Let's Encrypt had a similar vulnerability late last year.[1] That was successfully exploited in a malware attack. There's also a potential BGP attack.[2]
Validating that a host is on the correct domain is very hard in the presence of attacks. DNS can be spoofed. If there were an easy way to verify domains, CA-issued SSL certs would be unnecessary.
> How was this attack carried out? The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site.
That's quite different. The attackers appear to have had full control of DNS in that case. Being able to control DNS is essentially the definition of domain ownership. Fraudulent issuance would be the smallest problem for a site affected by this. They'd have gotten a certificate from practically any CA issuing DV certificates.
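As an added illustration of the point in that reply (this is example code written for this page, not code from the thread, from Let's Encrypt or from any CA), the toy model below implements the essence of an HTTP-01-style DV check: resolve the name, fetch a token from whatever the name points at, issue if it matches. The zone contents, IP addresses (documentation ranges) and the "attacker gains DNS write access" step are all constructed for the example. It shows that an attacker who can add `ad.example.com` to the zone passes DV for that name at this CA, and would at any DV-only CA, while the same attacker without DNS control fails both for a new name and for the apex.

```python
"""Toy DV (HTTP-01-style) issuance model. Added example; all data constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Zone:
    """DNS zone for a domain: name -> IPv4. Whoever can write here controls the names."""
    records: dict = field(default_factory=dict)

    def resolve(self, name):
        return self.records.get(name.lower().rstrip("."))


@dataclass
class Host:
    """A web server at one IP that can serve ACME-style challenge files."""
    ip: str
    challenges: dict = field(default_factory=dict)

    def get(self, path):
        prefix = "/.well-known/acme-challenge/"
        if not path.startswith(prefix):
            return None
        return self.challenges.get(path[len(prefix):])


class ToyCA:
    """A DV-only CA: validates by DNS lookup + HTTP fetch of a token, nothing else."""

    def __init__(self, zone, network):
        self.zone = zone
        self.network = network  # ip -> Host; stands in for routing to that IP
        self.issued = []

    def request(self, name, applicant_host):
        token = secrets.token_urlsafe(16)
        # The applicant provisions the token on whatever host it controls.
        applicant_host.challenges[token] = token
        ip = self.zone.resolve(name)
        if ip is None:
            return "NXDOMAIN"
        host = self.network.get(ip)
        if host is None:
            return "unreachable"
        if host.get("/.well-known/acme-challenge/" + token) != token:
            return "challenge mismatch"
        self.issued.append(name)
        return "issued"


def run_scenario():
    """Constructed scenario: legitimate owner vs. attacker, with and without DNS write access."""
    owner_host = Host("192.0.2.10")        # constructed, documentation-range IPs
    attacker_host = Host("198.51.100.7")
    network = {h.ip: h for h in (owner_host, attacker_host)}

    zone = Zone({"example.com": owner_host.ip, "www.example.com": owner_host.ip})
    ca = ToyCA(zone, network)
    results = {}

    # 1. Owner requests a cert for its own name: passes, as it should.
    results["owner example.com"] = ca.request("example.com", owner_host)

    # 2. Attacker with no DNS access asks for a name that does not exist in the zone.
    results["attacker ad.example.com (no dns)"] = ca.request("ad.example.com", attacker_host)

    # 3. Attacker with no DNS access asks for the apex: the token sits on the
    #    attacker's host, but the CA fetches it from the owner's host.
    results["attacker example.com"] = ca.request("example.com", attacker_host)

    # 4. Domain shadowing (assumed: attacker has obtained write access to the zone)
    #    and points a new subdomain at its own server. DV now succeeds, because
    #    control of DNS is exactly what DV measures.
    zone.records["ad.example.com"] = attacker_host.ip
    results["attacker ad.example.com (shadowed)"] = ca.request("ad.example.com", attacker_host)

    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:45s} -> {outcome}")
```

Note that the model checks nothing beyond DNS plus a fetch; that is the whole DV threat model, so there is no extra check the CA could have applied in case 4 without changing what DV means.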
Domain validation is messy and far from perfect, but this vulnerability is just inexcusable.
Those are not comparable. For better or worse, the attacks you speak of are not covered by DV's threat model, and all DV-issuing CAs, not just Let's Encrypt, suffer from them.
The Startcom vulnerabilities, on the other hand, are much easier to exploit and clearly violate DV's threat model.
[1] http://blog.trendmicro.com/trendlabs-security-intelligence/l...
[2] https://community.letsencrypt.org/t/attack-on-domain-verific...