Hacker News

tl;dr: StartSSL would issue certificates for sites like Github and Dropbox, and practically any site offering OAuth2, without having to have control over the domain.

StartEncrypt by StartCom/StartSSL has a LetsEncrypt-like verification process wherein the ownership of the domain is verified by doing an HTTP request, and having the listening webserver return a specific token.

The problem was that they allowed the user to choose the path on the domain, and so when you, for example, would host a raw file on Github or Dropbox, you could issue a certificate for that domain. Also, it would follow redirects, even to other domains, and with OAuth2 practically mandating open redirects, this was easy to do on many sites.
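To make the two validation flaws described above concrete, here is an added example (not code from the thread, StartCom, or any CA) that models an HTTP-based domain check against a constructed, in-memory set of hosts: a weak validator that lets the requester pick the path and follows redirects anywhere, beside a hardened one that fixes the path under `/.well-known/` and, as a conservative design choice assumed here, refuses redirects that leave the validated host. Hostnames, paths and tokens are constructed fixtures.

```python
from urllib.parse import urlparse

# Constructed fixture standing in for the HTTP fetches a validator would make.
# Each (host, path) either serves a body or issues a redirect.
SITES = {
    # The legitimate operator placed the token at the fixed challenge path.
    ("example.com", "/.well-known/acme-challenge/tok123"): {"body": "tok123"},
    # User-uploaded content on the same host (think: a raw file on a hosting site).
    ("example.com", "/uploads/u42/tok123.txt"): {"body": "tok123"},
    # An endpoint that redirects to an arbitrary other host (an open redirect).
    ("example.com", "/oauth/authorize"): {
        "redirect": "https://other.test/.well-known/acme-challenge/tok123"},
    # Even the fixed path may redirect off-host; the hardened check must refuse it.
    ("example.com", "/.well-known/acme-challenge/tok999"): {
        "redirect": "https://other.test/.well-known/acme-challenge/tok999"},
    ("other.test", "/.well-known/acme-challenge/tok123"): {"body": "tok123"},
    ("other.test", "/.well-known/acme-challenge/tok999"): {"body": "tok999"},
}

def fetch(url):
    """Simulated GET: look the URL up in the fixture; unknown URLs return an empty body."""
    u = urlparse(url)
    return SITES.get((u.hostname, u.path), {"body": ""})

def validate_weak(domain, path, token, max_hops=5):
    """Flawed flow as described in the thread: the requester chooses the path,
    and redirects are followed no matter which host they point to."""
    url = f"https://{domain}{path}"
    for _ in range(max_hops):
        resp = fetch(url)
        if "redirect" in resp:
            url = resp["redirect"]
            continue
        return resp.get("body") == token
    return False  # redirect loop or too many hops

def validate_hardened(domain, token, max_hops=5):
    """Fixed, validator-chosen path; any redirect must stay on the validated host."""
    url = f"https://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(max_hops):
        resp = fetch(url)
        if "redirect" in resp:
            target = urlparse(resp["redirect"])
            if target.scheme not in ("http", "https") or target.hostname != domain:
                return False  # off-host redirect proves nothing about `domain`
            url = resp["redirect"]
            continue
        return resp.get("body") == token
    return False
```

The weak validator accepts both the uploaded file and the open-redirect route, while the hardened one only succeeds for the token served at the fixed path on the host itself.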



Thank you. Wow.


Woah. I have zero security experience or acumen and I probably could have found that vulnerability. Remarkably poor.



