Is this safe? (sslforfree.com)


#1

I found this website that lets you download Let’s Encrypt certificates and I wonder if it’s safe to use?
https://www.sslforfree.com/


Trust of sslforfree.com to generate private keys
#2

Yes and no, it’s a question of trust.

With sslforfree, zerossl and all similar sites, you are trusting that the owner of the site (or a hacker) doesn’t suddenly change their code to steal your private keys.

It’s a similar risk to running any software, however it is very difficult to tell whether a website has changed in a subtle and malicious way, whereas e.g. Certbot is developed in the open and you can be reasonably confident that malware won’t make it into a release.

sslforfree has a mode where you can avoid revealing your certificate private key:

You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.

However I think it still puts sslforfree in a position of power due to the fact they control the ACME account.

I think from a theoretical security perspective, ZeroSSL is superior because your browser talks directly to the Let’s Encrypt API servers, whereas sslforfree (I believe) acts as a middleman.


#3

(Thanks for the reply)

I’ve used sslforfree since my hosting provider doesn’t support Let’s Encrypt in any way, but it supports custom SSL/TLS via Cpanel. I wasn’t familiar with ZeroSSL, but I think I’ll give it a try for my next certificate renewal.


#4

Way back in the beginning I used the site Get HTTPS for Free. I highly recommend it!

Get HTTPS For Free does not require you to reveal your private key. As a matter of fact they STRONGLY guide you not to!

https://gethttpsforfree.com/

There is a link at the bottom of the page to the source code.


#5

The tradeoff is that you’ll have to use openssl commands to create a private key and CSR yourself, which the other web applications are seemingly trying to avoid asking users to do. Still, this is a good point.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.