I found this website that lets you download Let’s Encrypt certificates and I wonder if it’s safe to use?
https://www.sslforfree.com/
Yes and no, it's a question of trust.
With sslforfree, zerossl and all similar sites, you are trusting that the owner of the site (or a hacker) doesn't suddenly change their code to steal your private keys.
It's a similar risk to running any software, however it is very difficult to tell whether a website has changed in a subtle and malicious way, whereas e.g. Certbot is developed in the open and you can be reasonably confident that malware won't make it into a release.
sslforfree has a mode where you can avoid revealing your certificate private key:
You can also provide your own CSR when using manual verification in which case the private key is handled completely on your end.
However I think it still puts sslforfree in a position of power due to the fact they control the ACME account.
I think from a theoretical security perspective, ZeroSSL is superior because your browser talks directly to the Let's Encrypt API servers, whereas sslforfree (I believe) acts as a middleman.
5 Likes
(Thanks for the reply)
I’ve used sslforfree since my hosting provider doesn’t support Let’s Encrypt in any way, but it supports custom SSL/TLS via Cpanel. I wasn’t familiar with ZeroSSL, but I think I’ll give it a try for my next certificate renewal.
Way back in the beginning I used the site Get HTTPS for Free. I highly recommend it!
Get HTTPS For Free does not require you to reveal your private key. As a matter of fact they STRONGLY guide you not to!
There is a link at the bottom of the page to the source code.
The tradeoff is that you'll have to use openssl commands to create a private key and CSR yourself, which the other web applications are seemingly trying to avoid asking users to do. Still, this is a good point.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.