Comment by 0xbadcafebee
2 days ago
TLS 1.0, 1.1 and 1.2 are still in use, despite 1.0 and 1.1 being deprecated, and only 1.3 requires forward secrecy. So any attacker that can MITM can just force a protocol that doesn't require forward secrecy.
In terms of "no longer controls this domain name", or "no longer controls this IP address", there are a raft of other issues related to this that expiration doesn't cover:
- Does the real domain owner still have a DNS record pointing to an IP address they no longer own? If yes, an attacker that now has that IP can serve valid TLS.
- Does the attacker control either the registrar account, or the name server account, or can poison DNS, or an HTTP server, or an email server, or BGP? If yes, the attacker can make new certs.
There are so many holes in TLS it's Swiss cheese. Expiration as security is like a cardboard box as a bulletproof vest. Yet that cardboard box is so bulky and cumbersome it makes normal life worse.
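As an added illustration (not part of the comment above and not the commenter's code): a downgrade to a non-forward-secret cipher suite or to TLS 1.0/1.1 only succeeds if the server still offers them, so the practical check is to audit what a TLS configuration will actually negotiate. The script below does that for a Python `ssl.SSLContext` using only the standard library, with no network access. The function and context names are hypothetical; what it inspects (the `kea` and `protocol` fields returned by `SSLContext.get_ciphers()`, and `minimum_version`) is the real Python `ssl` API.

```python
"""Audit an ssl.SSLContext for the two downgrade targets the comment names:
protocol versions below TLS 1.2 and cipher suites whose key exchange is not
forward secret (static RSA key transport).

Added example, not code from the comment. Function and context names are
hypothetical; only the standard-library ssl module is used, offline.
"""
import ssl

# Key-exchange identifiers OpenSSL reports for ephemeral (forward-secret)
# exchanges. TLS 1.3 suites report "kx-any" but are always (EC)DHE, so they
# are accepted by protocol version rather than by this set.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which negotiable suites/versions would let a MITM avoid PFS."""
    non_pfs = [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["kea"] not in FORWARD_SECRET_KEA
    ]
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) compares below TLSv1_2.
    min_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return {
        "min_version_ok": min_ok,
        "non_pfs_suites": non_pfs,
        "forward_secret_only": min_ok and not non_pfs,
    }


def legacy_server_context() -> ssl.SSLContext:
    """The situation the comment describes: old protocol versions and
    static-RSA suites still enabled, so a downgrade has something to land on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")  # includes e.g. AES128-GCM-SHA256 (kea "kx-rsa")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 and up only, and only authenticated (EC)DHE suites below 1.3.
    TLS 1.3 suites remain enabled and are forward secret by construction."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL"
    )
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        report = audit_context(ctx)
        print(f"{label}: forward_secret_only={report['forward_secret_only']}, "
              f"min_version_ok={report['min_version_ok']}")
        for name in report["non_pfs_suites"]:
            print(f"  non-PFS suite offered: {name}")
```

The same question can be put to a live endpoint with `openssl s_client -connect host:443 -tls1_1` or `-cipher kRSA`: a handshake that succeeds means the downgrade the comment describes has a target; one that fails means the server never offered it, regardless of what the attacker can intercept.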