Opened 7 weeks ago

Closed 7 weeks ago

Last modified 7 weeks ago

#11934 closed Bug report (rejected)

update.filezilla-project.org using self-signed certificate

Reported by: n8felton
Owned by:
Priority: low
Component: Other
Keywords: update certificate https ssl tls
Cc:
Component version:
Operating system type:
Operating system version:

Description

Attempting to connect to update.filezilla-project.org is failing due to HSTS and the server using a self-signed certificate rather than a public CA or Let's Encrypt.

Attachments (1)

Screen Shot 2019-06-03 at 3.35.31 PM.png (134.2 KB) - added by n8felton 7 weeks ago.

Change History (6)

comment:1 Changed 7 weeks ago by Tim Kosse

Resolution: rejected
Status: new → closed

It doesn't use a self-signed certificate.

comment:2 Changed 7 weeks ago by Tim Kosse

If you see it using a self-signed certificate then a malicious man-in-the-middle proxy is intercepting and modifying your traffic.

comment:3 Changed 7 weeks ago by Tim Kosse

Priority: blocker → low

comment:4 Changed 7 weeks ago by n8felton

It appears to be signed by filezilla-project.org, which does not appear to be a part of any trusted roots provided by macOS or Windows.

While it may not be "self-signed", the root that it is signed by is not trusted.

comment:5 Changed 7 weeks ago by Tim Kosse

Since trust cannot be delegated, it's the one and only CA trusted by the FileZilla update mechanism.

All third-party software and hardware interfering with the update mechanism is considered malware. Please remove all malware from your environment.
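
The distinction drawn in comment:4 (self-signed versus signed by a root the OS does not trust) and the single-CA trust model described in comment:5 can be reproduced locally. This is an added example, not part of the ticket and not FileZilla's code; it assumes the OpenSSL CLI (1.1.0 or later), and every name, key and certificate in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate here is generated locally.
# Assumes the OpenSSL CLI (1.1.0 or later, for -no-CApath) is installed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# Private root CA, standing in for a vendor-run update CA (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Private Update CA" -keyout ca.key -out ca.pem 2>/dev/null

# Server certificate issued by that private CA (hypothetical host name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=update.example.test" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out srv.pem 2>/dev/null

# Genuinely self-signed certificate for the same host name.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=update.example.test" -keyout self.key -out self.pem 2>/dev/null

# True when the subject and issuer names are identical (self-issued).
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Verify certificate $2 against exactly one trust anchor file ($1).
# -no-CApath keeps the system certificate directory out of the decision.
verify_pinned() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

for c in srv.pem self.pem; do
  is_self_issued "$c" && kind="self-issued" || kind="issued by a separate CA"
  verify_pinned ca.pem "$c" && res="accepted" || res="rejected"
  echo "$c: $kind; client pinned to ca.pem: $res"
done

# A verifier whose trust store lacks the private CA rejects srv.pem,
# even though srv.pem is not self-signed.
verify_pinned self.pem srv.pem && res="accepted" || res="rejected"
echo "srv.pem against a store without ca.pem: $res"
```

A browser or OS trust store behaves like the last check, while a client pinned to the private CA behaves like the loop.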
