In this new beta update of ssl certificate page, I was able to issue a let’s encrypt ssl certificate for my subdomain, and it worked, so why you said that let’s encrypt is not for subdomains.
This worked so well, my website is very much secured, trusted, and smoothly working. No problems.
You should take care of your free subdomain users. But let’s encrypt ssl should not be available for free subdomains, because free subdomains are mostly used for fraud, phishing, etc. So adding a trusted ssl will make the sites more trusted to the victims and they will be scammed so easily. < I think this topic is both hosting support and informal also >
The reason Let’s Encrypt doesn’t work for subdomains is that Let’s Encrypt has limits on how many certificates they will issue for a certain registered domain name. That limit is 50 certificates per week right now.
So that means that Let’s Encrypt will only provide 50 certificates per week for html-5.me and ALL subdomains. And if you look at how many certificates we issue for, say, epizy.com, 50 per week is nowhere near enough to provide a certificate to everyone.
So why could you get one for html-5.me? Because I forgot to add it to the list of domains for subdomains. But that’s fixed now.
We are taking care of free subdomain users. That’s why we have GoGetSSL and ZeroSSL providers (which do not have the same certificate limit). ZeroSSL especially is just as easy to use as Let’s Encrypt.
Having an SSL certificate doesn’t make a site trustworthy. That’s not what an SSL certificate does, or has ever done, despite the marketing nonsense to the contrary.
The only things an SSL certificate ensures is that you are connected to the website that’s in the address bar and the data transmitted cannot be seen or manipulated by a third party.
So if you send credit card details to a website, an SSL certificate ensures that nobody else but you and the website can see the credit card details. It provides absolutely zero guarantee that the website will actually provide the services or products you paid for, or that they won’t sell your card details on the dark web.
@Admin From the perspective of a normal Internet user, if we see a lock sign next to a URL, we assume that this site is trustworthy because we don’t know exactly what it is. We are not well-versed in Internet security. When I asked why they trusted that site and gave their personal information, they said they saw the lock icon beside the url and that is why they trusted that site and gave their personal information. Scammers target countries such as India and Bangladesh because they are unaware of the difference between a legitimate and a phishing URL. They only have faith in the lock icon. Another factor is greed, because most phishing sites promise large sums of money in exchange for personal information.
It’s just my opinion, but you run a business. I’m not saying you should disable SSL, but I am saying you should closely monitor the sites because I’ve seen a lot of phishing sites using ifastnet free subdomains. And infinityfree is a major ifastnet free hosting provider.
That could be a common misunderstanding on the internet.
HTTPS only means a site is secure. It only means that information you provide should be safe from man-in-the-middle attacks (Unless the key was compromised of course, hence the word should).
Trust is something that only you can provide.
And if we did not issue certificates to certain websites, they could just get them free elsewhere.
Besides, checking every website is hard, and when we do find ones that are illegal, spammy, or have other issues, we suspended them, not revoke their access to SSL certs.
Anyone who knows anything about security knows that SSL certificates don’t make a site trustworthy, and no government or bank or other institution will tell you “look for the lock in the address bar to know you’re dealing with a trustworthy site”.
Back in the early 2000’s maybe, when SSL certs were really expensive and you needed dedicated IPs to use them, then only serious companies had them. And it would be out of reach of some scam site. But even then, it doesn’t say anything about the quality of the company you’re dealing with.
In the past you still had Extended Validation certificates that showed the company name in the address bar. But even that’s no longer the case. Why? Because browser makers also know that having an SSL certificate doesn’t make a site trustworthy.
Also, why should this be our responsibility? You can just get a Let’s Encrypt certificate yourself using a third party tool. And then it’s Let’s Encrypt that “certifies” the connection as being safe. Shouldn’t you go after Let’s Encrypt for not vetting the sites that they provide certificates to?