We know that usernames and passwords are broken, password resets are, SSL certificates, hacks like certificate pinning etc. and many other things.
Apparently even domain name ownership proof is just as broken: there seems to be no method to authoritatively determine whether somebody who claims to own a domain actually does.
If somebody came to me and said they had designed that thing that was going to be great, called the internet, and it had all those identity problems, I’d be sending them back to redesign. #frustrated