View Issue Details

IDProjectCategoryView StatusLast Update
0000346Main CAcert Websitewebsite contentpublic2013-11-20 22:23
Reporterwonderer Assigned ToSourcerer  
Status closedResolutionfixed 
Fixed in Version2007 
Summary0000346: Root certificate and Fingerprint on unsecure Site
Descriptionunder there is the root certificate and also the Fingerprint on an unsecure http Website. I think this could be vulnerable point. If the webserver was attacked there where no Guarantee if root certificate and/or the Fingerprint would be manipulated.
TagsNo tags attached.
Reviewed by
Test Instructions



2006-11-10 19:18

manager   ~0000703

Who would download this certificate? Only people that do not yet have it installed in their browser. So where is the point in securing the page if you cannot valitate the sites certificate anyway?

It may even lead to more confusion if you're asked to accept the sites cert and later you find that you need to accept another cert (the root cert) so you might end up with two certs in your browser.

Instead of trusting anything on the internet the recommended way of validating the root certificate is

- download it and check the fingerprint which you hopefully got from a trustable source.
- if the latter is not possible you can download the fingerprint and the GPG signature and check it with the CAcert public GPG key. Then you need to validate the CAcert public GPG key by validating its signatures until you find enough signatures of people you trust.

I'd vote that this bug is invalid.


2007-11-04 01:20

administrator   ~0000939

There is a OpenPGP signed root certificate fingerprint on that page.

Issue History

Date Modified Username Field Change
2006-11-02 09:46 wonderer New Issue
2006-11-10 16:29 wonderer Priority high => urgent
2006-11-10 16:30 wonderer Assigned To => Sourcerer
2006-11-10 16:30 wonderer Status new => needs work
2006-11-10 19:18 bluec Note Added: 0000703
2007-11-04 01:20 Sourcerer Status needs work => solved?
2007-11-04 01:20 Sourcerer Resolution open => fixed
2007-11-04 01:20 Sourcerer Note Added: 0000939
2009-04-09 21:03 Sourcerer Status solved? => closed
2013-01-14 20:40 Werner Dworak Fixed in Version => 2007
2013-11-20 22:23 NEOatNHNG View Status private => public