[HN Gopher] ZeroSSL: XSS to session hijacking, stealing a privat...
       ___________________________________________________________________
        
       ZeroSSL: XSS to session hijacking, stealing a private key (and
       password hash)
        
       Author : kkm
       Score  : 43 points
       Date   : 2023-01-19 20:40 UTC (2 hours ago)
        
 (HTM) web link (groups.google.com)
 (TXT) w3m dump (groups.google.com)
        
       | agwa wrote:
       | Important note: ZeroSSL is _not_ a certificate authority but a
       | certificate reseller who is paying an actual CA, Sectigo, to
       | operate a white-label intermediate certificate with ZeroSSL in
       | the name[1].
       | 
       | As a non-CA, ZeroSSL isn't required to provide an incident report
       | or revoke any certificates like the researcher is requesting.
       | Fortunately, their bad security can only impact their own
       | customers, in contrast to a CA whose bad security can affect
       | everyone.
       | 
       | [1] see
       | https://www.agwa.name/blog/post/the_certificate_issuer_field...
        
       | sys42590 wrote:
       | ZeroSSL left an uncanny impression on me when for some reason
       | acme.sh developers made them default instead of Let's Encrypt.
       | This prompted me to switch to a different client (just in case of
       | further worsening of Let's Encrypt support by acme.sh).
        
         | leetnewb wrote:
         | Which client did you end up on? The list is somewhat
         | overwhelming.
        
           | Ennea wrote:
            | Going to throw another hat into the ring here: I use
            | acme-tiny [1], which is a single file ACME client written in
           | Python in under 200 lines. The idea behind it is that you can
           | fully read and understand everything it does without spending
           | too much time on it. I really like this approach, so I went
           | ahead and started using it, and have been for a few years
           | now.
           | 
           | [1] https://github.com/diafygi/acme-tiny
        
           | sys42590 wrote:
            | dehydrated, as it has few dependencies.
        
       | greyhound_7 wrote:
       | ZeroSSL is pretty much the worst. If you need TLS certs, don't
       | use them.
        
       | egberts1 wrote:
       | Dehydrated.io, damn few dependencies.
       | 
       | You're welcome.
       | 
       | https://github.com/dehydrated-io/dehydrated
        
         | [deleted]
        
       ___________________________________________________________________
       (page generated 2023-01-19 23:00 UTC)