|
| ▲ | killjoywashere 2 months ago | parent | next [-] |
| IdenTrust participates in the US Federal PKI ecosystem, so they likely have strong incentives to charge exorbitantly. Those free certs are probably meant to facilitate development of gov-specific capabilities by random subcontractors long enough to figure out how to structure a contract mod that passes the anticipated cost onto the government. Don’t hate the player, hate the game. |
|
| ▲ | AStonesThrow 2 months ago | parent | prev | next [-] |
| > Honest Achmed I had to stop and Google that, wondering if it was a pastiche of “Akbar & Jeff’s Certificate Hut”... https://bugzilla.mozilla.org/show_bug.cgi?id=647959 |
| |
| ▲ | jchw 2 months ago | parent [-] | | I'm glad to give you an xkcd 1053 moment. Honest Achmed is one for the books. |
|
|
| ▲ | arccy 2 months ago | parent | prev | next [-] |
| Google's CA offers them for free via ACME https://pki.goog/ |
| |
| ▲ | jchw 2 months ago | parent [-] | | That's pretty cool, though it does seem that you need to authenticate with a GCP account. A little bit less convenient. I do think there are actually a few other providers of ACME out there that require registration beforehand, ZeroSSL actually offers it without pre-registration like Let's Encrypt. |
|
|
| ▲ | birktj 2 months ago | parent | prev | next [-] |
| Buypass provides ACME certificates as well [1]. The usage limits are not quite as generous as LE, but they work pretty well in my experience. [1] https://www.buypass.com/products/tls-ssl-certificates/read-m... |
|
| ▲ | rmetzler 2 months ago | parent | prev | next [-] |
| A while ago I saw that acme.sh now uses ZeroSSL by default. https://github.com/acmesh-official/acme.sh/blob/42bbd1b44af4... |
| |
| ▲ | _hyn3 2 months ago | parent [-] | | "We now have another confirmation on Twitter that remote code is executed and a glimpse into what the script is... it appears to be benign." https://github.com/acmesh-official/acme.sh/issues/4659 It was not. Don't use acme.sh. | | |
| ▲ | rsync 2 months ago | parent [-] | | I went down the acme/HiCA/RCE rabbit hole a year or so ago and, while I don't remember the specifics, my feeling was that the RCE was not that dangerous and was put into place by greedy scammers thwarting the rules of cert (re)selling and not by shadowy actors trying to infiltrate sensitive infra ... Is there new information ? Was my impression wrong ? |
|
|
|
| ▲ | nickf 2 months ago | parent | prev [-] |
| ZeroSSL is owned by Identrust, but the infra is operated by another CA.
Also Microsoft killed EV codesigning early last year - not stopping it working, just making it identical to ‘normal’ codesigning certs. |
| |
| ▲ | mkup 2 months ago | parent [-] | | Could you please provide more info on this topic, e.g. a link? I intended to buy EV code signing certificate as a sole proprietor to fix long-standing problem with my software when Windows Defender pops up every time I release a new version. Is EV code signing certificate no longer a viable solution to this problem? Is there no longer a difference between EV and non-EV code signing certificate? | | |
|
