View Issue Details

ID: 0001222
Project: Main CAcert Website
Category: website content
View Status: public
Last Update: 2014-06-29 10:20
Reporter: tverrbjelke
Assigned To: NEOatNHNG
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Firefox 25
OS: ubuntu 12.04
OS Version: 3.2.0-56-generic
Product Version: 2013 Q4
Summary: 0001222: I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.
Description: At least since 16th of November 2013 I experience a problem with a strange certificate at https://cacert.org

I currently can't trust using CACert.org - it seems to use an invalid certificate to sign the content.

Same problem applies to https://lists.cacert.org/wws/lists/help

Maybe I missed something, but for me it looks like someone could have corrupted the site.
I would like to assert someone today, but I won't log in to this system until the problem is solved / cleared.

Steps To Reproduce: Verify you have imported the correct certificates (class3) into your browser, used to authenticate web sites (e.g. of cacert).

Verify that they have the correct fingerprint as shown on
http://www.cacert.org/index.php?id=3.

Go to http://cacert.org and then "log in via password" -> https://www.cacert.org/index.php?id=4.

My browser shows me "connection untrusted" ...
I use Firefox V 25 on Ubuntu (Canonical). Same on my lappy, but it has the same browser.

The certs offered at http://www.cacert.org/index.php?id=3 are still the correct ones.
So why is the page itself signed by another - to me unknown - certificate?
Additional Information: I am not sure, maybe it is caused by http://bugs.cacert.org/view.php?id=1217 - "0001217: Add the root certificates in CER-Format on Index.php?id=3" - but then why does my problem also exist at https://lists.cacert.org/wws/lists/help ?


Analysis
========

I verified whether my local versions of the certificates (inside Firefox and also the 2012 downloaded version on my backup drive) are the same as those presented online at the site:

I compared the sha1sum and md5sum values and my result is:
All root class1 and class3 certs are OK:

$ sha1sum cacert-root-class3-2012.der.crt
ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce cacert-root-class3-2012.der.crt

So theoretically any *correctly* signed page should be accepted by my browser...

Visiting the site and temporarily accepting the cert ("I know the risk...")
and then checking the actually used cert for https://cacert.org,
I see an unknown Root CA cert with serial number "0B:B3:C6". I exported that cert and attached it as (so named by me) "fake-www.cacert..." so you can check yourself what I mean...

The fake-cert has this checksum:

$ sha1sum fake-www.cacert.org-20131117.der
2164c049b001b7a84e459ba6f0d7ef232cfcad58 fake-www.cacert.org-20131117.der

so... I am clueless... researching the net I didn't find more... maybe I am having a blind spot, maybe I am dumb, but maybe this is a *serious* issue...

I attached all mentioned certs: the correct root-class1 and class3 and the potentially fraudulent/fake class3 cert. And their fingerprints.

I'd like to issue someone hopefully *today*.

thankful for any assistance,
tverrbjelke
Tags: No tags attached.
Attached Files: cacert-issue.tar.gz (4,414 bytes)

Activities

NEOatNHNG

2013-11-19 15:47

administrator   ~0004457

I have verified the certificate fake-www.cacert.org-20131117.der in the attached tar.gz just fine. Please note that the www.cacert.org certificate is signed by the Class 1 root certificate now because, due to restrictions with the Class 3 intermediate certificate, only importing the Class 3 without importing the Class 1 is not supported any more.

What are these restrictions? Until some time ago the Class 3 subroot was signed using the MD5 hash, which is nowadays considered insecure. Then we replaced it with a variant using SHA256 as hash function, which unfortunately turned out to be incompatible with some old clients (most notably Windows XP without SP2 and some Symbian phones). So to be most compatible we changed our website to use certificates directly signed by the Class 1 root certificate. I guess we might switch back to using the new Class 3 in the future, but till then only trusting Class 3 will give errors on our website.

So please try whether the error goes away if you also trust the Class 1 root (you may try that in a test profile if you don't want to do that in your production environment).

tverrbjelke

2013-11-21 11:04

reporter   ~0004473

Removed all cacert certs.

Installed class1 root and gave it one right: to authenticate websites.

Then https://cacert.org/ loads without complaints.

You don't need the class3 at all anymore.

From a security perspective this situation is SO scary, please NEOatNHNG can you (or someone in charge) call me e.g. via my email tverrbjelke ATT gmx DOOT de? (fingerprint is 9A09 6BCC 8F97 497B 9DAB 35BA 44FD F477 9CAE 9601)

Or jabber me via tverrbjelke ATT jabber DOOT org ?

thx

NEOatNHNG

2014-03-11 23:15

administrator   ~0004636

Sent an email to the user a while ago.

Issue History

Date Modified Username Field Change
2013-11-19 10:02 tverrbjelke New Issue
2013-11-19 10:02 tverrbjelke File Added: cacert-issue.tar.gz
2013-11-19 15:47 NEOatNHNG Note Added: 0004457
2013-11-19 15:47 NEOatNHNG Assigned To => NEOatNHNG
2013-11-19 15:47 NEOatNHNG Status new => needs feedback
2013-11-21 11:04 tverrbjelke Note Added: 0004473
2013-11-21 11:04 tverrbjelke Status needs feedback => needs work
2014-03-11 23:15 NEOatNHNG Note Added: 0004636
2014-03-11 23:15 NEOatNHNG Status needs work => solved?
2014-03-11 23:15 NEOatNHNG Resolution open => fixed
2014-06-29 10:20 INOPIAE Status solved? => closed