
cacert-de - AW: I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.

Subject: German-language CAcert support list

  • From: Marcus Mängel <m.maengel AT inopiae.de>
  • To: "'tverrbjelke'" <tverrbjelke AT gmx.de>, <cacert-de AT lists.cacert.org>, <cacert-support AT lists.cacert.org>
  • Subject: AW: I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.
  • Date: Tue, 19 Nov 2013 22:47:01 +0100

Hi tverrbjelke,

please have a look at the bug http://bugs.cacert.org/view.php?id=1222 and
answer the question there.

BR

Marcus

-----Original Message-----
From: cacert-support-request AT lists.cacert.org [mailto:cacert-support-request AT lists.cacert.org] On behalf of tverrbjelke
Sent: Tuesday, 19 November 2013 11:06
To: cacert-de AT lists.cacert.org; cacert-support AT lists.cacert.org
Subject: I currently can't trust using https://cacert.org - it seems to use an invalid certificate to sign the content.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hei,

I already opened an issue http://bugs.cacert.org/view.php?id=1222

Problem
========

Since 16th of November 2013 I experience a problem with a strange certificate
at https://cacert.org

When I go to http://cacert.org and then "log in via password"
https://www.cacert.org/index.php?id=4 the used certificate of that page is
unknown to me and my browser.

Browser shows me "connection untrusted". I use Firefox V 25 ubuntu canonical.
Same on my lappy, but has same browser.

So why is the page itself signed by another - unknown - certificate?

Same problem applies to https://lists.cacert.org/wws/lists/help

I currently can't trust CACert.org - it seems to use an invalid certificate.

Maybe I did miss something, but *maybe* the site has been subverted?
I would like to assert someone today, but I won't login until the problem is
solved / cleared.


Analysis
========

Yes, I already (months ago) did import the cacert certificates, class3 used
to authenticate web pages.

I verified, if my versions of the certificates (inside firefox and also the
downloaded version on my backup-drive) are the same that are presented online
at the site:

I compare the sha1sums and md5sum and my result is:
All root class1 and class3 are OK:

$ sha1sum cacert-root-class3-2012.der.crt
ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce cacert-root-class3-2012.der.crt

So theoretically any correctly signed page should be accepted by my browser...


Visiting the site and temporarily accepting the cert ("I know the risk...")
Then checking the actually used cert for https://cacert.org I see an unknown
cert Serial number "0B:B3:C6". I exported that cert and attached this as (so
named by me) "fake-www.cacert..." so you can check yourself what I mean...

The fake-cert has this checksum:

$ sha1sum fake-www.cacert.org-20131117.der
2164c049b001b7a84e459ba6f0d7ef232cfcad58 fake-www.cacert.org-20131117.der


I am not sure, maybe it is related to this
http://bugs.cacert.org/view.php?id=1217 - "0001217: Add the root certificates
in CER-Format on Index.php?id=3 " - but then why is my problem also existing at
https://lists.cacert.org/wws/lists/help ?

so... I am clueless... researching the net I didn't find more...
maybe I am having a blind spot, maybe I am dumb, but maybe this is a
*serious* issue...


I attached all mentioned certs: correct root-class1 and class3 and the
potentially fraud /fake class3 cert. And their fingerprints.


thankful for any assistance,
tverrbjelke

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlKLOBoACgkQRP30d5yulgH1zAD9EZgCasVbyzMABnL6gAkjHRjX
kblyEsnn67F0KAcyG7YA/R1y81hYdhkieCbAsINyG1rsBW11HyBnVnFe1LEvkVZz
=wdmA
-----END PGP SIGNATURE-----
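
Added example, not part of either message and not CAcert tooling: the Analysis above confirms by checksum that the local root copies match the published ones, while whether a certificate presented by a server was issued under such a root is a separate check, shown here with `openssl verify`. All certificates, the names "Constructed Demo Root" and www.example.test, the serial 0x1001 and the file names are constructed for the demo.

```shell
# Added example: every certificate here is a throwaway generated locally; the
# names "Constructed Demo Root" and www.example.test and serial 0x1001 are made up.
set -eu

# SHA-1 fingerprint of a PEM certificate, as `sha1sum` prints it for the DER file.
fingerprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Succeeds if certificate $2 verifies against the root in file $1. OpenSSL may
# also consult the system trust store; -no-CApath (and -no-CAstore on 3.x) exclude it.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer and serial: the fields to read first on a certificate you do not know.
describe() { openssl x509 -in "$1" -noout -issuer -serial; }

# Constructed fixtures in directory $1: a root, a server certificate issued by
# it, and a self-signed certificate carrying the same host name.
make_fixtures() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -config "$1/demo.cnf" -subj "/CN=www.example.test" \
    -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 0x1001 -days 2 -out "$1/leaf.pem" 2>/dev/null
  openssl req -x509 -config "$1/demo.cnf" -subj "/CN=www.example.test" -days 2 \
    -newkey rsa:2048 -nodes -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
make_fixtures "$d"
echo "root  sha1=$(fingerprint "$d/root.pem")"
for c in leaf other; do
  describe "$d/$c.pem"; echo "$c sha1=$(fingerprint "$d/$c.pem")"
  if chains_to_root "$d/root.pem" "$d/$c.pem"; then echo "$c: chains to the root"
  else echo "$c: does NOT chain to the root"; fi
done
```

Both server certificates have fingerprints that differ from the root's, which is normal for any non-root certificate; only the issuer field and the verification result tell the two apart.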



