Opened 8 years ago
Closed 8 years ago
#10819 closed Other (rejected)
Filezilla update server uses untrusted certificate
| Reported by: | Benjamin M Kilpatrick | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Client |
| Keywords: | update certificate | Cc: | |
| Component version: | 3.16.1 | Operating system type: | Windows |
| Operating system version: | 7 SP 1 |
Description
According to ESET, the Filezilla client attempts to connect to an update server which sends a self-signed certificate. This seems to be a security problem which should be remedied.
Attachments (1)
Change History (2)
by , 8 years ago
| Attachment: | filezillabug.png added |
|---|
comment:1 by , 8 years ago
| Resolution: | → rejected |
|---|---|
| Status: | new → closed |
This isn't a bug. By definition, root certificates are always self-signed.
This and only this root certificate is trusted by FileZilla when checking for updates. You cannot get any more secure than this.
This is once again a good example why virus scanners are all snake oil. They complain about things that are completely normal and secure, but keep silent on things that are actually insecure (e.g. the ginormous trusted root certificate list in your web browser that contains hundreds of shady root certificates under the control of various even more shady governments).
ESET screenshot