Trust of sslforfree.com to generate private keys


#1

Two older threads asked if it was secure to use it:

On both, the advice was to prefer https://gethttpsforfree.com/ (which doesn’t generate private keys), but without details.
One suggested zerossl.com (which also generates private keys).

As general advice, it’s better to generate your private key and CSR offline.

If you must generate it online you have to trust the service.

I see some red flags about sslforfree:

And, from a security point of view:

So I would not recommend that website to generate your private key.

Although it should be safe to use to generate a certificate if you already have a CSR (See #2)

Beware: that service may also ask for your FTP password:

Side note: Let’s Encrypt apparently decided to stop listing browser-based clients on https://letsencrypt.org/docs/client-options/ : https://github.com/letsencrypt/website/pull/377

To compare with https://zerossl.com/free-ssl/#crt :
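The offline key-and-CSR workflow recommended above, as an added example that is not part of any post in this thread and not code from sslforfree, gethttpsforfree or zerossl. It assumes the `openssl` command-line tool (1.1.1 or newer, for `-addext`) is installed, and `example.com` is a placeholder domain. The private key is written with owner-only permissions and never leaves the machine; only the CSR is handed to the issuing service. The second function is the check a practitioner wants before uploading: that the CSR really was produced from (and signed by) the key you hold.

```shell
#!/bin/sh
# Added example (not from the thread): generate a private key and CSR
# offline with the openssl CLI, then confirm the CSR matches that key.
# Assumed: openssl >= 1.1.1 on PATH; example.com is a placeholder domain.
set -eu

# Write <domain>.key and <domain>.csr into $1 for domain $2.
# The key stays local; the CSR is the only file an online service needs.
make_offline_csr() {
    outdir="$1"; domain="$2"
    mkdir -p "$outdir"
    # Subshell so umask 077 (key readable by owner only) doesn't leak out
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$outdir/$domain.key" 2>/dev/null )
    # CSR with a SAN list; -subj avoids interactive prompts
    openssl req -new -key "$outdir/$domain.key" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -out "$outdir/$domain.csr" 2>/dev/null
}

# Exit 0 when the CSR's embedded public key equals the private key's public
# half AND the CSR's self-signature verifies; non-zero otherwise.
csr_matches_key() {
    key="$1"; csr="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ "$k" = "$c" ] && openssl req -in "$csr" -verify -noout >/dev/null 2>&1
}

# Usage: make_offline_csr ./out example.com
#        csr_matches_key ./out/example.com.key ./out/example.com.csr && echo match
```

Upload only the `.csr` file; keep the `.key` file with the web server that will terminate TLS. If the check fails, the CSR was not produced from that key and should not be submitted.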


#2

This isn’t really safe either. Due to the fact that authorizations are re-usable (currently for 30 days), it opens the opportunity for sslforfree.com to just silently* issue an identical certificate under an alternate private key. This is because they control the ACME account key at all times.

(* mitigated by CT logs but most users are not savvy to that)


#3

Thanks for pointing that out, corrected!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.