commit: ae82d4612a0299c1f6e8d7977439caaee4d548f3
parent 045eeb36700c783095f9cf6bcad380d6da470081
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Sun, 11 Aug 2024 10:47:45 +0200
RejectedCertificatesAutorities.md: Reject ZeroSSL (COMODO)
Diffstat:
1 file changed, 18 insertions(+), 0 deletions(-)
diff --git a/RejectedCAs.md b/RejectedCAs.md
@@ -3,3 +3,21 @@
- Appears to still support non-standard verifications
- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificate
- Cross-signs other CAs, which while interesting for allowing new CA, ultimately means having to trust all the cross-signed CAs
+
+## COMODO
+
+Brands:
+- Francisco Partners Management, L.P.
+- Xcitium
+- Sectigo
+- CodeGuard
+
+Or Sectigo with their re-branding.
+
+Notorious in terms of controversies, shouldn't be present in any decent CA list. <https://en.wikipedia.org/wiki/Comodo_Cybersecurity>
+
+## ZeroSSL
+
+The certificate they use <https://crt.sh/?caid=158799> is a child certificate of Sertigo/COMODO.
+
+Looks very suspicious, normally a new CA should only get cross-signed.
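Review bot: The rationale in the ZeroSSL section ("normally a new CA should only get cross-signed") contradicts the GlobalSign entry kept as context above, which lists cross-signing itself as a reason for rejection ("ultimately means having to trust all the cross-signed CAs"); pick one position, since as written the file rejects GlobalSign for cross-signing and ZeroSSL for not being cross-signed. The ZeroSSL entry would also be stronger if it stated the concrete objection (that trusting ZeroSSL means trusting its Sectigo/COMODO issuer, per the crt.sh link) instead of "Looks very suspicious". Two smaller points in the same section: "Sertigo/COMODO" should read "Sectigo/COMODO" to match the brand list above, and "Or Sectigo with their re-branding." is a fragment; something like "COMODO, now rebranded as Sectigo." under the heading would read better.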