ZeroSSL left an uncanny impression on me when, for some reason, the acme.sh developers made them the default instead of Let's Encrypt. This prompted me to switch to a different client (just in case of further worsening of Let's Encrypt support by acme.sh).
Before 2020, ZeroSSL used to be a browser-based ACME client using Let's Encrypt. I don't doubt that money was involved, and they switched to Comodo (now Sectigo), with no notice that I could think of. I used them for a few one-off certificates, but this rug-pull caught me off guard. I'd happily watch if they go down in this dumpster fire.
ZeroSSL is pretty much the worst. If you need TLS certs, don't use them.
Hmm… I'm wondering if this is a security flaw on purpose so the NSA or other authorities have an easy backdoor?
Important note: ZeroSSL is not a certificate authority but a certificate reseller who is paying an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].
As a non-CA, ZeroSSL isn't required to provide an incident report or revoke any certificates like the researcher is requesting. Fortunately, their bad security can only impact their own customers, in contrast to a CA whose bad security can affect everyone.
[1] see https://www.agwa.name/blog/post/the_certificate_issuer_field...