ZeroSSL: XSS to session hijacking, stealing a private key (and password hash) (opens in new tab)

(groups.google.com)

112 pointskkm3y ago24 comments

24 comments

agwa3y ago

Important note: ZeroSSL is not a certificate authority but a certificate reseller who is paying an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].

As a non-CA, ZeroSSL isn't required to provide an incident report or revoke any certificates like the researcher is requesting. Fortunately, their bad security can only impact their own customers, in contrast to a CA whose bad security can affect everyone.

[1] see https://www.agwa.name/blog/post/the_certificate_issuer_field...

twiss3y ago

Sectigo might be required to revoke them, then? There doesn't seem to be a requirement for the compromise to be Sectigo's fault, according to my reading of the Baseline Requirements [1]:

> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs: (...)

> 16. The CA is made aware of a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise or if there is clear evidence that the specific method used to generate the Private Key was flawed.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...

sys425903y ago

ZeroSSL left an uncanny impression on me when for some reason acme.sh developers made them default instead of Let's Encrypt. This prompted me to switch to a different client (just in case of further worsening of Let's Encrypt support by acme.sh).

netheril963y ago

I prefer ZeroSSL to Let's Encrypt. ZeroSSL has no rate limit, and most importantly they have full ECC support. With Let's Encrypt, even if I request for an ECC cert, the intermediate CA is still RSA, drastically increasing the certificate size (they have their reasons of compatibility, but I don't care about that).

Ayesh3y ago

LetsEncrypt now has an ECC root and intermediates. You have to request the account ID to be included, and after which, the intermediate and root certificates will be ECC. More information here: https://community.letsencrypt.org/t/ecdsa-availability-in-pr...

1 more reply

dilyevsky3y ago

I believe zerossl chain (really sectigo) is trusted by more devices than the new isrg root (mostly old unupdated ones). Also zerossl has fewer limits in their acme implementation. Downsides are zerossl has some questionable security practices and also I think zerossl either dont support tls-alpn-01 validation or it’s just broken

leetnewb3y ago

Which client did you end up on? The list is somewhat overwhelming.

Ennea3y ago

Going to throw another hat into the ring here: I use acme-tiny [1], which is a single file ACME client written in Python in under 200 lines. The idea behind it is that you can fully read and understand everything it does without spending too much time on it. I really like this approach, so I went ahead and started using it, and have been for a few years now.

[1] https://github.com/diafygi/acme-tiny

seized3y ago

I too am moving away from acme.sh for the same reason. Dehydrated looks nice but I started using goacme.

https://github.com/go-acme/lego

I wasn't set on only bash though.

sys425903y ago

dehydrated, as it has little dependencies.

Ayesh3y ago

Before 2020, ZeroSSL used to be a browser-based acme client using Lets Encrypt. I don't doubt that money was involved, and they switched to Comodo (now Sectigo), with no notice that I could think of. I used them for a few one-off certificates, but this rug-pull caught me off guard. I'd happily watch if they go down in this dumpster fire.

greyhound_73y ago

ZeroSSL is pretty much the worst. If you need TLS certs, don't use them.

kiririn3y ago

What other options are there that support old clients and are free + automatable?

It’s all well and good to prefer Lets Encrypt if your clients are using web browsers, but it is not suitable for more exotic cases. E.g video streaming, where clients can be things like many years old copies of VLC, which no longer trust Lets Encrypt certs

throwaway815233y ago

gogetssl.com issues free 90 day Sectigo (formerly Comodo) certificates and they have an ordering API. Caveats: 1) I don't know if those certificates will work in old VLC clients or whatever. 2) After you order the certificate you get an email from the CA with a link that you have to click saying that you approve issuance. I don't know what happens if you try to automate that.

For me the main hassle of LetsEncrypt is the 90 day rotation and there have been situations where I'd rather just pay for a longer lasting certificate. Gogetssl (above) sells 5 year DV Sectigo certificates for $16, it looks like.

Ignore the prices shown on the not-logged-in part of the site: sign up for their "reseller" program (you get approved right away automatically) and you can see their real price list while you are logged in.

2 more replies

IncRnd3y ago

I had a very similar problem with older clients attempting to connect to streaming sites hosted on a WHM cluster. One day Let's Encrypt certs stopped being trusted on some of the older client machines. Fortunately, the provider from cPanel was also free and their certs worked (and still work) with older clients.

cvalka3y ago

Could you provide more info?

hit8run3y ago

Hmm… I’m wondering if this a security flaw on purpose so the NSA or other authorities have an easy backdoor?

egberts13y ago

Dehydrated.io, damn few dependencies.

You're welcome.

https://github.com/dehydrated-io/dehydrated

8organicbits3y ago

There's a number of these to consider: https://github.com/topics/acme-client

j / k navigate · click thread line to collapse

24 comments

agwa3y ago

Important note: ZeroSSL is not a certificate authority but a certificate reseller who is paying an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].

[1] see https://www.agwa.name/blog/post/the_certificate_issuer_field...

twiss3y ago

Sectigo might be required to revoke them, then? There doesn't seem to be a requirement for the compromise to be Sectigo's fault, according to my reading of the Baseline Requirements [1]:

> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs: (...)

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...

sys425903y ago

netheril963y ago

Ayesh3y ago

1 more reply

dilyevsky3y ago

leetnewb3y ago

Which client did you end up on? The list is somewhat overwhelming.

Ennea3y ago

[1] https://github.com/diafygi/acme-tiny

seized3y ago