I read that they were able to redirect the traffic to their own machine, and therefore perform an http-01 challenge like anyone else.
Which can effectively be mitigated by using DNSSEC, DANE and CAA. Browser support for DANE is currently rather poor, but most MTAs and MUAs support it out of the box.
-Jeroen _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
