On January 9, Frans Rosén from Detectify identified a vulnerability in the TLS-SNI-01 domain validation method used by Let’s Encrypt, which could allow attackers to obtain SSL/TLS certificates for domains they do not own, undermining the trust that secure web browsing depends on. The flaw was exploitable in particular where cloud providers host multiple users on the same IP address without properly validating domain ownership, which would let an attacker intercept traffic to seemingly secure websites. In response, Let’s Encrypt promptly disabled TLS-SNI-01 validation, urged users to switch to the HTTP-01 or DNS-01 validation methods, and announced plans to phase out TLS-SNI-01 and TLS-SNI-02 entirely. Major providers such as AWS CloudFront and Heroku moved quickly to mitigate the issue by refusing to let customers add domains ending in .invalid. Let’s Encrypt plans to work with the IETF ACME working group so that future specifications address this class of problem.
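As an added illustration of the provider-side mitigation described above (this is not code from Let’s Encrypt, CloudFront or Heroku), the check below is what a multi-tenant edge could run before a customer attaches a hostname to their account: it normalizes the name, validates label syntax, and rejects the entire .invalid top-level domain, which is the namespace the TLS-SNI-01 challenge name lived in. The function names and the two-label minimum are assumptions for this example.

```python
import re

# A DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
# Names are lower-cased before matching, so the pattern only needs lowercase.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(name: str) -> str:
    """Lower-case and strip a trailing dot so a suffix check cannot be bypassed
    with 'ACME.INVALID.' instead of 'acme.invalid'."""
    return name.strip().lower().rstrip(".")


def is_acceptable_hostname(name: str) -> bool:
    """Admission check for a hostname a tenant wants to serve on a shared IP.

    Returns False for syntactically invalid names and for anything under
    .invalid, which can never be a real domain (RFC 2606) but is exactly what
    a TLS-SNI-01 validation request would present in SNI on the shared address.
    """
    host = normalize_hostname(name)
    labels = host.split(".")
    # Assumption for this example: require at least a second-level name so bare
    # single-label hosts ("localhost") are not accepted either.
    if len(host) > 253 or len(labels) < 2:
        return False
    if any(not LABEL_RE.match(label) for label in labels):
        return False
    # Block the whole TLD rather than only acme.invalid, as the providers did;
    # there is no legitimate customer use for a .invalid name.
    if labels[-1] == "invalid":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not values observed anywhere.
    for candidate in ("www.example.com", "abc123.def456.acme.invalid",
                      "ABC.ACME.INVALID.", "-bad.example.com"):
        print(candidate, "->", is_acceptable_hostname(candidate))
```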