
cacert-de - I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.

Subject: Deutschsprachige CAcert Support Liste (German-language CAcert support list)

  • From: tverrbjelke <tverrbjelke AT gmx.de>
  • To: cacert-de AT lists.cacert.org, cacert-support AT lists.cacert.org
  • Subject: I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.
  • Date: Tue, 19 Nov 2013 11:06:18 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hei,

I already opened an issue http://bugs.cacert.org/view.php?id=1222

Problem
========

Since 16th of November 2013 I experience a problem with a strange
certificate at https://cacert.org

When I go to http://cacert.org and then "log in via password"
https://www.cacert.org/index.php?id=4 the certificate used by that
page is unknown to me and my browser.

Browser shows me "connection untrusted". I use Firefox V 25 Ubuntu
canonical. Same on my lappy, but it has the same browser.

So why is the page itself signed by another - unknown - certificate?

Same problem applies to https://lists.cacert.org/wws/lists/help

I currently can't trust CACert.org - it seems to use an invalid
certificate.

Maybe I did miss something, but *maybe* the site has been subverted?
I would like to assert someone today, but I won't login until the
problem is solved / cleared.


Analysis
========

Yes, I already (months ago) did import the CAcert certificates, class3
used to authenticate web pages.

I verified whether my versions of the certificates (inside Firefox and
also the downloaded version on my backup drive) are the same as those
presented online at the site:

I compared the sha1sum and md5sum values, and my result is:
All root class1 and class3 are OK:

$ sha1sum cacert-root-class3-2012.der.crt
ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce cacert-root-class3-2012.der.crt

So theoretically any correctly signed page should be accepted by my
browser...


Visiting the site and temporarily accepting the cert ("I know the
risk...")
Then checking the actually used cert for https://cacert.org
I see an unknown cert with serial number "0B:B3:C6". I exported that cert
and attached it as (so named by me) "fake-www.cacert..." so you can
check yourself what I mean...

The fake-cert has this checksum:

$ sha1sum fake-www.cacert.org-20131117.der
2164c049b001b7a84e459ba6f0d7ef232cfcad58 fake-www.cacert.org-20131117.der


I am not sure, maybe it is related to this
http://bugs.cacert.org/view.php?id=1217 - "0001217: Add the root
certificates in CER-Format on Index.php?id=3 " - but then why does my
problem also exist at https://lists.cacert.org/wws/lists/help ?

so... I am clueless... researching the net I didn't find more...
maybe I am having a blind spot, maybe I am dumb, but maybe this is a
*serious* issue...


I attached all mentioned certs: the correct root class1 and class3 and the
potentially fraudulent / fake class3 cert. And their fingerprints.


thankful for any assistance,
tverrbjelke

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlKLOBoACgkQRP30d5yulgH1zAD9EZgCasVbyzMABnL6gAkjHRjX
kblyEsnn67F0KAcyG7YA/R1y81hYdhkieCbAsINyG1rsBW11HyBnVnFe1LEvkVZz
=wdmA
-----END PGP SIGNATURE-----

Attachment: cacert-issue.tar.gz
Description: application/gzip

Attachment: cacert-issue.tar.gz.sig
Description: Binary data
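The check the poster performs by hand (running `sha1sum` over a DER file and comparing against the fingerprint the browser shows, then reading off the serial number of the unexpected certificate) can be scripted so that it is repeatable. The example below is added here and is not code from the poster or from CAcert. It relies on the fact that `sha1sum` of a DER-encoded certificate file equals the SHA-1 fingerprint a browser displays for that certificate, walks the outer DER structure of an X.509 certificate to read the serial number, and compares a fingerprint against a pinned set. The sample bytes are constructed in the script (a minimal SEQUENCE/SEQUENCE/version/serial prefix with the serial `0B:B3:C6` from the post), not a real certificate; `PINNED_ROOT_FINGERPRINTS` holds the class3 root value the poster reports.

```python
import hashlib

# The class3 root fingerprint as reported in the post (sha1sum of the DER file).
PINNED_ROOT_FINGERPRINTS = {"ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce"}


def _read_tlv(buf, off):
    """Parse one DER tag/length header at `off`; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case digest of the raw DER bytes, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def serial_number(der):
    """Read the serialNumber INTEGER from Certificate -> tbsCertificate."""
    tag, body_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must start with a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, body_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, tbs_start)
    if tag == 0xA0:                         # optional EXPLICIT [0] version; skip it
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return ":".join(f"{b:02X}" for b in der[vstart:vend])


def matches_pin(der, pinned):
    """True if the SHA-1 fingerprint of `der` is in `pinned` (case/colon insensitive)."""
    norm = lambda s: s.replace(":", "").upper()
    return norm(fingerprint(der)) in {norm(p) for p in pinned}


def _tlv(tag, body):
    """Build one short-form DER element (sample construction only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample: SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 0x0BB3C6 } }.
# Only the prefix a serial-number reader needs; NOT a real certificate.
SAMPLE_DER = _tlv(0x30, _tlv(0x30,
                             _tlv(0xA0, _tlv(0x02, b"\x02")) +
                             _tlv(0x02, b"\x0b\xb3\xc6")))


def report(der, pinned=PINNED_ROOT_FINGERPRINTS):
    """Summarise what a browser would show plus whether it matches a pin."""
    return {
        "serial": serial_number(der),
        "sha1": fingerprint(der, "sha1"),
        "md5": fingerprint(der, "md5"),
        "pinned": matches_pin(der, pinned),
    }


if __name__ == "__main__":
    # For a real file: report(open("cert.der", "rb").read())
    for k, v in report(SAMPLE_DER).items():
        print(f"{k:7s} {v}")
```

For a downloaded certificate, `report(open(path, "rb").read())` gives the same SHA-1 the browser's certificate viewer shows, so the value can be compared with a fingerprint obtained out of band before the certificate is accepted; a `pinned: False` result on a site whose root you already trust is exactly the situation the post describes and is worth raising rather than clicking through.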
