Hacker News new | past | comments | ask | show | jobs | submit login

FWIW, it is ZeroSSL. I want there to be more major ACME providers than just LE, but I'm not sure about ZeroSSL, personally. It seems to have the same parent company as IdenTrust (HID Global Corporation). Probably a step up from Honest Achmed but recently I recall people complaining that their EV code signing certificates were not actually trusted by Windows which is... Interesting.



IdenTrust participates in the US Federal PKI ecosystem, so they likely have strong incentives to charge exorbitantly. Those free certs are probably meant to facilitate development of gov-specific capabilities by random subcontractors long enough to figure out how to structure a contract mod that passes the anticipated cost onto the government.

Don’t hate the player, hate the game.


> Honest Achmed

I had to stop and Google that, wondering if it was a pastiche of “Akbar & Jeff’s Certificate Hut”...

https://bugzilla.mozilla.org/show_bug.cgi?id=647959


I'm glad to give you an xkcd 1053 moment. Honest Achmed is one for the books.


Google's CA offers them for free via ACME https://pki.goog/


That's pretty cool, though it does seem that you need to authenticate with a GCP account. A little bit less convenient. I do think there are actually a few other providers of ACME out there that require registration beforehand, ZeroSSL actually offers it without pre-registration like Let's Encrypt.


Buypass provides ACME certificates as well [1]. The usage limits are not quite as generous as LE, but they work pretty well in my experience.

[1] https://www.buypass.com/products/tls-ssl-certificates/read-m...


A while ago I saw that acme.sh now uses ZeroSSL by default.

https://github.com/acmesh-official/acme.sh/blob/42bbd1b44af4...


"We now have another confirmation on Twitter that remote code is executed and a glimpse into what the script is... it appears to be benign."

https://github.com/acmesh-official/acme.sh/issues/4659

It was not. Don't use acme.sh.


I went down the acme/HiCA/RCE rabbit hole a year or so ago and, while I don't remember the specifics, my feeling was that the RCE was not that dangerous and was put into place by greedy scammers thwarting the rules of cert (re)selling and not by shadowy actors trying to infiltrate sensitive infra ...

Is there new information ? Was my impression wrong ?


ZeroSSL is owned by Identrust, but the infra is operated by another CA. Also Microsoft killed EV codesigning early last year - not stopping it working, just making it identical to ‘normal’ codesigning certs.


Could you please provide more info on this topic, e.g. a link? I intended to buy EV code signing certificate as a sole proprietor to fix long-standing problem with my software when Windows Defender pops up every time I release a new version. Is EV code signing certificate no longer a viable solution to this problem? Is there no longer a difference between EV and non-EV code signing certificate?


After Microsoft's March 2024 update, EV Code signing certs don't offer instant Microsoft Defender reputation. Now, OV and EV both code signing certificates can be installed and stored on FIPS 140 Level 2 or Common Criteria EAL 4+ certified HSM, tokens, or cloud HSMs. So, you can consider EV Code Signing as higher security and higher validation with no more difference. If u want to buy code signing at affordable cost, I recommend: https://signmycode.com/cheap-code-signing-certificates


Sure: https://learn.microsoft.com/en-us/security/trusted-root/prog...

3.D.3 covers the details about EV CS.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: