[HN Gopher] ZeroSSL: XSS to session hijacking, stealing a privat...
___________________________________________________________________

ZeroSSL: XSS to session hijacking, stealing a private key (and password hash)

Author : kkm
Score  : 43 points
Date   : 2023-01-19 20:40 UTC (2 hours ago)

web link (groups.google.com)

| agwa wrote:
| Important note: ZeroSSL is _not_ a certificate authority but a
| certificate reseller who is paying an actual CA, Sectigo, to
| operate a white-label intermediate certificate with ZeroSSL in
| the name[1].
|
| As a non-CA, ZeroSSL isn't required to provide an incident report
| or revoke any certificates like the researcher is requesting.
| Fortunately, their bad security can only impact their own
| customers, in contrast to a CA whose bad security can affect
| everyone.
|
| [1] see
| https://www.agwa.name/blog/post/the_certificate_issuer_field...

| sys42590 wrote:
| ZeroSSL left an uncanny impression on me when for some reason
| acme.sh developers made them default instead of Let's Encrypt.
| This prompted me to switch to a different client (just in case of
| further worsening of Let's Encrypt support by acme.sh).

  | leetnewb wrote:
  | Which client did you end up on? The list is somewhat
  | overwhelming.

    | Ennea wrote:
    | Going to throw another hat into the ring here: I use acme-tiny
    | [1], which is a single-file ACME client written in Python in
    | under 200 lines. The idea behind it is that you can fully read
    | and understand everything it does without spending too much
    | time on it. I really like this approach, so I went ahead and
    | started using it, and have been for a few years now.
    |
    | [1] https://github.com/diafygi/acme-tiny

    | sys42590 wrote:
    | dehydrated, as it has few dependencies.

    | egberts1 wrote:
    | Dehydrated.io, damn few dependencies.
    |
    | You're welcome.
    |
    | https://github.com/dehydrated-io/dehydrated

| greyhound_7 wrote:
| ZeroSSL is pretty much the worst. If you need TLS certs, don't
| use them.

___________________________________________________________________
(page generated 2023-01-19 23:00 UTC)