example.com for a year. Just a day before its expiry, or just a day before I sell the domain to someone else, I obtain a certificate for it from Let's Encrypt via the ACME protocol.

A week or a month from now, the new owner of the domain sets up an HTTPS website. With the old certificate I have, I can now launch an MITM attack on the new owner for about 2-3 months!

2 comments

You can perform exactly the same attack with a 1-year certificate from any other CA.

The answer to this is ultimately ratcheting down cert validity duration. As more people automate renewals we can get to the point where certs are valid for maybe days at a time.
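As an added example, not code from this thread or from Let's Encrypt, the following Go program puts numbers on both the post's scenario and the replies. It mints self-signed certificates with the standard library as a stand-in for a CA (the name example.com, the transfer date, and the lifetimes are constructed fixtures), then measures how long a certificate obtained just before a transfer remains usable by the previous owner. The 90-day lifetime is the Let's Encrypt value the post alludes to; the 1-year and 7-day lifetimes are the two cases the replies raise, and the 7-day figure is an assumed short-lived lifetime, not an existing CA product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues a self-signed leaf certificate for name, valid from issued
// for lifetime. It plays the role of the CA in this example (a constructed
// fixture; no real CA is involved).
func mintCert(name string, issued time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    issued,
		NotAfter:     issued.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the validity fields are exactly what a client sees.
	return x509.ParseCertificate(der)
}

// residualExposure returns how long after the domain changes hands at
// transfer the certificate is still accepted for name: the window in which
// the previous owner can impersonate the new owner's site. It is zero when
// the certificate has already expired or does not cover name at all.
func residualExposure(cert *x509.Certificate, name string, transfer time.Time) time.Duration {
	if cert.VerifyHostname(name) != nil {
		return 0
	}
	if !transfer.Before(cert.NotAfter) {
		return 0
	}
	start := transfer
	if cert.NotBefore.After(start) {
		start = cert.NotBefore
	}
	return cert.NotAfter.Sub(start)
}

// scenarioDays models the post: a certificate with the given lifetime is
// obtained daysBefore days ahead of the transfer. It returns the residual
// exposure in whole days. The transfer date is a constructed fixture.
func scenarioDays(lifetime time.Duration, daysBefore int) (int, error) {
	transfer := time.Date(2024, time.June, 1, 0, 0, 0, 0, time.UTC)
	issued := transfer.AddDate(0, 0, -daysBefore)
	cert, err := mintCert("example.com", issued, lifetime)
	if err != nil {
		return 0, err
	}
	return int(residualExposure(cert, "example.com", transfer).Hours() / 24), nil
}

func main() {
	day := 24 * time.Hour
	cases := []struct {
		label    string
		lifetime time.Duration
	}{
		{"1-year cert (typical CA)", 365 * day},
		{"90-day cert (Let's Encrypt)", 90 * day},
		{"7-day cert (assumed short-lived)", 7 * day},
	}
	for _, c := range cases {
		// The post's trick: obtain the cert one day before the sale.
		d, err := scenarioDays(c.lifetime, 1)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-34s previous owner can MITM for %3d more days\n", c.label, d)
	}
	// A cert obtained well before the transfer that has already lapsed is harmless.
	d, _ := scenarioDays(90*day, 100)
	fmt.Printf("%-34s previous owner can MITM for %3d more days\n", "90-day cert, issued 100 days ago", d)
}
```

Run it with `go run .`; the residual window is simply the certificate lifetime minus the lead time before the transfer, which is why shortening lifetimes, as the second reply suggests, is the lever that shrinks it regardless of which CA issued the certificate.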