The HTTP-based challenge is similar in scope to the DNS one: an attacker would still need the target’s private key to actually impersonate the ACME session itself.
Put another way: this is still not an issue with ACME itself, but the fact that the Web PKI is built on top of unauthenticated substrates (primarily DNS). If someone (like your cloud provider) can demonstrate control of your domain, then it is ipso facto their domain as well. ACME can’t solve that any more than the previous generation of DV techniques could.
I understand. I just used the DNS challenge as an example. I generally use the DNS challenge since I can assign certs on my private network more easily (the zone is public.)
The DNS based attack would be harder than doing that, for, say, a malicious cloud vendor to implement.
Also, you don’t need a private key to bootstrap a new domain with a new ACME provider.