Many CAs only send an email to the domain administrator on record before issuing a DV certificate, said Trell Rohovit, CEO of HydrantID, a startup that sells digital certs on a subscription basis.
"So essentially a bad guy only has to beat one process/person/or email, and -- puff -- your brand just flew out proverbial Internet window," Rohovit said.
Symantec, CloudFlare and GoDaddy did not have an immediate comment.
Comodo said it has "the largest share of the problem" due to it being the largest CA, according to an email statement from CEO Melih Abdulhayoglu.
Rogue DV certificates are revoked by Comodo when the company is made aware of them, Abdulhayoglu wrote.
But certificate issuance is a complex process, and the problem with automated systems (like DV certificates) is that there are no human validation operators vetting the issued certificates," he wrote.
A spokesman for Abdulhayoglu said Comodo would not comment further on Netcraft's allegations.
Some CAs won't issue DV certificates at all because of security concerns. DigiCert, based in Lehi, Utah, believes DV certificates provide "little value" and that phishing risks could be mitigated by not issuing them, according to its website.
Entrust, based in Minneapolis, also doesn't issue DV ones, citing security concerns.
"Although the domain validated certificate supports transaction encryption, the end user cannot trust the certificate to confirm who is on the other end," its website says.
Netcraft, based in Bath, England, does have a commercial incentive to release these findings: it sells a service, called Domain Registration Risk, which scores domain names and how likely they will be used for phishing.
The service is intended for domain name registrars but also could be used by CAs prior to issuing a certificate, Edgecombe wrote.
Sign up for CIO Asia eNewsletters.