WARNING - EDIT Nov 2020: some of the services mentioned have changed significantly. This advice may not be up to date!
Two older threads asked if it was secure to use it:
On both, the advice was to prefer https://gethttpsforfree.com/ (which does not generate private keys), but without details.
One suggested zerossl.com (which also generates private keys).
As general advice, it is better to generate your private key and CSR offline.
If you must generate it online you have to trust the service.
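The offline route recommended above, as an added example that is not code from the original post or from any of the services it discusses: the private key and the CSR are produced locally with the openssl CLI, and only the CSR (public key plus names) ever leaves the machine. It assumes openssl is installed and uses "example.com" as a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original post: generate a private key and a CSR
# offline so that no third-party website ever sees the private key.
# Assumptions: the openssl CLI is installed; "example.com" is a placeholder.
set -eu

# gen_key_and_csr DIR HOST
# Writes DIR/privkey.pem (stays on this machine) and DIR/request.csr (upload this).
gen_key_and_csr() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"

    # Private key: 2048-bit RSA, created under umask 077 so the file is
    # readable only by the current user. The subshell keeps the umask local.
    (umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/privkey.pem")

    # Minimal request config: CN plus SAN entries for the bare and www names.
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no

[dn]
CN = $host

[ext]
subjectAltName = DNS:$host, DNS:www.$host
EOF

    # The CSR is signed with the private key but contains only public data.
    openssl req -new -key "$dir/privkey.pem" -config "$dir/csr.cnf" \
        -out "$dir/request.csr"
}

# csr_matches_key DIR
# Returns 0 when the public key embedded in the CSR equals the one derived
# from privkey.pem and the CSR's self-signature verifies; 1 otherwise.
csr_matches_key() {
    dir="$1"
    from_key=$(openssl pkey -in "$dir/privkey.pem" -pubout)
    from_csr=$(openssl req -in "$dir/request.csr" -pubkey -noout)
    [ "$from_key" = "$from_csr" ] || return 1
    openssl req -in "$dir/request.csr" -verify -noout >/dev/null 2>&1
}

# csr_names DIR
# Prints the DNS names listed in the CSR's subjectAltName, one per line.
csr_names() {
    openssl req -in "$1/request.csr" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Demo run with the placeholder hostname; only request.csr would be uploaded.
work=$(mktemp -d)
gen_key_and_csr "$work" example.com
csr_matches_key "$work" && echo "CSR public key matches privkey.pem"
echo "Names in CSR:"
csr_names "$work"
rm -rf "$work"
```

Before pasting the CSR into any web form, `csr_matches_key` is the check worth running: it confirms the request really belongs to the key you keep, so a certificate issued for it is usable without ever exposing `privkey.pem`.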
I see some red flags about sslforfree:
- there is no information on the website about who is running it, and the only contact link is an anonymous email address ( info@sslforfree.com )
- the whois is anonymized
- the commit that added it to the ACME Client Implementations - Let's Encrypt page, Add sslforfree to client-options.md (#127) · letsencrypt/website@8b2540b · GitHub, does not seem to have been made by them, and the PR behind it is private or deleted: https://github.com/letsencrypt/website/pull/127
- the only clue I found was in Show HN: Free SSL Certificates | Hacker News, where the user etrackr seems to be the author of that website
And, from a security point of view:
- HSTS: no HSTS (so no HSTS preload either: HSTS Preload List Submission)
- Headers: no Content-Security-Policy, X-XSS-Protection or X-Content-Type-Options: Mozilla Observatory / Scan results for www.sslforfree.com
- Bad https configuration: SSL Server Test: www.sslforfree.com (Powered by Qualys SSL Labs)
- Loads external JavaScript (and without SRI)
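The header and SRI findings above (and the ZeroSSL comparison further down) can be reproduced against a saved response rather than by reading a scanner report. The script below is an added example, not code from the original post or from either service: it audits a header block for the four headers the post names, checks whether an HSTS value meets the preload list's requirements (max-age of at least one year, includeSubDomains, preload), and counts external script tags without an integrity attribute. The header blocks and HTML it runs on are constructed samples, not captures of any real site.

```shell
#!/bin/sh
# Added example, not from the original post: audit saved HTTP headers and HTML
# for the security headers and SRI the post compares across the two services.
# All inputs below are constructed samples, not real captures.
set -eu

# audit_headers FILE
# Prints one line per header; returns the number of missing headers (0 = all present).
audit_headers() {
    missing=0
    for h in Strict-Transport-Security Content-Security-Policy \
             X-Content-Type-Options X-XSS-Protection; do
        # Header names are case-insensitive, hence grep -i.
        if grep -qi "^$h:" "$1"; then
            echo "present: $h"
        else
            echo "MISSING: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# hsts_preload_ready FILE
# Returns 0 when the Strict-Transport-Security value has all three parts the
# preload list requires: max-age >= 31536000 (one year), includeSubDomains, preload.
hsts_preload_ready() {
    v=$(grep -i '^Strict-Transport-Security:' "$1" | head -n1 | cut -d: -f2-) || return 1
    age=$(printf '%s' "$v" | tr -d ' ' | tr ';' '\n' | grep -i '^max-age=' | cut -d= -f2) || return 1
    [ "${age:-0}" -ge 31536000 ] || return 1
    printf '%s' "$v" | grep -qi 'includeSubDomains' || return 1
    printf '%s' "$v" | grep -qi 'preload'
}

# scripts_without_sri FILE
# Prints how many <script ... src=...> tags carry no integrity= attribute.
scripts_without_sri() {
    grep -io '<script[^>]*src=[^>]*>' "$1" | grep -vic 'integrity=' || true
}

# write_samples DIR
# Constructed samples: a weak response, a hardened response, and an HTML page.
write_samples() {
    cat > "$1/weak.hdr" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx
EOF
    cat > "$1/good.hdr" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
EOF
    cat > "$1/page.html" <<'EOF'
<html><head>
<script src="https://cdn.example/lib.js"></script>
<script src="/local.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>inline()</script>
</head></html>
EOF
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_headers "$tmp/weak.hdr" || echo "weak.hdr: $? header(s) missing"
hsts_preload_ready "$tmp/good.hdr" && echo "good.hdr: HSTS value is preload-ready"
echo "page.html: $(scripts_without_sri "$tmp/page.html") external script(s) without SRI"
rm -rf "$tmp"
```

To run it against a real site, save the response headers with `curl -sI https://host/ > site.hdr` and the page with `curl -s https://host/ > site.html`, then call the three functions on those files; the weak/good samples show what each check reports on each side of the comparison.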
So I would not recommend that website to generate your private key.
Although it should be safe to use to generate a certificate if you already have a CSR (See #2)
Beware: that service may also ask for your FTP password:
Side note: Let's Encrypt apparently decided to stop listing browser-based clients on ACME Client Implementations - Let's Encrypt: client-options: document inclusion/update policy. by cpu · Pull Request #377 · letsencrypt/website · GitHub
To compare with Free SSL Certificates and SSL Tools - ZeroSSL :
- Contact info is accessible: About - ZeroSSL
- No external javascript loaded
- HSTS and preloaded: HSTS Preload List Submission
- Most security headers present (sadly, no CSP and no SRI): Mozilla Observatory
- Robust https configuration: Mozilla Observatory