Trust of sslforfree.com to generate private keys

WARNING - EDIT nov-2020 : some services mentioned have significantly changed. Advice may not be up to date!

Two older threads asked if it was secure to use it:

On both, the advice was to prefer https://gethttpsforfree.com/ (who doesn't generate private keys) but without details.
One suggested zerossl.com (who also generate private keys)

As a general advice, it's better to generate your private key and csr offline.

If you must generate it online you have to trust the service.

I see some red flags about sslforfree:

• there is no information on who is running that website on the webpage and the only contact link is an anonymous email ( info@sslforfree.com )
• the whois is anonymized
• the commit to add it on the ACME Client Implementations - Let's Encrypt webpage, Add sslforfree to client-options.md (#127) · letsencrypt/website@8b2540b · GitHub doesn't seams to be done by them and the PR behind it is private or deleted: https://github.com/letsencrypt/website/pull/127
• the only clue I found was in Show HN: Free SSL Certificates | Hacker News where the user etrackr seams to be the author of that website

And, from a security point of view:

• HSTS: No HSTS ( so no HSTS preload HSTS Preload List Submission )
• Headers: No Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options: Mozilla Observatory / Scan results for www.sslforfree.com
• Bad https configuration: SSL Server Test: www.sslforfree.com (Powered by Qualys SSL Labs)
• Load externals javascript (and without SRI)

So I would not recommend that website to generate your private key.

Although it should be safe to use to generate a certificate if you already have a CSR (See #2)

Beware, that service also may ask for your ftp password:

image1043×427 21.5 KB

Site note: Let's Encrypt apparently decided to stop listing browser based clients on ACME Client Implementations - Let's Encrypt : client-options: document inclusion/update policy. by cpu · Pull Request #377 · letsencrypt/website · GitHub

To compare with Free SSL Certificates and SSL Tools - ZeroSSL :

• Contact info are accessible: About - ZeroSSL
• No external javascript loaded
• HSTS and preloaded: HSTS Preload List Submission
• Most security headers (sadly, no CSP nor SRI) : Mozilla Observatory
• Robust https configuration: Mozilla Observatory

This isn't really safe either. Due to the fact that authorizations are re-usable (currently for 30 days), it opens the opportunity for sslforfree.com to just silently* issue an identical certificate under an alternate private key. This is because they control the ACME account key at all times.

(* mitigated by CT logs but most users are not savvy to that)

Thanks for pointing that out, corrected!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.