Appropriate Use of SSL Certificates
Why we don't have a certificate for www.instantssl.com
SSL Certificates are commonly used to protect the flow of confidential or sensitive information, most commonly personal details and credit cards.
Their use is, and should be, kept to areas where this is needed, such as payment gateways or forms that require personal information to be entered.
All of the Comodo sites use one centralised system for payment and information processing. This resides on the domain name 'secure.comodo.net' (and now additionally 'secure.trust-provider.com', a white-labeled copy for resellers), which is where we do need the SSL, and indeed it is in place.
However, visiting https://www.instantssl.com shows an error, because the certificate presented is for secure.comodo.net.
The sites are hosted on the same server, on the same IP address. Not only does www.instantssl.com not require a certificate, but to give it one we would need to get an extra IP for the server. At the present time, this is not something we can do.
Q: What about an example page then, that doesn't show errors?
Q: What about EV Certificates?
A: As an exception to the above, we have an EV Certificate on www.comodo.com, even though no confidential data is requested there. It is there to demonstrate the use of EV SSL Certificates.
Q: What about the login boxes from InstantSSL/Enterprise/Positive etc.? If you don't have a certificate, aren't they insecure?
A: No. The login submits your information over an encrypted link, even though the login page itself isn't encrypted. Our login system uses many separate layers of cryptography to be secure.
Q: But other companies do it!
A: Go here: https://www.google.co.uk/. You get an error, because the certificate is on google.com. The parts where they ask you for confidential data are on google.com. That's just one example, like ours, of proper practice.
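
The errors described above for https://www.instantssl.com and https://www.google.co.uk/ come from the client comparing the hostname it asked for with the names in the certificate the server presents. A simplified version of that comparison follows as an added example (not Comodo's code); the certificate name lists are constructed, and the Google list is an assumption for illustration.

```python
# Added example: simplified hostname-vs-certificate name check,
# in the style of RFC 6125 (whole-label, left-most wildcards only).

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one DNS name from a certificate covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False              # a wildcard never spans extra labels
    if p[0] == "*":
        if len(p) < 3:
            return False          # refuse broad patterns such as *.com
        return p[1:] == h[1:]     # wildcard stands for exactly one label
    return p == h

def check_host(cert_names, hostname):
    """Return the certificate name that covers hostname, or None on mismatch."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None

# Constructed name lists. The first reflects the page's statement that the
# certificate is for secure.comodo.net; the second is an assumed list.
PAYMENT_CERT = ["secure.comodo.net"]
GOOGLE_CERT = ["google.com", "*.google.com"]

def report(cert_names, hostnames):
    """Map each requested hostname to the covering name (None = error shown)."""
    return {h: check_host(cert_names, h) for h in hostnames}

if __name__ == "__main__":
    # Both sites share one server and IP, so both receive PAYMENT_CERT.
    for host, hit in report(PAYMENT_CERT,
                            ["secure.comodo.net", "www.instantssl.com"]).items():
        print(host, "->", hit or "name mismatch")
    for host, hit in report(GOOGLE_CERT,
                            ["www.google.com", "www.google.co.uk"]).items():
        print(host, "->", hit or "name mismatch")
```
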