Let’s Encrypt changes the certificate issuing process. New security measures placed

Let’s Encrypt Certification Authority (CA) just announced multi-perspective domain validation as part of a plan to improve security standards in Internet use. In this way, Let’s Encrypt becomes the first CA to implement multi-perspective validation. 

Domain validation is a process used by all CAs to ensure that the requester of a certificate is actually the domain controller that they want to register. Typically, the validation process involves asking the domain owner to place a particular file or token in a controlled location for the domain, such as a particular path or DNS entry. Subsequently, the CA will verify that the applicant for validation can do so as agreed, as shown in the following graphic:

While this is a reliable process, there are several potential drawbacks. For example, if an attacker could hijack or redirect network traffic along the validation path, it could trick the CA into issuing a certificate incorrectly. While this is not a popular attack vector at present, researchers fear they will be relevant in the future. 

Cybersecurity specialists consider that Border Gateway Protocol (BGP), like most of its implementations, is very unsafe, and despite ongoing efforts to secure them, there could still be a lot of time to complete this Work. Therefore, Let’s Encrypt decided to take another approach and, instead of validating from a network approach, to start adopting validation from multiple perspectives, as the graph shows:

This new approach will validate from multiple regions within a single cloud provider. This approach is designed to diversify to other cloud providers in the future. The new approach will make it difficult for attackers to face greater complexities, as they will have to successfully compromise three different network routes at the same time, and increases the likelihood that the attack will be detected by cybersecurity specialists.