@farshidhakimy @aral Absolutely — you're right, this isn’t a brand-new concept. Cloudflare's cert on https://1.1.1.1 is a great example of a legitimate use case for IP-based certificates, especially in infrastructure-focused services like public DNS.
And yes, other CAs have issued certs for IP addresses before Let's Encrypt started doing it — so it’s not unprecedented. The shift here is more about accessibility and scale. Let’s Encrypt offering free certs for public IPs means this capability is now much more widely available, even to actors who previously didn’t have the budget or motivation to go through commercial CAs.
That’s where the risk discussion comes in — not that certs for IPs are inherently bad, but that easier issuance could lower the barrier for phishing kits, command-and-control servers, or shady hosts to appear more “legitimate” with a valid HTTPS padlock, especially in contexts where URLs are masked or shortened.
So yeah, not panic-worthy — just something worth watching as it scales.
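
One way to do the "watching" mentioned above, as an added example that is not part of the original post: flag HTTPS requests whose host is a bare, non-internal IP address in proxy logs. The log format, the allowlist and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: IP-literal HTTPS endpoints this organisation expects to see.
ALLOWLIST = {ipaddress.ip_address("1.1.1.1")}

# Internal ranges where an IP-literal URL is routine (appliances, lab hosts).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def flag_https_ip_urls(lines):
    """Return (line_no, ip, url) for each HTTPS URL whose host is a
    non-internal, non-allowlisted IP literal."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            try:
                parts = urlsplit(url)
                ip = ipaddress.ip_address(parts.hostname or "")
            except ValueError:
                continue  # malformed URL, or the host is a DNS name
            if parts.scheme.lower() != "https":
                continue  # no certificate involved
            if ip in ALLOWLIST or any(ip in net for net in INTERNAL):
                continue
            findings.append((line_no, str(ip), url))
    return findings

# Constructed proxy log lines.
SAMPLE_LOG = [
    "GET https://203.0.113.45/login?u=1 200",
    "GET https://1.1.1.1/dns-query 200",
    "GET http://198.51.100.7/a 200",
    "GET https://192.168.1.10:8443/admin 200",
    "GET https://203.0.113.45.example.net/203.0.113.45 200",
    "GET https://[2001:db8::5]:443/x 200",
]

if __name__ == "__main__":
    for line_no, ip, url in flag_https_ip_urls(SAMPLE_LOG):
        print(f"line {line_no}: HTTPS to bare IP {ip} -> {url}")
```

A hit here is a lead to review alongside other signals, not a verdict, since legitimate services such as the 1.1.1.1 case in the post also use IP certificates.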
