How safe is ZeroSSL.com?


#1

Can you please compare it against something I can easily understand? I was reading a discussion on reddit and I would like to know your thoughts please. Is it safer to setup and renew Lets Encrypt on my computer than ZeroSSL? Can I trust them with my keys?

I have not installed Let’s Encrypt yet but I am planning before I execute because I don’t know too much.

Thanks for your patience

Cheers
Brody James


#2

One of the key parts of an SSL certificate as proof of domain ownership is that it’s signed with a private key, that only you have. If someone else were to obtain that private key, they could then produce SSL certificates pretending to be you, or revoke your existing certificates.

In the perfect world, only you should have access to your private key. If you have a script that you run on your own server, you can audit that script, and the key never goes off your server - that is the safest option.

The opposite (and worst) case is where you ask someone else to produce a private key for you, and they then give you a copy of the key. This means you need to completely trust them, their code and their servers. There are a couple of these systems available - which I would certainly not trust at all.

ZeroSSL falls in between these two scenarios, and it depends exactly how you use it. @leader is the author of ZeroSSL so may be able to comment on anything I get factually wrong.

I think you can generate your own private key, on your own computer, and then use that to generate a csr (again on your own computer). If you upload the csr to ZeroSSL, and use ZeroSSL to “obtain” the certificate for you, such that ZeroSSL never sees your private key - it’s perfectly safe and secure.

You can use ZeroSSL to generate the private key for you in your browser, and then generate the CSR etc. I have not audited the code in ZeroSSL. This should be safe (in that ZeroSSL never sees your private key), but I can’t be 100% certain of that. Whilst this method would be a huge amount safer than using a site which generates the private key for you, it’s still not something I’m personally 100% comfortable with - hence don’t use that method.

So in answer to your specific questions

It’s always safer to keep 100% control of your private key, yes. I believe there is a method (where you generate the CSR) that you don’t need to let ZeroSSL see your private key though.

Personally I don’t trust anyone else with my private key, no.


#3

Thank you for your insight and addressing my concerns serverco. Some of what you said are my thoughts too.

Cheers,
BJ


#4

Neither do I, for that matter.

It is private for a reason, and I am in full agreement iwth you.


#5

It doesn’t matter to the thrust of the question about ZeroSSL, but it can’t hurt to correct this, or explain more clearly.

In public key cryptography keys are inherently made in pairs, one “public” and the other “private”. Certificates are signed documents, which say that the Issuer promises the Subject of the certificate has a private key which corresponds to this particular Public Key written down in the certificate. The signature on the document is made using the private key belonging to the Issuer, which means that everyone who knows the Issuer’s public key can check the signature is real. The certificate is not signed by the Subject, except in the special case of “self-signed” certificates, which have the exact same Issuer and Subject.

For a typical web SSL cert, the Issuer might be Let’s Encrypt, the Subject might be www.example.com and the Public Key might be a several hundred digit odd number (for the RSA algorithm most popularly used). This certificate would be signed by Let’s Encrypt, using Let’s Encrypt’s private key, which (because it is very important and mustn’t be stolen) is trapped inside a dedicated hardware device that knows how to sign certificates without any risk of revealing the key it is protecting.


#6

By looking at the network usage, it seems like everything is done on your browser and the AMCE server, so I’m pretty sure they do not store your private key, although I’m sure there is a way for them to get the key without showing up in the network tab in Chrome Devtools


#7

The biggest risk with this kind of service is that either the developer or someone who can compromise the server could replace the Javascript code that particular people receive when they use ZeroSSL, so that they receive a malicious version that secretly sends a copy of the private key elsewhere. Since individual users of ZeroSSL normally don’t read the Javascript when using it, it’s hard for them to be sure that the code they’re using is the same code that everyone else is using. Even assuming that the ZeroSSL developer doesn’t intend to do this (which I’m confident of), someone else who gets access to ZeroSSL’s web server could also do it.

That’s a big reason that a lot of people feel more concerned about cryptographic operations inside of web applications as opposed to inside of native code applications. With native code running directly on your computer, you could in principle check a signature and also check whether you got the same version as everybody else, before installing or running the software. With web applications, this kind of verification is much harder because web browsers don’t really give us convenient tools for it. For example, if you download an ISO, EXE, or RPM file, you can take a checksum and ask other people whether that’s the same checksum they saw when they downloaded that application; with a web app, there is no widespread standard for what it means to “checksum” the web app itself.

People have been talking for years about how to make web app code more easily verifiable, and there are lots of proposals, but so far we’re still waiting for something really effective to become a standard part of web browsers. (Some web app developers have been able to find compromises like shipping a single-page application that’s meant to be saved to disk and checksummed from there before being opened locally.)

I think tools like ZeroSSL are a great service, but it’s really unfortunate that it’s so difficult to verify the integrity of their code when using them.


#8

I think it has been discussed earlier here at some point, but I guess it won’t hurt to clarify this again and maybe give a backstory of how ZeroSSL service was created in the first place.

At first there was just a Perl client for Let’s Encrypt. Even though it worked fine on Linux/FreeBSD/etc, it was not able to create a CSR on Windows. CSR creation is often a point where people seem a bit lost, especially if that CSR is supposed to include more than one domain name. So the CSR generator was created, to ease the task. Seeing as there were still cases when people could not actually install the software at all or were unable (or not allowed) to do so, the in-browser client was added later to handle the whole process. At the time there was just semi-manual, though still useful if you know what to do, gethttpsforfree.

Now let’s get to the subject of whether you should use it. ZeroSSL actually encourages you on its pages to use automation - even though the service has its uses, the key to successful adoption of Let’s Encrypt is automation. As explained on the site, the client is fully in-browser and the server is completely unaware of what you might be doing. Whether Let’s Encrypt returns any data or errors - neither of that is seen by the server. Actually, the server is not even using cookies or analytic services.

Should you trust the service that might be creating something for you? Trust is the key word here. You trust something on a daily basis - you trust online shops and Paypal with your data; you trust that your phone carrier or the apps on your phone are not collecting too much data, including your geolocation; you trust your hoster or some other entity with your driving license or some other form of id; etc. That list is endless and you have to make choices. Many of those services and entities were at the beginning at some point or are now, but you have decided to trust them. It’s not much different here. If you feel uncomfortable - just follow the tech guides and use the clients you can install. But then again - without the code audit done and full understanding of how they work, can you absolutely trust them either? Or any programs on your computer or your phone to that matter?

Even the services which seemed to be trustworthy may surprise you in a bad way, like it was recently with Web of Trust. Others might be far from that but still there is a risk of some incidents, as @schoen has pointed out. In 2014 for example, jQuery.com was compromised - and a lot of sites were loading the library from it. In 2016 the Linux Mint site, which is very popular Linux distribution, has been compromised to point to backdoor’ed ISOs. And there are other examples.

ZeroSSL, apart from being run completely in your browser and over HTTPS, allows you to further minimise the risks by providing a CSR, which you can create elsewhere. Your private key can’t be extracted from it. You can also firewall all the communications apart from to and from Let’s Encrypt itself once the client is loaded and it will work fine, because that is the only data exchange that takes place - between your browser and LE servers over HTTPS.

So effectively it is up to you. What you might want to consider when making choices here is whether there is an actual person behind the service and would he or she actually want to risk their reputation to do something dodgy at all and for what?


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.