#11934 closed Bug report (rejected)
update.filezilla-project.org using self-signed certificate
Reported by: | n8felton | Owned by: | |
---|---|---|---|
Priority: | low | Component: | Other |
Keywords: | update certificate https ssl tls | Cc: | |
Component version: | Operating system type: | ||
Operating system version: |
Description
Attempting to connect to update.filezilla-project.org is failing due to HSTS and the server using a self-signed certificate rather than a public CA or Let's Encrypt.
Attachments (1)
Change History (6)
comment:1 by , 6 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
comment:2 by , 6 years ago
If you see it using a self-signed certificate then a malicious man-in-the-middle proxy is intercepting and modifying your traffic.
comment:3 by , 6 years ago
Priority: | blocker → low |
---|
by , 6 years ago
Attachment: | Screen Shot 2019-06-03 at 3.35.31 PM.png added |
---|
comment:4 by , 6 years ago
It appears to be signed by filezilla-project.org
, which does not appear to be a part of any trusted roots provided by macOS or Windows.
While it may not be "self-signed", the root that it is signed by is not trusted.
comment:5 by , 6 years ago
Since trust cannot be delegated, it's the one and only CA trusted by the FileZilla update mechanism.
All third-party software and hardware interfering with the update mechanism is considered malware. Please remove all malware from your environment.
It doesn't use a self-signed certificate.