Opened 4 years ago

Closed 4 years ago

#10819 closed Other (rejected)

Filezilla update server uses untrusted certificate

Reported by: Benjamin M Kilpatrick Owned by:
Priority: normal Component: FileZilla Client
Keywords: update certificate Cc:
Component version: 3.16.1 Operating system type: Windows
Operating system version: 7 SP 1

Description

According to ESET, the Filezilla client attempts to connect to an update server which sends a self-signed certificate. This seems to be a security problem which should be remedied.

Attachments (1)

filezillabug.png (60.9 KB) - added by Benjamin M Kilpatrick 4 years ago.
ESET screenshot

Download all attachments as: .zip

Change History (2)

Changed 4 years ago by Benjamin M Kilpatrick

Attachment: filezillabug.png added

ESET screenshot

comment:1 Changed 4 years ago by Tim Kosse

Resolution: rejected
Status: newclosed

This isn't a bug. By definition, root certificates are always self-signed.

This and only this root certificate is trusted by FileZilla when checking for updates. You cannot get any more secure than this.

This is once again a good example why virus scanners are all snake oil. They complain about things that are completely normal and secure, but keep silent on things that are actually insecure (e.g. the ginormous trusted root certificate list in your web browser that contains hundreds of shady root certificates under the control of various even more shady governments).

Note: See TracTickets for help on using tickets.