With sslforfree.com, the private key is generated in your browser (or server-side, if your browser doesn’t support certain features). This means that you will have to trust sslforfree.com not to steal this private key (which could allow an attacker to impersonate your site), or do a code audit of the entire site on each page load - which is impractical.
If you’re looking for a web-based solution, I would recommend https://gethttpsforfree.com/. With that site, you do not disclose your private key to the site in any way, but rather generate the private key on your PC or server and sign a CSR file using this key, which you then use on the site. CSR files do not contain any sensitive information, only your public key and the domain names you want to appear on the certificate. The site provides the instructions you need to generate these files. It’s also possible to download that website and run it locally, and the source code is relatively easy to audit.
Ultimately, native clients such as certbot with signed releases are the safest option, but web-based solutions like gethttpsforfree.com that work based on CSRs are reasonably safe.
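
The local key and CSR workflow described in the post above, as an added example (not part of the original post and not taken from either site): it generates the key on your own machine with OpenSSL, builds the CSR, and lets you check what the CSR discloses. The domain names, file names, 2048-bit key size and function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example. example.com, domain.key and domain.csr are placeholder names.

# make_csr DIR DOMAIN [DOMAIN...]: create DIR/domain.key and DIR/domain.csr locally.
make_csr() (
    dir=$1; shift
    cn=$1
    umask 077                       # private key readable by its owner only
    openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null || exit 1
    san=""
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    # The key is used only to sign the request; it is never written into it.
    openssl req -new -sha256 -key "$dir/domain.key" \
        -config "$dir/csr.cnf" -out "$dir/domain.csr"
)

# csr_names CSR: print the DNS names the CSR asks for, one per line.
csr_names() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_key_matches KEY CSR: succeed if the CSR carries the public half of KEY.
csr_key_matches() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Usage:
#   d=$(mktemp -d) && make_csr "$d" example.com www.example.com
#   csr_names "$d/domain.csr"; csr_key_matches "$d/domain.key" "$d/domain.csr"
```

Only `domain.csr` is pasted into the web tool; `domain.key` stays on the machine that will serve the certificate.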