[Discuss] server certificates for the https protocol

Alan W. Irwin irwin at beluga.phys.uvic.ca
Mon Jan 28 17:42:48 PST 2008


On 2008-01-28 14:20-0800 Steven Kurylo wrote:

> On Jan 27, 2008 12:56 PM, Alan W. Irwin <irwin at beluga.phys.uvic.ca> wrote:
>> Could somebody give me a brief description of what server certificates are
>> and the practical steps I should take to deal with invalid ones?
>>
>> For example, I am currently getting the following message from an svn commit
>> to SF
>>
>> software at raven> svn commit .
>> Error validating server certificate for 'https://lasi.svn.sourceforge.net:443':
>>   - The certificate is not issued by a trusted authority. Use the
>>     fingerprint to validate the certificate manually!
>> Certificate information:
>>   - Hostname: *.svn.sourceforge.net
>>   - Valid: from Tue, 09 Oct 2007 14:15:07 GMT until Mon, 08 Dec 2008 15:15:07 GMT
>>   - Issuer: Equifax Secure Certificate Authority, Equifax, US
>>   - Fingerprint: fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a
>> (R)eject, accept (t)emporarily or accept (p)ermanently?
>>
>> Is this the fault of SourceForge or Equifax or is there a real security
>> concern here?
>
> It's telling you the cert is signed by Equifax Secure Certificate
> Authority, Equifax, US but you don't trust them.
>
> In an ideal world you'll verify the fingerprint against a trusted
> source.  They don't seem to list their fingerprints on their website,
> even if you decided to trust it.
>
> Firefox comes with a lot of Equifax certificates, so you could see if
> firefox already trusts it.
>
> The paranoid hat could be that your DNS could be poisoned and you're
> not looking at the real sourceforge server.  The hacker is using the
> Equifax name on their certificate to try to trick you.
>
> More likely your OS just doesn't have the latest equifax cert installed.

Thanks for these ideas.  Is it also possible that SF failed to renew
something (despite [or because of] the future date on the EquiFax
certificate)?  Everything was working fine without any warning messages a
few days ago so failure to renew is a possibility from that perspective.

I tried https://lasi.svn.sourceforge.net in Firefox. Is that what you meant
by seeing if Firefox already trusts "it"? If so, the result wasn't
definitive because for a browser it gets forwarded to an http (not https)
site for browsing the svn repository, i.e.,
http://lasi.svn.sourceforge.net/viewvc/lasi/.  The response to the svn
command is very different of course because it actually writes to the
repository directly with the https protocol rather than simply viewing html
pages that were generated from the svn repository.

Alan
__________________________
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state implementation
for stellar interiors (freeeos.sf.net); PLplot scientific plotting software
package (plplot.org); the libLASi project (unifont.org/lasi); the Loads of
Linux Links project (loll.sf.net); and the Linux Brochure Project
(lbproject.sf.net).
__________________________

Linux-powered Science
__________________________
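The manual check that Steven describes (compare the fingerprint svn prints against one obtained from a trusted source, confirm the certificate name actually covers the host you connected to, and confirm the validity dates have not lapsed, which is Alan's "failed to renew" question) as an added example; this is not code from the thread, from Subversion or from SourceForge. The prompt text quoted above is reused as constructed sample input. The two network helpers at the end use the standard ssl module to fetch the leaf certificate the way svn sees it and to ask the OS trust store whether the chain verifies; they are assumptions about how one would gather the inputs and are not exercised offline.

```python
import hashlib
import hmac
import re
import socket
import ssl
from datetime import datetime

# Constructed sample input: the svn prompt quoted in the message above.
SVN_PROMPT = """Error validating server certificate for 'https://lasi.svn.sourceforge.net:443':
  - The certificate is not issued by a trusted authority. Use the
    fingerprint to validate the certificate manually!
Certificate information:
  - Hostname: *.svn.sourceforge.net
  - Valid: from Tue, 09 Oct 2007 14:15:07 GMT until Mon, 08 Dec 2008 15:15:07 GMT
  - Issuer: Equifax Secure Certificate Authority, Equifax, US
  - Fingerprint: fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a
(R)eject, accept (t)emporarily or accept (p)ermanently?
"""

SVN_DATE_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"


def parse_svn_prompt(text):
    """Extract URL host/port and the Hostname, Valid, Issuer and Fingerprint
    fields from an svn 'Error validating server certificate' prompt."""
    fields = {}
    m = re.search(r"server certificate for 'https://([^/:']+)(?::(\d+))?'", text)
    if m:
        fields["url_host"] = m.group(1)
        fields["port"] = int(m.group(2) or 443)
    for key in ("Hostname", "Valid", "Issuer", "Fingerprint"):
        m = re.search(r"^\s*-\s*%s:\s*(.+?)\s*$" % key, text, re.MULTILINE)
        if m:
            fields[key.lower()] = m.group(1)
    return fields


def sha1_fingerprint(der):
    """Colon-separated lowercase SHA-1 of the DER certificate (svn's format)."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    # Accept upper/lower case and any mix of colons or spaces between bytes.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der, expected):
    """Constant-time comparison of the certificate's fingerprint with the
    value obtained out of band (or shown in the prompt)."""
    return hmac.compare_digest(_normalise(sha1_fingerprint(der)), _normalise(expected))


def hostname_matches(cert_name, host):
    """A leading '*.' label matches exactly one label: '*.svn.sourceforge.net'
    covers 'lasi.svn.sourceforge.net' but not 'svn.sourceforge.net' or
    'a.b.svn.sourceforge.net'."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".svn.sourceforge.net"
    if not host.endswith(suffix):
        return False
    first_label = host[:-len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def within_validity(valid_field, now):
    """True if 'now' (naive UTC datetime) lies inside the 'Valid: from ... until ...'
    window, i.e. the certificate has neither expired nor is it not yet valid."""
    m = re.match(r"from (.+?) until (.+)$", valid_field)
    if not m:
        raise ValueError("unrecognised Valid field: %r" % valid_field)
    not_before = datetime.strptime(m.group(1), SVN_DATE_FORMAT)
    not_after = datetime.strptime(m.group(2), SVN_DATE_FORMAT)
    return not_before <= now <= not_after


def manual_check(prompt_text, der, now):
    """Combine the three checks a person answering the svn prompt should do."""
    f = parse_svn_prompt(prompt_text)
    return {
        "fingerprint_ok": fingerprint_matches(der, f["fingerprint"]),
        "hostname_ok": hostname_matches(f["hostname"], f["url_host"]),
        "dates_ok": within_validity(f["valid"], now),
    }


def fetch_peer_cert_der(host, port=443):
    """Network helper (assumption, not run offline): fetch the leaf certificate
    without chain verification, which is what svn shows in the prompt."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def chain_trusted_by_os(host, port=443):
    """Network helper (assumption, not run offline): True if the OS trust store
    verifies the chain, the case in which svn would not prompt at all."""
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                             server_hostname=host):
            return True
    except ssl.SSLCertVerificationError:
        return False
```

A fingerprint copied from the prompt itself only proves you are talking to whoever sent that certificate; the value to compare against has to come from somewhere the attacker in Steven's DNS-poisoning scenario cannot influence (the project's own page, a second network path, or a colleague who already has the certificate pinned). The date check is the only one of the three that can be answered from the prompt alone.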

