Hacker News

> brilliant, ethical, and pragmatic

In case it's news to others, as it was to me, Fastmail routinely acquires SSL certificates for its customers' domains without their knowledge or consent.

https://www.fastmail.com/help/files/secure-website.html




Not routinely, it was done once as part of the plan to support SSL for all websites, and when we hit some limits with letsencrypt, we shelved the plan for a bit. There are currently 4 unsolved issues, which the team are looking into.

We still need to find a way to provide automatic SSL for customer domains though - because we allow our customers to create arbitrary websites inside either their domains or their personal subdomain on our domains (username.fastmail.com).

The alternative of NOT doing something with SSL certificates is having insecure websites for customers by default, which will be more and more punished (and rightfully so) by browser interfaces. Setting up SSL for the domains which are hosted with us is the right thing to do.


You either trust them or not. I believe most customers wouldn't even know what a domain is, but still need it. It's kinda ironic that you want control, privacy and security but give away control of your domain to a 3rd-party. I get your point and I agree that anything involving this kind of behavior should be opt-in with clear red text warnings.


This seems largely practical/beneficial, and not of a significant downside. If you are pointing your domain at them for DNS, they are arguably canonically "that server" until you send it somewhere else, and they're securing the connection for you.

The short-term nature of Let's Encrypt also works out well for this, because if you take your domain elsewhere, FastMail loses the certificate to claim to be that domain very quickly due to rapid expiration.



