View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000346||Main CAcert Website||website content||public||2006-11-02 09:46||2013-11-20 22:23|
|Fixed in Version||2007|
|Summary||0000346: Root certificate and Fingerprint on unsecure Site|
|Description||Under http://www.cacert.org/index.php?id=3 there is the root certificate and also the fingerprint on an unsecure http website. I think this could be a vulnerable point. If the webserver was attacked, there would be no guarantee whether the root certificate and/or the fingerprint had been manipulated.|
|Tags||No tags attached.|
Who would download this certificate? Only people that do not yet have it installed in their browser. So where is the point in securing the page if you cannot validate the site's certificate anyway?
It may even lead to more confusion if you're asked to accept the site's cert and later you find that you need to accept another cert (the root cert), so you might end up with two certs in your browser.
Instead of trusting anything on the internet, the recommended way of validating the root certificate is:
- download it and check the fingerprint which you hopefully got from a trustable source.
- if the latter is not possible you can download the fingerprint and the GPG signature and check it with the CAcert public GPG key. Then you need to validate the CAcert public GPG key by validating its signatures until you find enough signatures of people you trust.
I'd vote that this bug is invalid.
||There is an OpenPGP signed root certificate fingerprint on that page.|
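
The first check recommended in the note above (hash the downloaded certificate and compare it with a fingerprint obtained from a trusted source), as an added example that is not part of the original issue or CAcert's own code. The function names, the SHA-1/SHA-256 choice and the constructed sample bytes are assumptions.

```python
import hashlib
import hmac
import ssl

# Hex length of the published fingerprint -> hash used (assumed: SHA-1 or SHA-256).
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Turn 'AB:CD ...' or 'abcd...' into lowercase hex; reject anything else."""
    hexdigits = "".join(ch for ch in text if ch not in ": \t\r\n").lower()
    if any(ch not in "0123456789abcdef" for ch in hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hexdigits) not in ALGO_BY_HEXLEN:
        raise ValueError("fingerprint is not a SHA-1 or SHA-256 digest")
    return hexdigits


def cert_fingerprint(pem, algo):
    """Hash the DER encoding, which is what a certificate fingerprint covers."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(pem, trusted_fingerprint):
    """True only if the downloaded PEM hashes to the out-of-band fingerprint."""
    expected = normalize_fingerprint(trusted_fingerprint)
    actual = cert_fingerprint(pem, ALGO_BY_HEXLEN[len(expected)])
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the DER bytes, so no X.509 parsing is needed to show the check.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    trusted = cert_fingerprint(SAMPLE_PEM, "sha256")  # stands in for the out-of-band value
    tampered = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[:-1] + b"\x00")
    print("original:", fingerprint_matches(SAMPLE_PEM, trusted))
    print("tampered:", fingerprint_matches(tampered, trusted))
```

The comparison is only meaningful when the trusted fingerprint arrived over a different channel than the certificate download, which is the point the note makes.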
|2006-11-02 09:46||wonderer||New Issue|
|2006-11-10 16:29||wonderer||Priority||high => urgent|
|2006-11-10 16:30||wonderer||Assigned To||=> Sourcerer|
|2006-11-10 16:30||wonderer||Status||new => needs work|
||Note Added: 0000703|
|2007-11-04 01:20||Sourcerer||Status||needs work => solved?|
|2007-11-04 01:20||Sourcerer||Resolution||open => fixed|
|2007-11-04 01:20||Sourcerer||Note Added: 0000939|
|2009-04-09 21:03||Sourcerer||Status||solved? => closed|
|2013-01-14 20:40||Werner Dworak||Fixed in Version||=> 2007|
|2013-11-20 22:23||NEOatNHNG||View Status||private => public|